Now that more people are becoming ‘educated’ about the internet and how it works, you might think that phishing and social engineering scams are a thing of the past, but they are more common now than before.
However, phishing attacks are actually still very common, with a relatively high success rate. In the 2020 edition of Verizon’s Data Breach Investigations Report (DBIR), phishing was the second most prominent threat variety in overall cybersecurity incidents and the number one cause for data breaches.
We can only expect phishing to become even more prominent in 2021 and onwards. Many attackers have leveraged the COVID-19 situation in their phishing attacks (e.g., offering vaccines and ‘secret cures’).
Thus, phishing attacks remain a very prominent threat to both organizations and individuals. Here we will discuss the most common phishing scams and some actionable tips to protect against them.
How Does a Phishing Attack Work?
The name ‘phishing’ is a modified version of ‘fishing,’ referring to how the cybercriminal is attempting to ‘fish’ a user with a sneaky lure.
While there are various types of phishing attacks executed with different techniques, in its basic principle, a phishing attack attempts to trick a user into entering confidential information like their PII (Personally Identifiable Information like full name and physical address), banking details, login credentials, and more.
The most common phishing attacks are launched by contacting the target over emails, although nowadays, the attackers can use other channels like social media to approach the target.
A key characteristic of a phishing attack is the attacker will attempt to impersonate someone or an organization the target is familiar with while invoking a sense of alarm or loss of security.
For example, the attacker may impersonate the victim’s HR manager and ask for the victim’s banking information so the ‘company’ can send the target’s salary. The attacker may convince the victim that the company they work for lost their banking information.
According to Symantec, around 135 million phishing emails like this are being sent every single day.
Another common phishing technique is a notification that the target has won prizes in fake lotteries or contests. The victims are asked to enter their personal details to claim this prize. Most likely, you’ve experienced this type of phishing attack in the past.
In most cases, phishing aims to harvest the victim’s sensitive information and personal data. Still, there are also cases where the phishing attack is used to deploy malware or ransomware, for example, by fooling the victim into clicking a link to a fraudulent website or downloading an attachment filled with malware.
Below, we will further discuss the different types of common phishing scams.
Different Types of Common Phishing Scams
1. Traditional Phishing
Also called deceptive phishing, this is the most common type of phishing attack. As briefly discussed above, in this type, the attacker impersonates a legitimate company to harvest personal data.
To fool the spam filter, the attacker may include legitimate links in their emails, like the legitimate contact information of the company they are impersonating, and use other techniques like modifying the HTML attributes of the brand logos (some spam filters can spot usage of common logos).
There’s no single effective way to prevent these phishing attacks, but users should inspect the sender’s email address and link URLs carefully to check whether they lead to a suspicious website. Grammar and spelling errors are also a common sign of phishing emails.
2. Spear Phishing
Spear phishing targets specific individuals and personalizes their attacks to increase the success rate. This is commonly done by impersonating someone the target victim knows and trusts.
The attacker tailors their email details with the target’s name, position in a company they work in, work phone number, and other legitimate information in an attempt to fool the victim, for example, by pretending to be the victim’s boss.
However, the objective remains the same as in traditional phishing: tricking the victim into clicking a link, downloading an attachment, or handing over their sensitive data.
A subtype of spear phishing is the whaling attack, where the attacker likewise tailors the attack around a specific target, but the target is very high-profile: CEOs, big influencers, or even famous celebrities.
3. Vishing
While email remains the most popular method for launching phishing attacks, in vishing the attacker uses phone calls instead, mainly by setting up VoIP (Voice over Internet Protocol) lines to impersonate various entities and harvest sensitive or personal data.
For example, the attacker may target a company’s employees pretending to be the company’s IT support, attempt to confuse the target by using (not necessarily real) technical jargon, and then ask for the victim’s sensitive information to ‘fix’ the fake technical issue.
4. Pharming
Pharming combines the words ