Phishing is an attack in which the attacker impersonates someone the victim trusts and tricks them into handing over sensitive information, usually by email or text message. Bank account details, credit card numbers, home addresses, Social Security numbers and, above all, usernames and passwords are the kinds of PII obtained this way. The attacker monetizes the data either directly or by selling it on the dark web. This blog post explains the main phishing methods in use and how to defend against them.
6 Phishing Methods
Let’s look at the main types of phishing that take place today.
1. Mass Phishing
This is the most common type of phishing and what most people picture when they hear the word. In mass phishing, the same email or message is sent to a very large number of recipients, asking them, for example, to reset their password on a spoofed website or to open an attachment that installs malware. These messages may imitate a trustworthy organization (see "Clone Phishing") or rely on fear, extortion or other pressure tactics. The method "succeeds" because even if only a small percentage of recipients fall for the scam, a small percentage of a huge number is still a large number.
2. Spear Phishing
Spear phishing targets specific individuals or companies rather than anyone and everyone. Each message is personalized for its victim, which greatly increases the chance that it is opened and acted on. Spear phishing messages are crafted after extensive research into the target: their role, writing style, contacts, upcoming events and deadlines, and more. That data can be gathered in many ways, from social engineering and public profiles to reading the victim's email after an earlier compromise.
3. Whale Phishing
Whale phishing is spear phishing aimed at senior executives or other influential individuals. It is lucrative for the adversary because these people have broad access across the organization and the authority to approve large payments.
4. Clone Phishing
We often think of phishing as a poorly-worded email asking us to transfer money to an account in a country far away. However, nowadays many phishing emails and messages have an authentic look and feel to them. They appear as if they’re coming from a trustworthy entity, like a bank or the government.
Embedded tweet:
"CA – Canada Revenue Agency
Detected 2021-02-06 20:07:30
(Proxy detected from timediff on pDNS records)
NS /dnspod.com pic.twitter.com/ScczbJIVFu"
— Gizmo (@TeamDreier), February 6, 2021
Often the only difference between the genuine email and the clone is a single detail: a link that leads to a spoofed website under a lookalike domain, or a "customer service" phone number for further inquiries. That number connects to the attacker, who answers as the impersonated organization, which makes the whole exchange seem even more legitimate.
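The tells described above can be checked mechanically. The following Python script is an added example, not code from the original post or from Cyolo: it applies the checks a mail-filtering rule or a help-desk analyst would run on a suspicious message (does the sender's domain merely resemble a trusted one, does a link's visible text name a different host than its href, does the link host nest a trusted brand name or use a punycode label). The trusted-domain allow-list and the CRA-themed sample email are constructed for the example; every domain in it is a placeholder, not real phishing infrastructure.

```python
"""Clone-phishing tells: lookalike sender, text/href mismatch, punycode host.
Heuristics only (no public-suffix list); standard library only."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of domains the organization trusts mail and links from.
TRUSTED = {"canada.ca", "example-bank.com"}


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.found, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance; one or two edits between domains is the typosquat range."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable domain: the last two labels."""
    return ".".join(host.lower().split(".")[-2:])


def is_lookalike(host):
    """True if host is not trusted but resembles, or embeds, a trusted domain."""
    try:  # turn xn-- labels back into the characters the victim would see
        host = host.lower().encode("ascii").decode("idna")
    except UnicodeError:
        host = host.lower()
    dom = registrable(host)
    if dom in TRUSTED:
        return False
    return any(edit_distance(dom, t) <= 2 or t.split(".")[0] in host for t in TRUSTED)


def analyze(raw_message):
    """Return (kind, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    sender_domain = msg["From"].addresses[0].domain
    if is_lookalike(sender_domain):
        findings.append(("lookalike-sender", sender_domain))
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    parser = _Anchors()
    parser.feed(body.get_content())
    for href, text in parser.found:
        host = (urlparse(href).hostname or "").lower()
        shown = None  # only treat the anchor text as a URL if it looks like one
        if "." in text and " " not in text:
            shown = urlparse(text if "://" in text else "//" + text).hostname
        if shown and registrable(shown) != registrable(host):
            findings.append(("text-href-mismatch", f"{shown.lower()} -> {host}"))
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(("punycode-host", host))
        if is_lookalike(host):
            findings.append(("lookalike-link", host))
    return findings


# Constructed sample: a CRA-themed clone with a lookalike sender, a link whose
# text and destination disagree, a punycode (homograph) host, and one real link.
IDN_HOST = "www.canad\u00e1.ca".encode("idna").decode("ascii")  # www.xn--...ca
SAMPLE = f"""\
From: Canada Revenue Agency <refunds@canada-ca-refund.com>
To: employee@example.com
Subject: Your refund is ready
Content-Type: text/html; charset="utf-8"

<p>Claim it here: <a href="https://www.canada.ca.refund-claims.com/login">https://www.canada.ca/refund</a></p>
<p>Or sign in at <a href="https://{IDN_HOST}/login">Sign in</a></p>
<p><a href="https://www.canada.ca/en/privacy">privacy notice</a></p>
""".encode()

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE):
        print(f"{kind:20} {detail}")
```

Run against the sample, the script flags the sender domain, the first link (its text shows canada.ca while the href resolves under refund-claims.com, and the host embeds the brand name) and the second link (a punycode label that decodes to a one-character variant of the trusted domain), while the genuine privacy link produces no finding. The "last two labels" rule and the brand-substring check are deliberately simple; a production filter would use a public-suffix list and a tuned threshold.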
5. Vishing and Smishing
Phishing does not just take place by email. Phishing can take place over the phone (vishing – voice phishing) and through a text message (smishing – SMS phishing). The idea is the same – to trick an individual into providing personal information.
6. Catphishing
Catphishing is phishing conducted through a fake social media identity. The attacker poses on social media as someone they are not, builds a relationship with the victim, and uses it to extract information.
4 Ways to Protect Your Organization from Phishing
Phishing attackers invest a lot of resources into their attacks, and the stakes are high for organizations. The average loss from a spear phishing attack is $1.6 million. Here are four ways you can protect your business network and employees from phishing scams.
1. MFA or 2FA
MFA (multi-factor authentication) and 2FA (two-factor authentication) require the user to prove something beyond a password: a one-time code or hardware token (something you have), a biometric (something you are), or contextual signals such as location. It is usually enforced at the entry point of the network, but can also gate access to specific assets or environments. MFA raises the bar considerably, but not all factors are equal: a one-time code typed into a lookalike page can be relayed to the real site by the attacker in real time, whereas FIDO2/WebAuthn credentials are bound to the site's origin and cannot be replayed from a spoofed one.
Cyolo implements MFA authentication at network entry points.
2. Employee Education
30% of phishing emails are opened by users. Encourage employees to question any message that asks for credentials or personal data, including details about their habits and private lives. Train them to recognize the tells of an attack, and give them an easy way to forward a suspicious message to support staff who can confirm whether it is phishing.
3. Firewalls
Firewalls can filter out known malicious domains and block connections to phishing sites, which reduces the number and severity of successful attacks. However, firewalls can be bypassed, and they offer little protection to a remote workforce whose traffic never crosses the corporate perimeter.
4. Zero Trust
Zero trust is a security model that continuously validates users and devices, whether they are inside or outside the company network. Because nothing is trusted by default, an attacker who has phished one set of credentials does not automatically gain access to assets such as email servers or workstations; they cannot even enumerate which assets exist on the network.
Zero trust also helps identify compromised accounts, for example through anomalies in user behavior, and denies them access to assets rather than letting a single successful login stand. Access is re-authenticated continuously through methods such as MFA. As a result, the organization stays protected even after a phishing attack has succeeded against one user.
Many attackers use phishing for financial benefits, or just to wreak havoc in organizations. Implementing security systems will help prevent these attackers from gaining access to your network and users, from inside and out. To see how Cyolo can help you prevent phishing attacks, request a demo today.