The advent of modernization in the digital landscape has brought with it different variations in digital threat landscape. Of all, undoubtedly phishing attacks of all types are the most prevalent ones. In the 2020 Data Breach Investigations Report, the Verizon Enterprise had uncovered that phishing had been the second top-most cyber threat in the security incidents while it was the top-most variety in the data breaches. Over 22% of the data breaches as analyzed by the Verizon Enterprise involved phishing in various forms.
The rise in the phishing attacks poses a serious threat to all of the organizations of which identity theft is most common. Thus, it becomes mandatory for the companies to understand how to spot phishing scams. It is also crucial that they are aware of the most common types of the phishing techniques that the threat actors carry out to conduct scams.
In this article, we will discuss the most common types of phishing attacks and how to prevent them.
What Is Phishing? How Does Phishing Attack Work?
Phishing attacks can be defined as the practice of sending counterfeit or fraud communications that pose to have originated from a reputable source but bear the ability to compromise all types of data sources. Phishing is generally performed through emails. But the variety in the phishing types state that the scammers employ other sources to conduct the cybercrime as well.
The major goal of the phishing attacks is to steal various sensitive information such as the login credentials and credit card data or in some other cases install malware on the victims’ systems. From the malware perspective, the malicious attackers force the victims to install ransomware (without letting them know) and hijack the complete computer networks unless the victims pay out the demanded ransom.
In some of the cases, the hackers are just satisfied with obtaining the victims’ personal data or credit card information for their financial benefit. In the other cases, the phishing emails are sent to the victims for gathering employee login information or related details for utilizing in more malicious attacks against a specific company or few individuals.
So mostly, the phishing attacks start with the fraudulent email or any other mode of communication that has been designed to lure the targeted victim. The email is made to resemble as if it has come straight to the inbox from a trustworthy source or sender. If the look and feel of the email can fool the victim, then it is easier for the hackers to gain their desired information. The victim all by himself/herself will provide the confidential information, often via a scam website. However, sometimes malware is also downloaded on the system of the victim.
The first step of the cybercriminals is to identify a group of individuals or an organization whom they would like to target. Then they would create counterfeit emails and text messages appearing to be legitimate. Next, they would feed the legitimate looking emails and text messages with malicious links or attachments that are enough for the unaware victims to get trapped. In this context, it can be said that the phishers frequently make use of the emotions such as curiosity, fear, greed and urgency to drive the recipients to open phishing links and attachments. So, you need to think before you click on any link or download any attachments.
What Are The Dangers Of Phishing Attacks?
As both individuals and companies are the targets of the phishing cyber attacks, the dangers of the attacks revolve in both personal phishing risks and work environment phishing risks.
The personal phishing risks comprises of:
- Fake social media posts are done in your accounts.
- Fraudulent charges made on your credit cards.
- Lost access to your files, photos and videos.
- Money stolen from your bank accounts.
- The cybercriminals posing as a family member or a friend risking your personal information.
The work environment phishing risks comprise of:
- Damaging the company’s reputation.
- Exposing the personal information of co-workers and customers.
- Files getting locked and inaccessible.
- Loss of the corporate funds.
Types Of Phishing Attacks
The phishing attacks at the current scenario are not just limited to the general emails but have gone far to the other techniques as well while the goal remains the same. It is just like making the same dish in a variety of ways. In this segment, we will talk through the different phishing techniques and how they are pulled out causing phishing scams.
By far, deceptive phishing has been the most common variety of phishing scam. While doing this, the fraudsters masquerade as legitimate companies for stealing the personal data or the login credentials of people. These fake quite frequently utilizes threats and a feel of “urgency” for intimidating the users into taking the exact steps the attackers wish to.
The attackers use a variety of methods in the deceptive phishing attacks:
- Legit Links: Some of the malicious actors attempt to evade the detection from the email filters through incorporating legit links into their deceptive phishing mails. Otherwise, they could also do this by including the genuine contact information of an organization probably whom they had been spoofing.
