Phishing

Phishing is the practice of sending fraudulent communications that appear to come from a reputable source. It is usually done through email, with the intention of stealing sensitive data such as credit card and login information, or of installing malware on the victim’s machine.


What are the different types of phishing attacks?

Phishing attacks can have a wide range of targets depending on the attacker. They could be generic scam emails looking for anyone with a PayPal account.

Phishing can also be a targeted attack focused on a specific individual. The attacker often tailors an email to speak directly to you and includes information only an acquaintance would know. An attacker usually gets this information after gaining access to your personal data. When an email is this well tailored, even the most cautious recipient can struggle not to become a victim. PhishMe Research determined that ransomware accounts for over 97% of all phishing emails.


What is spear phishing?

Fishing with a pole may land you a number of items below the waterline – a flounder, bottom feeder, or piece of trash. Fishing with a spear allows you to target a specific fish, hence the name.

Spear phishing is a targeted attack on an individual staff member, such as a company’s system administrator.


What is whaling?

Whaling is an even more targeted type of phishing that goes after the whales – a marine animal even bigger than a fish. These attacks typically target a CEO or CFO within an industry or a specific business. A whaling email might state that the company is facing legal consequences and that you need to click on the link to get more information.

The link takes you to a page where you are asked to enter critical data about the company such as tax ID and bank account numbers.


What is smishing?

Smishing is a phishing attack delivered by text message (short message service, SMS). A common smishing technique is to send a message to a cell phone that contains a clickable link or a return phone number.

A common example of a smishing attack is an SMS message that looks like it came from your banking institution. It tells you your account has been compromised and that you need to respond immediately. The attacker asks you to verify your bank account number, etc. Once the attacker receives the information, they have control of your bank account.


Ways to Prevent Phishing Attacks

Here are some simple tips for identifying and preventing phishing scams.

  1. Know what a phishing scam looks like

New phishing attack methods are being developed all the time, but they share commonalities that can be identified if you know what to look for. There are many sites online that will keep you informed of the latest phishing attacks and their key identifiers. The earlier you find out about the latest attack methods and share them with your users through regular security awareness training, the more likely you are to avoid a potential attack.

  2. Don’t click on that link

It’s generally not advisable to click on a link in an email or instant message, even if you know the sender. The bare minimum you should be doing is hovering over the link to see if the destination is the correct one. Some phishing attacks are fairly sophisticated, and the destination URL can look like a carbon copy of the genuine site, set up to record keystrokes or steal login/credit card information. If it’s possible for you to go straight to the site through your search engine, rather than click on the link, then you should do so.

  3. Don’t give your information to an unsecured site

If the URL of the website doesn’t start with “https”, or you cannot see a closed padlock icon next to the URL, do not enter any sensitive information or download files from that site. Sites without security certificates may not be intended for phishing scams, but it’s better to be safe than sorry.
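The two checks above (does the link really go where its text says it goes, and is the destination served over HTTPS) can be automated before a message ever reaches a mailbox. The following is an added example written for this article, not code from Provide Technology. It uses only the Python standard library, runs over a constructed sample email body (not a real message; the domains are reserved example names), and reports each link whose visible text names a different site than its actual destination, or whose destination is not HTTPS. The two-label "registrable domain" helper is a deliberate simplification; production tooling should use the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: one honest link, one whose visible text
# claims a bank domain while the href points somewhere else, and one plain
# HTTP link. None of these domains are real targets.
SAMPLE_HTML = """
<p>Dear customer,</p>
<p>Review your statement at
   <a href="https://www.example-bank.com/statements">www.example-bank.com</a>.</p>
<p>Your account is locked. Sign in now:
   <a href="http://login.example-bank.com.verify-account.example/">https://login.example-bank.com</a></p>
<p><a href="http://example.org/form">Update your card details</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the 'site' part of a hostname as its last two labels.
    Simplification for the demo; real tooling should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_links(html):
    """Return [(href, [warnings])] for every anchor in the message body."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        warnings = []
        target = urlparse(href)
        # Tip 3: only HTTPS destinations should ever receive sensitive data.
        if target.scheme != "https":
            warnings.append("not https")
        # Tip 2: if the visible text looks like a URL or hostname, compare the
        # site it shows with the site the link actually goes to.
        shown = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and target.hostname:
            shown_site = registrable_domain(shown.group(1))
            actual_site = registrable_domain(target.hostname)
            if shown_site != actual_site:
                warnings.append(f"text shows {shown_site} but link goes to {actual_site}")
        findings.append((href, warnings))
    return findings


if __name__ == "__main__":
    for href, warnings in check_links(SAMPLE_HTML):
        print(f"{href}\n    -> {'OK' if not warnings else '; '.join(warnings)}")
```

Run as-is, the first link is reported clean, the second is flagged both for plain HTTP and for showing example-bank.com while actually leading to verify-account.example, and the third is flagged only for plain HTTP. This is exactly the comparison a user performs by hovering over a link, done for every link in the message and before the user has to make a judgement call.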

  4. Use strong passwords and two-factor authentication (2FA)

If you have online accounts, get into the habit of setting a strong, unique password for each so that a single stolen password does not give an attacker unlimited access. Your accounts may already have been compromised without you knowing, so adding that extra layer of protection through 2FA can stop ongoing attacks and lock out potential attackers.

  5. Don’t ignore those updates

Receiving numerous update messages can be frustrating, and it can be tempting to put them off or ignore them altogether. Don’t do this. Security patches and updates are released for a reason, most commonly to keep up to date with modern cyber-attack methods by patching holes in security. If you don’t update your browser, you could be at risk of phishing attacks through known vulnerabilities that could have been easily avoided.

  6. Install firewalls

Firewalls are an effective way to prevent external attacks, acting as a shield between your computer and an attacker. Both desktop firewalls and network firewalls, when used together, can bolster your security and reduce the chances of a hacker infiltrating your environment.

  7. Don’t be tempted by those pop-ups

Pop-ups aren’t just irritating; they are often linked to malware as part of attempted phishing attacks. Most browsers now allow you to download and install free ad-blocker software that will automatically block most of the malicious pop-ups. If one does manage to evade the ad-blocker though, don’t be tempted to click! Occasionally pop-ups will try and deceive you with where the “Close” button is, so always try and look for an “x” in one of the corners.

  8. Don’t give out important information unless you must

As a rule of thumb, unless you 100% trust the site you are on, you should not willingly give out your card information. Make sure, if you must provide your information, that you verify the website is genuine, that the company is real and that the site itself is secure.

  9. Have a data security platform to spot signs of an attack

If you are unfortunate enough to be the victim of a successful phishing attack, then it’s important you are able to detect and react in a timely manner. Having a data security platform in place helps take some of the pressure off the IT/Security team by automatically alerting on anomalous user behavior and unwanted changes to files. If an attacker has access to your sensitive information, data security platforms can help to identify the affected account so that you can take actions to prevent further damage.
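To make "alerting on anomalous user behavior and unwanted changes to files" concrete, here is an added example of the kind of rule such a platform applies; it is written for this article and is not Provide Technology's product or any specific vendor's logic. It runs over a constructed audit log (the users, IPs and paths are invented) and raises two kinds of alert: a login from a source IP never seen before for that user, and a burst of file modifications by one user inside a short window, the pattern a phished account typically shows right after the attacker signs in. The threshold and window are assumptions chosen for the sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log: "timestamp user action key=value". Not real data.
# alice normally works from 10.0.0.5 during the day; on 3 March an unknown
# address signs in at 02:14 and immediately changes six finance files.
SAMPLE_LOG = """\
2024-03-01T09:02:10 alice login ip=10.0.0.5
2024-03-01T09:05:44 alice file_modify path=/finance/q1-report.xlsx
2024-03-02T09:01:03 alice login ip=10.0.0.5
2024-03-02T09:40:20 alice file_modify path=/finance/q2-forecast.xlsx
2024-03-03T02:14:09 alice login ip=203.0.113.77
2024-03-03T02:15:01 alice file_modify path=/finance/q1-report.xlsx
2024-03-03T02:15:02 alice file_modify path=/finance/q2-forecast.xlsx
2024-03-03T02:15:03 alice file_modify path=/finance/payroll.xlsx
2024-03-03T02:15:04 alice file_modify path=/finance/vendors.csv
2024-03-03T02:15:05 alice file_modify path=/finance/bank-details.docx
2024-03-03T02:15:06 alice file_modify path=/finance/budget.xlsx
2024-03-03T09:00:12 bob login ip=10.0.0.9
2024-03-03T09:30:00 bob file_modify path=/hr/handbook.docx
"""

# Assumed tuning values for the demo; a real platform derives these per user.
BULK_THRESHOLD = 5                  # file changes ...
BULK_WINDOW = timedelta(minutes=10)  # ... within this window -> alert


def parse_events(text):
    """Turn log lines into (timestamp, user, action, {key: value}) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, detail = line.split(" ", 3)
        key, value = detail.split("=", 1)
        events.append((datetime.fromisoformat(ts), user, action, {key: value}))
    return events


def detect(events):
    """Replay events in time order and return a list of alert strings."""
    alerts = []
    seen_ips = defaultdict(set)         # user -> source IPs seen so far
    recent_changes = defaultdict(deque)  # user -> timestamps of recent file changes
    bulk_alerted = set()                 # one bulk alert per user per run
    for ts, user, action, detail in sorted(events, key=lambda e: e[0]):
        if action == "login":
            ip = detail["ip"]
            # A user's very first login establishes the baseline; after that,
            # any address not in the baseline is worth a look.
            if seen_ips[user] and ip not in seen_ips[user]:
                alerts.append(f"{ts.isoformat()} {user}: login from new IP {ip} "
                              f"(previously seen: {', '.join(sorted(seen_ips[user]))})")
            seen_ips[user].add(ip)
        elif action == "file_modify":
            window = recent_changes[user]
            window.append(ts)
            while window and ts - window[0] > BULK_WINDOW:
                window.popleft()        # drop changes older than the window
            if len(window) >= BULK_THRESHOLD and user not in bulk_alerted:
                bulk_alerted.add(user)
                alerts.append(f"{ts.isoformat()} {user}: {len(window)} file modifications "
                              f"within {BULK_WINDOW}; latest: {detail['path']}")
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample log this produces two alerts for alice and none for bob: the new-IP alert fires the moment the unfamiliar address logs in, and the bulk-modification alert fires at the fifth change, while the attacker is still active. Both name the affected account, which is the information the article says you need in order to contain the damage.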

  10. End user training

A study has found that, regardless of how good a system you have in place, an untrained end user still has a chance of falling victim to a phishing attack. A well-structured training program will therefore help end users identify a phishing email.

A certain budget should be allocated towards the training and awareness of employees regarding this issue, and regular tests need to be held in order to ensure that employees are fully prepared to combat such scams. Tests should be conducted every 6 months to keep employees vigilant and keep the new employees up to date with the program.


I got phished. Now what?

Once attacked by malware, time is of the essence when it comes to cleaning and securing your environment.

The longer the attacker has control over your data and credentials, the higher the risk there is for data loss, increased ransom fees (depending on the type of data they access), and a wider spread of infection.

It’s crucial that you contact your IT service provider as soon as there’s a suspected infection.

As a user, you must understand that a phishing attack affects the whole organization. While it may sometimes seem like it’s the better option, DON’T try to solve it yourself as this may cause more harm than good.

Provide Technology uses a system that allows us to conduct a simulated phishing attack on your staff to check their ability to recognise a phishing email.

To find out more about phishing or how we can help educate your team on how to protect themselves against phishing attacks, get in contact with the team at Provide Technology today.