Phishing is a cyberattack method in which attackers trick their victims into handing over personal information. Usually, this takes place through email or text message. Bank information, credit card details, home addresses, Social Security numbers, and of course, usernames and passwords, are types of information and personally identifiable information (PII) obtained through phishing. This information can be used for financial benefits, either directly or by selling the stolen data on the dark web. The blog post will explain the different methods used for phishing and how to avoid them.
6 Phishing Methods
Let’s look at the most common types of phishing attacks.
1. Mass Phishing
This is the main type of phishing and what we often think of when we hear the word. In mass phishing, the same emails or messages are sent to a very large number of people. They attempt to trick people into providing information. For example, by asking them to change their passwords on a spoofed website, or to download malware. These emails might clone a trustworthy entity (see “Clone Phishing”) or they might scare, extort or use other depiction methods. The “success” of this method is based on the fact that even if only a small percentage buy into the scam, a small percentage of a huge number is still a large number.
2. Spear Phishing
Spear phishing is phishing that targets specific individuals and companies, rather than everyone and anyone. Messages are personalized for each victim, which increases the chances of them being opened, resulting in a security breach. Spear phishing messages are created after extensive research, including studying the sender’s behavior, language, contacts, various event dates, and more. The data can be collected through various methods, from social engineering to reading the victim’s emails.
3. Whale Phishing
Whale phishing is a type of spear phishing that targets high-level executives or influential individuals. It is a lucrative attack for the adversaries, because these individuals have access to entire networks and to financial resources.
4. Clone Phishing
We often think of phishing as a poorly-worded email asking us to transfer money to an account in a country far away. However, nowadays many phishing emails and messages have an authentic look and feel to them. They appear as if they’re coming from a trustworthy entity, like a bank or the government.
#phishing
CA - Canada Revenue Agency
/rracanadian.com
Detected 2021-02-06 20:07:30
proxy /3c8x1.com/00/
(Proxy detected from timediff on pDNS records)
IP 8.208.88.7
NS /dnspod.com pic.twitter.com/ScczbJIVFu
— Gizmo (@TeamDreier) February 6, 2021
In fact, many times the only difference between the real and the phishing email is one detail. It could be a link in the email, which leads to a spoofed website, or a supposedly legitimate phone number for further inquiries. This phone leads to the attacker, who poses over the phone as the entity, thus making the attack seem even more trustworthy.
5. Vishing and Smishing
Phishing does not just take place by email. Phishing can take place over the phone (vishing - voice phishing) and through a text message (smishing - SMS phishing). The idea is the same - to trick an individual into providing personal information that will be used against them.
6. Catphishing
Catphishing is a phishing method that targets individuals through a social media disguise. The attacker poses on social media as an individual she/he is not, and tricks the victim into divulging personal details.
4 Ways to Protect Your Organization from Phishing
Phishing attackers invest a lot of resources into their attacks, and the stakes are high for organizations. The average loss from a spear phishing attack is $1.6 million. Here are four ways you can protect your business network and employees from phishing scams.
1. MFA or 2FA
Multi-factor authentication (MFA) and two-factor authentication (2FA) require additional validation from the user, beyond just their password. These extra factor can include one-time passwords, tokens, biometric information and location data. Both MFA and 2FA can be implemented at the entry point of networks and can also be used for accessing specific assets or environments. Enforcing these advanced authentication methods improves security significantly.
2. Employee Education
A remarkable 30% of phishing emails are opened by users. Encourage your employees to question any message or email that attempts to access their personal data, including data about their personal habits and lives. Train employees to identify attacks, and provide support personnel to help identify if an email is a phishing attack.
3. Firewalls
Firewalls can filter and prevent malicious activities and attackers, which reduces the number and severity of phishing attacks. However, firewalls can be penetrated and they are not effective for a remote workforce.
4. Zero Trust
Zero trust is a security model that continuously validates users and devices, inside and outside of the company network. By trusting no one inherently, the zero trust model does not enable attackers who have penetrated the network to gain access to sensitive assets, like email servers or personal computers. In fact, they will not even see which assets exist in the network. By implementing zero trust, organizations can keep their data safe even after a successful phishing attack.
Looking Forward
Many attackers use phishing for financial benefits, or just to wreak havoc in organizations. Implementing security solutions like zero trust access will help prevent these attackers from gaining access to your network and from causing catastrophic harm if they are already inside.