- Minimal Content Of The Phishing Emails: The digital attackers try to evade the detection by creating minimal content for their attack emails. For instance, they can just include an image rather than texts.
- Brand Logo Modification: Some of the email filters can spot when the cybercriminals steal logos of the organizations and incorporate them into their attack emails or even onto their landing pages meant to phish victims. The attackers do so by getting the HTML attributes of the logos. In order to fool the detection tools, the threat actors change the HTML attribute of the chosen logo, say for example its colour.
- Shorten The Links & Redirects: The threat actors do not want to raise any suspicion with their victims. Thus, they carve out their phishing campaigns for using the shortened URLs for fooling the Secure Email Gateways (SEGs). They use the “time-bombing” techniques for redirecting the users to a landing page that is solely created for phishing after the email has been delivered. It redirects to the legit web pages as the victims have forfeited their sensitive credentials.
Not all of the phishing scams use the “spray and pray” techniques. Some phishers depend more on the personal touch. They do such things as otherwise they would not be successful.
In this type of phishing attacks, the fraudsters customize the attack emails having the name of the targets, their position, work phone number, company and various other information attempting to trick the recipient into trusting that they bear a connection with the sender. However, the goal is pretty same as the deceptive phishing which is tricking the victim into clicking on a malicious address or email attachment in the bid to extract their personal information from them. Spear phishing finds its most usage on the various social media sites such as LinkedIn where the cyber attackers can utilize several data sources for crafting a targeted attack email.
The techniques that are used in the spear phishing attacks are:
- Collecting Out-of-Office Notifications: The cyber criminals require a lot of intelligence for convincing the victims using spear-phishing techniques. One of the ways in which they can conduct the same is by emailing the employees as a whole and collecting the out-of-office notifications for learning the format of the email addresses the internal employees use.
- Compromising Tokens: The digital criminals attempt to compromise the session tokens or the API tokens. In this regard, success would enable them stealing access to an email account or other resource including SharePoint sites.
- Exploring The Social Media: The threat actors need to have a good knowledge who all are working on the targeted organization. This is remotely possible through using social media that would help them investigate the structure of the organizations and also decide whom they would like to have their targeted attacks.
- Placing The Malicious Documents On The Cloud Services: The malicious attackers are currently focusing on housing the malicious documents on Box, Dropbox, Google Drive and the various other cloud services. The It firms are unlikely to block these services by default. Thus, the email filters of the organizations would not flag the weaponized documents.
CEO Fraud / Whaling
When the phishing attacks at the workplace is concerned, the spear phishers can target anyone in the organization, including the executives. In this kind of phishing fraud, the fraudsters attempt to harpoon an executive and steal their login credentials. This is what is commonly termed as whaling. The CEO fraud is technically the second phase of the Business Email Compromise (BEC), where the cyber attackers abuse the CEO’s or high-ranking executive’s email address for authorizing fraudulent wire transfers to their preferable financial institution. Alternatively, they can leverage the same email account as well for conducting W-2 phishing. In this kind, they request the W-2 information for all the employees so that they are able to file fake tax returns on their behalf or even post that data on the dark web.
The whaling attacks usually utilize the same social engineering attack techniques as that of the spear phishing campaigns. Some of the additional tactics that the whaling attacks could use are described below:
- A Phone Call Follow Up: The National Cyber Security Centre (NCSC) of the United Kingdom had come across various instances where the malicious attackers followed up a whaling email with an email request confirmation phone call. The social engineering tactic had helped to alleviate fears of the target that there could possibly be something suspicious.
- Follow The Supply Chain: The NCSC has witnessed a steep in the instances where the malicious actors have used the information from the targets’ vendors and suppliers for making their whaling emails appear as if they are coming from trusted partners.
- Infiltration Of The Network: A spoofed email account is not that effective as compared to the compromised email address of an executive. Therefore, the digital attackers could utilize rootkits and malware for infiltrating their target’s network.
