A Refresher on the Ancient Art of Phishing
Phishing is one of the oldest tricks in the cybercrime playbook. It first hit the digital scene in 1995, at a time when millions flocked to America Online (AOL) every day. If we know one thing about cybercriminals, it’s that they tend to follow the masses. In the early days phishing attempts were easily spotted due to link misspellings, odd link redirects, and other such giveaways. Today’s phishing lures are personalized, technically polished, and delivered through new channels. So, let’s take a look at the different types, along with real-world examples and how you can recognize a phishing lure.
Be Wary of Suspicious Emails
Every day, users receive thousands of emails. Some are important, but most are just plain junk. These emails are usually filtered into a spam folder, where phishing emails are often trapped as well. Despite the spam filtering on most email services, a phishing message can occasionally slip through the cracks into your primary inbox. These messages almost always convey a sense of urgency, with requests that require the user to enter sensitive information or fill out a form through an external link. They can take on many personas, such as banks, popular consumer services, and universities. As such, always stay vigilant and verify the sender before giving away any information.
Link manipulation is a close cousin of email phishing. The cybercriminal sends users a link to a malicious website under the ruse of an urgent request or deadline. After clicking the deceptive link, the user lands on the cybercriminal’s fake website rather than the legitimate one and is asked to enter or verify personal details. Before clicking, hover over the link (or long-press it on a phone) to see where it really points, and to check whether a request is genuine, contact the organization through a channel you already trust, such as the number on your card or a bookmarked site, rather than any contact details given in the message.
Corporate executives have always been high-value targets for cybercriminals. That’s why phishing aimed at chief officers has its own name: whaling. In this sophisticated, personalized attack, a cybercriminal attempts to manipulate the target into handing over money, trade secrets, or employee information. With the rise of cybersecurity awareness over the past decade, organizations have become smarter and, in turn, whaling has slowed down. Before the slowdown, however, many companies suffered data breaches through a related scheme: cybercriminals impersonating high-level executives and asking lower-level employees for company information or payments (often called CEO fraud or business email compromise). To avoid both variants, train any and all members of your organization to identify phishing, require unique, strong passwords on all devices and accounts, and insist that requests for money or sensitive data be confirmed through a second channel, even when they appear to come from the top.
Spear Target Acquired
Just as email spam and link manipulation are phishing siblings, so too are whaling and spear-phishing. While whaling targets the executive level of a specific organization, spear-phishing targets specific individuals or teams elsewhere in that organization. Just as selective and sophisticated as whaling, spear-phishing aims to gain access to critical information, such as staff credentials, intellectual property, customer data, and so on. Spear-phishing tends to be more lucrative than an ordinary phishing campaign, which is why cybercriminals take more care in researching the target and fabricating a believable pretext, often drawing on details from social media and company websites. To avoid falling for this scheme, employees must have proper security training so they know how to spot a phishing lure when they see one.
With so many things to click on a website, it’s easy to see why cybercriminals would take advantage of that. Content spoofing is based on exactly that notion: the cybercriminal alters a section of content on a trustworthy page (an injected link, banner, or form) so that it redirects to an illegitimate website, where the victim is then asked to enter personal details. The best way to steer clear of this scheme is to check that the URL in the address bar still belongs to the site’s primary domain before entering anything.
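Both link manipulation and content spoofing come down to one check: does the place a link actually goes belong to the domain the user believes they are visiting? The Python script below is an added example, not code from the original post, that runs that check over the anchors in a constructed HTML email. The message, the domains, and the IP address are all invented for illustration (example.com, example.net, and 203.0.113.0/24 are reserved for documentation). It flags three classic tricks: visible text that names one domain while the href points at another, a `user@host` prefix that browsers ignore so the real host is hidden after the `@`, and links to a bare IP address. The registrable-domain helper is a deliberate simplification (last two labels); real code should use the public suffix list.

```python
"""Flag HTML e-mail links whose visible text names one domain while the
href actually lands somewhere else (added example, not from the post)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message. Every domain and address here is made up
# (example.com / example.net / 203.0.113.0/24 are reserved for docs).
SAMPLE_HTML = """
<p>Your account has been locked. Verify within 24 hours:</p>
<a href="https://secure-login.example.net/verify">https://www.bank.example.com/verify</a>
<p>Or sign in at
<a href="https://www.bank.example.com@203.0.113.5/login">www.bank.example.com</a></p>
<p>Questions? Contact <a href="https://www.bank.example.com/help">support</a>.</p>
<p><a href="https://news.bank.example.com/u">news.bank.example.com</a> to unsubscribe.</p>
"""


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Use the public suffix list in real code."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text: str):
    """Hostname a URL or bare hostname refers to, or None if it isn't one."""
    s = text.strip()
    if "://" not in s:
        s = "https://" + s
    try:
        host = urlsplit(s).hostname
    except ValueError:
        return None
    return host if host and "." in host else None


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_suspicious_links(html: str):
    """Return [(href, visible_text, [reasons])] for links worth a second look."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        target = urlsplit(href)
        real_host = target.hostname or ""
        reasons = []
        # Browsers treat everything before '@' as userinfo, so
        # "www.bank.example.com@203.0.113.5" really goes to 203.0.113.5.
        if target.username is not None:
            reasons.append("userinfo before '@' disguises the real host")
        try:
            ipaddress.ip_address(real_host)
            reasons.append("link goes to a bare IP address, not a named host")
        except ValueError:
            pass
        # Visible text that looks like a host/URL must agree with the href.
        shown_host = host_of(text)
        if shown_host and registrable_domain(shown_host) != registrable_domain(real_host):
            reasons.append(f"text shows {shown_host} but link goes to {real_host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in find_suspicious_links(SAMPLE_HTML):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   -", reason)
```

Run it and the two malicious anchors are reported while the genuine `support` and `news.bank.example.com` links pass; the same logic can be dropped into a mail-gateway hook or a browser extension, which is where the "hover and compare" advice above gets automated.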
Phishing in a Search Engine Pond
When users search for something online, they expect reliable results. Sometimes, though, phishing sites sneak their way into the results, even on a big-name search engine. This tactic is called search engine phishing: the attacker games search rankings or buys ads so that a malicious page appears among legitimate results. Users are drawn to these sites by steep discounts on products or services, but when they go to buy, the deceptive site harvests their payment and personal details. To stay secure, be especially wary of sponsored results and ads, and when in doubt navigate to the official site directly. Remember, if it’s too good to be true, it probably is.
Who’s That Caller?
With new technologies come new avenues for cybercriminals to try their schemes. Vishing, or voice phishing, is one of them. In a vishing attempt, cybercriminals call the target, often with a spoofed caller ID so the call appears to come from a bank or government agency, and pressure them to read out account numbers, one-time codes, or other personal details, or to call back a number the attacker controls. For example, just last year, a security researcher received a call purporting to be from their financial institution, saying that their card had been compromised. Instead of offering a replacement card, the caller suggested simply blocking any future geographic-specific transactions. Sensing something was off, the researcher hung up and dialed the bank directly; it had no record of the call or of the fraudulent card transactions. This scenario, as sophisticated as it sounds, reminds users to always verify directly with the business, using a number you already trust, before sharing any personal information.
As you can see, phishing comes in all shapes and sizes.
This blog only scratches the surface of all the ways cybercriminals lure unsuspecting users into phishing traps. The best way to stay protected is to invest in comprehensive security solutions for yourself and your business, and of course to stay updated on new phishing scams and cybersecurity as a whole.