Phishing Attacks: A Guide to Cyber Security
With every cyber attack, it becomes increasingly clear that no one is safe from data breaches or cyber extortion. Whether you are an employer that stores proprietary data or an individual with financial and personal information at risk, hackers won’t rest until they have what’s yours. And their tactics continue to evolve.
One of the most common and difficult-to-spot strategies hackers use is phishing scams, which require minimal technical know-how and can be deployed from anywhere in the world via a simple email.
Phishing & Spear Phishing
Phishing is a general term that refers to any cyber attack where a hacker disguises themselves as a trusted source in order to acquire sensitive information. Spear-phishing attacks are much more convincing, targeted and sophisticated. Malicious hackers can find most of the information needed to carry out a spear-phishing attack right on the internet, particularly on company websites and social networking sites.
Both phishing and spear-phishing scams can affect anyone. Phishing attacks are broader and are not necessarily aimed at any particular person. Spear-phishing attacks, however, are more thought out and planned. These attacks often have one of two targets: individuals or employers.
Cyber criminals target individuals because they are the easiest to compromise and the most susceptible to phishing attacks. This is because many people aren’t tech-savvy or educated on how to spot phishing emails.
For employers, every employee represents a potential exposure to phishing attacks. In fact, a skilled scammer could easily trick employees at every level of the organization, putting a company’s financial information, trade secrets, confidential documents and network at risk. Employers of all sizes and industries are at risk; however, online payment services, internet-based financial businesses and retail sites are among the most targeted sectors.
How Cyber Criminals Plan Their Attacks
A common tactic for spear phishers is to impersonate someone the victim knows, like a co-worker, friend or family member. In finely crafted spear-phishing scams, the attacker will have done their research and may include specific names, dates and details the user is familiar with and likely to respond to.
Fake President Fraud
One subset of impersonation and social engineering is commonly referred to as fake president fraud: a criminal posing as a company executive convinces an employee to voluntarily transfer a large sum of money directly to the criminal’s account.
In whaling attacks, cyber criminals specifically target high-profile business executives. In these scams, the fraudulent emails and webpages are designed to appear like a critical business email from someone with legitimate authority, either externally or internally.
People are more likely to respond to phishing attempts if emails appear to be pressing or if the victim believes they are in some sort of trouble. Common examples of this type of fakery include, but are not limited to, messages from angry bosses, late credit notices, cancelled memberships, compromised accounts, missed package deliveries, missing rent checks and unexpected password reset requests.
Unexpected Refunds, Payments and Contests
It is not uncommon for phishing emails to bait victims with the promise of refunds, bank account adjustments or tax refunds. In broader phishing attacks, spammers may even claim you have won or are eligible for a contest or prize. Unsolicited emails of this kind are usually a dead giveaway for phishing schemes.
Vishing is a form of phishing that uses phone systems and similar technologies. Users may receive an email, voice message or text message (text-based phishing is usually called smishing) that encourages them to call a phone number to correct some discrepancy. Typically, attackers use a technique called caller ID spoofing to make the calls appear to come from a legitimate phone number. To avoid falling for a vishing scam, never click links in a text message or respond to automated phone calls.
How Your Data Gets Compromised
Deceptive phishing is the most common form of phishing. Under this type of scam, the attacker impersonates real companies in an attempt to steal your personal information or login credentials. Links in these phishing emails redirect users to a fraudulent website whose URL is nearly identical to its legitimate counterpart. Only a few characters will differ, making the phony links difficult to identify.
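The "nearly identical URL" described above is something a defender can check for mechanically rather than by eye. The following is an added example, not code from the original article: it scans the links in a constructed HTML message body and flags three warning signs, a visible link that points at a different host than it shows, a host only one or two character edits away from a trusted domain, and a punycode (internationalised) host name. The trusted-domain list and the sample message are assumptions.

```python
import re
from urllib.parse import urlparse

# Hypothetical allow-list of domains the recipient genuinely deals with (assumption).
TRUSTED_DOMAINS = {"example-bank.com", "example-pay.com"}
# Captures href and visible text of <a> tags; adequate for the constructed sample below.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Last two labels of the host (assumption: no multi-part public suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_link(href: str, text: str) -> list[str]:
    """Reasons a link looks deceptive; an empty list means nothing was found."""
    reasons = []
    host = urlparse(href).hostname or ""
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (internationalised) host name")
    shown = re.search(r"https?://([^/\s<]+)", text)      # URL the reader sees
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        reasons.append(f"link text shows {shown.group(1)} but points to {host}")
    dom = registrable_domain(host)
    if dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if 0 < edit_distance(dom, trusted) <= 2:    # e.g. a digit 1 for a letter l
                reasons.append(f"{dom} is a near match for trusted {trusted}")
    return reasons

def scan_email_html(html: str) -> dict[str, list[str]]:
    """Map every href in the message body to its warnings."""
    return {href: check_link(href, text) for href, text in ANCHOR_RE.findall(html)}

# Constructed sample message body (not a real phishing email).
SAMPLE = """<p>Unusual sign-in activity. Review it at
<a href="http://example-bank.com/login">http://example-bank.com/login</a>, or at
<a href="http://examp1e-bank.com/verify">http://example-bank.com/verify</a>, or
<a href="http://xn--exampl-bank-xyz.com/">Verify now</a>.</p>"""
```

Running scan_email_html(SAMPLE) leaves the first link clean and flags the other two; the "hover over the link" advice later on the page is the manual version of the same comparison.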
In order to steal your information, attackers will introduce malware—software designed to damage or disable computers—to a victim’s PC. This is usually accomplished through email attachments or downloadable files from a website. Using these methods, hackers can introduce various malware into a network, including:
Ransomware—Ransomware is an increasingly popular style of malware. In a ransomware attack, a victim’s data is encrypted until a steep fee is paid. While dollar amounts may vary, some ransomware attacks can cost six figures or more.
Keyloggers and screenloggers—Two common varieties of malware are keyloggers and screenloggers. In simple terms, these forms of malware record a victim’s keystrokes (or, for screenloggers, what is displayed on screen) and relay the information back to the phisher. Advanced versions of these kinds of malware run automatically in the background and launch whenever a browser is opened.
Session hijacking—In plain terms, computer sessions are temporary interactions users have with websites. For instance, from the time you log in to an account (e.g., Facebook, Twitter or an online bank) until you log out is considered a session. Session hijacking occurs when malicious software “hijacks” a user-initiated session. Phishers execute these attacks using local malware on a user’s computer. Once deployed, session hijacking can be used to monitor all forms of online activity.
Pharming—Pharming doesn’t require an attacker to send thousands of emails and is effectively phishing without the bait. Pharming redirects a user’s website traffic to another, bogus website using malicious code such as viruses, worms, Trojans and spyware. Even savvy users are often unaware that the website they are visiting is controlled by hackers.
One of the most deceitful methods of pharming involves web Trojans—malicious programs that collect a user’s login credentials, using specific websites as a disguise. Commonly spoofed sites include social media platforms, company portals and email accounts. These fraudulent websites are designed to appear legitimate, when in reality victims are willingly handing their personal information to cyber criminals. System reconfiguration attacks, tab-nabbing, DNS-based phishing and hosts file poisoning are other variations of this kind of attack.
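Of the pharming variations listed above, hosts file poisoning is the one a user or administrator can check for locally: a hosts file entry overrides DNS and silently sends a well-known domain to an address the attacker controls. The following is an added example, not code from the original article; it parses hosts-file text and reports any entry that pins a watched domain (or a subdomain of it) to a non-loopback address. The watch-list and the sample hosts file are constructed assumptions.

```python
import ipaddress

# Hypothetical watch-list of domains whose resolution must never be overridden (assumption).
WATCHED = {"example-bank.com", "mail.example-corp.com"}
# Addresses that are normal in a hosts file (loopback and the common ad-blocking sink).
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)             # skip malformed lines rather than trusting them
        except ValueError:
            continue
        pairs.extend((ip, n.lower()) for n in names)
    return pairs

def suspicious_entries(text: str) -> list[tuple[str, str]]:
    """Entries that pin a watched domain, or a subdomain of one, to a non-loopback address."""
    hits = []
    for ip, name in parse_hosts(text):
        if ip in LOOPBACK:
            continue
        if any(name == w or name.endswith("." + w) for w in WATCHED):
            hits.append((ip, name))
    return hits

# Constructed sample (uses documentation address ranges, not a real hosts file).
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1   localhost
::1         localhost ip6-localhost
0.0.0.0     ads.example-tracker.net        # benign ad-blocking entry
203.0.113.7 example-bank.com www.example-bank.com   # sends the bank to an outside address
192.0.2.10  not-watched.example.org
"""
```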
Man-in-the-middle phishing—Of all the varieties of phishing attacks, man-in-the-middle attacks are one of the hardest to detect. In these attacks, hackers position themselves between a user and a legitimate website, stealthily recording information. What makes them so hard to spot is that, during these attacks, a user’s transactions and web activity are not visibly affected.
Search engine phishing—Search engine phishing occurs when phishers create phony websites with too-good-to-be-true offers and index them within popular search engines. These scams are easy to fall for, as they appear during a user’s usual internet usage. A common example of this is when phishers set up fake banking sites offering lower interest rates. A user would see this website appear in their search results and could easily be enticed into clicking the link and giving up their personal details.
It should be noted that this is not a complete list of phishing tactics. In fact, the methods of cyber criminals continue to evolve, opening the door for larger and more effective attacks. Phishing isn’t going away anytime soon and, because it is so difficult to counteract, it’s critical that you know a number of methods for spotting and preventing common scams.
Spotting an Attack
Before acting on a message, ask yourself the following questions:
- What time was the message sent?
- Do I know the sender?
- Do the URLs match up?
- Does the content match the subject?
- How is the grammar and spelling?
Globally, the following were the subject lines of the most clicked phishing emails in recent years:
- Security Alert
- Revised Vacation & Sick Time Policy
- UPS Label Delivery 1ZBE312TNY00015011
- BREAKING: United Airlines Passenger Dies from Brain Hemorrhage – VIDEO
- A Delivery Attempt was made
- All Employees: Update your Healthcare Info
- Change of Password Required Immediately
- Password Check Required Immediately
- Unusual sign-in activity
- Urgent Action Required
Avoid Becoming a Victim
- Never enter personal information or click links in a pop-up screen.
- Avoid emailing personal or financial information, even if you think you know the sender.
- Hover over and triple-check the address of any links before you click them.
- Avoid replying to the sender if you suspect an email is malicious. If you recognize the individual or company sending the suspicious email, follow up with them offline to ensure they meant to contact you.
- Report the attack to your employer and the FBI’s Internet Crime Complaint Center.
- Keep your browser up to date and use firewalls.
- Use a password manager.
- Run anti-virus and anti-malware software on a regular basis. Reputable vendors include McAfee, Symantec, Malwarebytes and Avast.
In addition to providing risk management tips for both employers and individuals, Gaspar Insurance Services can help keep you informed on the biggest happenings in cyber security. Contact us today to learn more ways to stay cyber safe.
We offer Cyber Insurance for businesses and qualified individuals. Contact us for more information.