It has already been mentioned that although phishing via email is a pretty usual occurrence and the phishers are turning to new methods as well. Vishing is one of the other methods to phish their attacks. Vishing dispenses with sending an email in the inbox and chooses to place a phone call. An attacker can commit a vishing campaign through setting up a VoIP or Voice Over Internet Protocol server for mimicking the various entities in the bid to steal funds and/or sensitive data.
Some of the common techniques that are used in vishing attacks are:
- ID Spoofing: The ID spoofing tactic aids a malicious actor to disguise their phone number to impersonate their call as if it is coming from a legit phone number within the target’s area code. This technique, however, could lull the targets into a false secure feeling.
- Technical Jargon: The threat actors are targeting the employees and that they might impersonate the in-house tech support using the technical jargon and advert to things such as badging and speed issues for convincing an employee that it is absolutely fine to handover their information.
- The Mumble Technique: The online scam attackers, most of the time will incorporate certain unique tactics to run after specific targets. When the cyber attackers target the call center agents or the customer service representatives, they might use the mumble technique for mumbling a response to a question hoping that their answer would suffice.
Vishing is not the sole phishing technique that the cyber fraudsters can conduct using a phone. Smishing can also be a way to benefit themselves. This method involves the malicious text messages for tricking the victims into clicking a malignant link or even handing over their personal information.
The smishers use the following techniques to conduct smishing:
- Instructing Users To Contact The Tech Support: This type of smishing attack technique aids the malicious actors to send text messages instructing the recipients to contact a customer support number. The scammer then masquerades as a legit customer service representative attempting to trick the victim into handing over their personal information.
- Links To Forms For Stealing Data: The attackers could also send a text message containing deceptive phishing techniques and trick the users into clicking a malevolent link. The phishing campaign then redirects them to a website so designed for robbing their personal information.
- Trigger Malicious App Download: The phishers may use malicious links for triggering the automatic download of malicious apps on the targets’ mobile devices. These apps then deploy ransomware or even enable the nefarious actors to control their devices remotely.
The users are now becoming aware of the various phishing techniques that forces the phishers to conduct yet new ways to phish their targets. Owing to this, some of the scammers and fraudsters are chucking the idea of “baiting” techniques entirely. On the contrary, they are moving towards pharming. This phishing method employs cache poisoning against the Domain Name System (DNS). DNS is a naming system that the internet uses to convert alphabetical website names to numeric IP addresses like www.paypal.com to something else. This implies that the attackers can redirect the users to their preferred malicious website. This could also be the case even though the victim has entered the correct website name.
Below are some of the most prominent pharming techniques:
- Malevolent Email Code: In this particular pharming attack, the threat actors send out emails that contain malicious codes to modify the host files on the recipient’s computer. All of those modified host files redirect all the URLs to a website under the control of the attackers so that they install the malware or steal sensitive information of the victim.
- Targets The DNS Server: Alternatively, the threat actors might choose to skip targeting the individual users’ systems and go directly after a DNS server. This might potentially compromise millions of URL requests from the web users.
Snowshoeing is also known as “hit-and-run spam” requiring the attackers to push out messages through multiple IP addresses and domains. Each of the IP addresses sends out messages in a very low volume so that the volume or reputation based spam filtering technologies cannot recognize and block the malicious messages straight away. Some of the messages also make it to the email inboxes before the filters attempt to block them.
The hailstorm campaigns work in the same way as the snowshoe, except that the messages are sent in an extremely short time span. Some of the hailstorm attacks end just after the anti-spam tools catch on and update the filters for blocking future messages. But unfortunately, the hackers have levelled up to the next campaign.
