Phishing is the attempt to obtain sensitive information including but not limited to usernames, passwords, and credit card details by someone posing as a legitimate entity in an electronic communication. It is a type of cyberattack that targets the user through social engineering instead of directly compromising the computer or network system.
How serious a threat is phishing in 2020? Well, according to APWG’s Phishing Activity Trends Report for Q3 2019, phishing attacks rose in prevalence to a level that hasn’t been observed since 2016. Furthermore, Cofense’s Phishing Threat and Malware Review 2019 found that almost 74 percent of phishing attacks between October 2018 and March 2019 involved credential phishing—stealing usernames and passwords.
How Phishing Can Be Accomplished
There are numerous methods used by attackers that are modified and updated regularly, but the following are currently the most prevalent methods:
Spear Phishing Attacks
These are customised attacks targeting specific individuals rather than groups or organisations. The attacker studies the target through their social media accounts and other publicly available online information, then uses that data to tailor the communication to the victim and make it look authentic. When the victim is a high-profile individual, spear phishing is called whaling.
Business Email Compromise (BEC)
A business email address is one that has a company name after the @ symbol, for example ‘email@example.com’, as opposed to the common ‘@gmail.com’ or ‘@yahoo.com’. When an attacker gains access to such an account, recipients are more likely to believe what is sent from it, especially within that company but also at businesses it normally communicates with. The Austrian aerospace parts manufacturer FACC fell victim to such an attack and lost $47 million.
Social Media Attacks
These are social media posts that contain links to malicious websites or carry malware payloads (programs meant to infect and take over target devices). Social media has become a popular attack medium besides email because it is easier to create fraudulent accounts and carry out spear phishing there. In 2017, a high-profile state-level attack targeting over 10,000 employees of the United States Department of Defense highlighted the value social media can hold for cybercriminals.
Smishing (SMS/Text Phishing) And Vishing (Voice Phishing)
An attack vector where the victim is sent an SMS or a voice call and convinced to reveal sensitive data, for example by following a link, because they assume they are talking to a trusted party. This is a popular method because people are generally more likely to open a link from a text message than from an email, and phone security is lower than that on computers.
According to Gartner, text messages are read over 98% of the time compared to 20% of emails, and 45% of messages are replied to, compared to 6% of emails. This is a huge opportunity that cybercriminals using smishing exploit.
Common Features of Phishing
There are several ways to identify that a communication such as an email may be a phishing attack. If one spots any of the following features, the communication is likely to be a phishing attempt:
Too Good to Be True
Many phishing emails contain offers for products or services that the recipient is not normally eligible for. They may claim the recipient has won an expensive item, a new car, or even a large cash prize. These are meant to entrap the victim and should be ignored as too good to be true.
Sense of Urgency
When a phishing communication gives the recipient a very short time to respond, the aim is to leave no time for fact-checking. Many contain statements like, “Hurry, this offer is only valid for the next hour!” These “super deals” or threats of account closure are meant to induce panic or a kind of tunnel vision so that the victim does not make a rational decision about following the instructions.
Hyperlinks
Phishing scams often provide spoofed internet links that look genuine at first glance. However, these links are often insecure, redirect to spoof websites, or both. The link text is designed to look genuine, but the actual hyperlink behind it points elsewhere. Combined with the sense of urgency described above, the victim is lured to a website where they are led to surrender usernames and passwords.
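A defender-side check for exactly this mismatch, added here as an example and not part of the original article: it parses an HTML message body (the sample below is constructed, not a real message) and flags anchors whose visible text names a different host than the real href, or whose real target is plain HTTP.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample: visible text shows the bank's domain, real href does not.
SAMPLE_EMAIL_HTML = """
<p>Your account will be closed in 1 hour. Verify now:</p>
<a href="http://login-verify.example.net/acct">https://www.bank.example/login</a>
<p>Questions? Visit <a href="https://www.bank.example/help">https://www.bank.example/help</a></p>
"""

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently being read, if any
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    """Lower-cased host if url is an http(s) URL, else ''."""
    is_url = re.match(r"^https?://", url, re.I)
    return (urlparse(url).hostname or "").lower() if is_url else ""

def find_deceptive_links(html):
    """Return (href, text, reasons) for links whose shown host differs from the real one or whose real target is http."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown, real = _host(text), _host(href)
        reasons = []
        if shown and shown != real:
            reasons.append(f"text shows {shown} but link goes to {real}")
        if href.lower().startswith("http://"):
            reasons.append("link is insecure (http)")
        if reasons:
            findings.append((href, text, reasons))
    return findings
```

Links whose visible text is a plain label rather than a URL are not flagged by the host comparison, so this check complements, rather than replaces, hovering over a link before clicking it.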
Unusual Sender
Potential targets of phishing receive a communication from a sender they know, such as a boss or a colleague in another department, but from whom they would not normally expect to hear. The message is usually framed as urgent so that it appears to be an emergency.
Is your company prepared for phishing?
Companies today must deploy frequent cybersecurity awareness training tailored to the organisation in order to minimize possible attack vectors.
Let the professionals at ASB Resources help your company find quality security professionals, and build the agility you need to stay ahead of phishers who are constantly tweaking their methods. Schedule a call with one of our experts today!