Sextortion is another type of phishing scam that is carried out by sending an email to someone and appears to have come from themselves. In the email content, the hacker claims to have hacked your email account and then got into your computer. Alongside, they have claimed that they possess two specific things – a recorded video of you and your password. The sextortion part comes when it comes to the recorded video. The hackers claim that you have been constantly watching the adult content videos from your computer and that the camera was on at that time. This camera had already recorded your activities. They demand an amount, usually in Bitcoin (BTC), which if not paid they will put out the video to your colleagues or family.
Search Engine Phishing / SEO Poisoning / SEO Trojans
This particular phishing occurs where the malicious actors work to become the top hit on a popular search using Google or related search engines. If they happen to be successful and could get someone to click on their link, it would then take them to the hacker’s selected website. This sort of phishing websites could be anything where the primary candidates are PayPal, banks, online shopping or even the social media websites.
How To Spot Phishing Attacks?
Owing to the intensive growth of the phishing attacks, people need to spot out the various ways in which they can be tricked into giving their personal information. The scammers often update their modus operandi. However, there are some signs that aids you in recognizing a smishing message or a phishing email.
- Phishing Emails And Messages Impersonate Trustworthy Source Or Sender: The phishers are much intelligent and thus they try to gain trust of the victims by sending emails and text messages that make them believe that they are from a trusted sender. For example, an email from your bank or credit card company, an online payment app or website, a social networking site or an online store. They include certain statements in their phishing emails or text messages such as –
❯ They have noticed any suspicious login attempts or activity.
❯ Claim that your account might have encountered a problem or in your payment data.
❯ Asks you to confirm specific personal information.
❯ Includes a fake or counterfeit invoice.
❯ Asks to make a payment via a given link.
❯ Says you are eligible for registering in a government refund.
❯ Offers coupon for free stuff.
- Examine The Hyperlinks / URLs: Another most easy way to identify phishing emails and text messages is to examine the URLs and hyperlinks. You need to check if the destination URL is the same as the URL in the email or text messages. Additionally, you have to be cautious before clicking on any link having bizarre characters in them or contain abbreviated terms. On the mobile devices, hover over the hyperlink. This results in the URL to materialize in a small pop-up window. However, on the web pages, the destination URL will get revealed in the bottom left corner of the browser window when you hover over the anchor text.
How To Prevent Phishing Attacks?
There are quite a handful serious ways in which you can protect yourself from the dangerous phishing attacks. However, your email spam filters might keep your inbox free from phishing emails. But the scammers are always looking out for intelligent ways to outsmart the spam filters. Thus, it is best to add the extra layers of protection. Here are some of the ways in which you can protect yourself from the phishing scams.
- Use security software on your desktops and laptops. Make sure you set the software update to automatic so that it can deal with any latest security threats.
- Update your phone’s OS regularly. If you do not do this, a new patch for your OS is not installed and this leads to potential threats.
- Use multi-factor authentication wherever possible. The multi-factor authentication enabled in the accounts provides extra security by needing two or more credentials for logging into your account. Two things are required to enable multi-factor authentication – an authentication app or a text message enabled passcode and your fingerprint scan or face scan. This process makes it really difficult for the hackers and scammers to log in to your accounts in case they get your username and password.
- Conduct regular backups. This helps you to retrieve data in case your system is compromised. Make sure that the backup is not connected to your residence network. You can either copy the files in an external hard drive or store in the cloud storage.
- Keep your browsers updated from time to time.
- Differentiate between emails and text messages whether they are legit and then proceed further.
- Be aware of the pop-up windows.
- Never click on any link attached in an email or text message from an unknown source.
- Take a note that no company asks you to offer your username or password.
- If any website seems suspicious, call on the given phone number on the website to confirm if it is legit.
- Check for spelling mistakes. Scammers alter some characters or numbers to trick your eye and gain your trust.
- Never download things from unsolicited sources.
This guide will help both the individuals and the organizations to spot some of the most common types of phishing attacks. This also does not imply that you will be able to detect each and every phish as the mode of phishing is evolving continuously. Thus, you need to upgrade yourself on the latest phishing attacks.
Disclaimer: Read the complete disclaimer here.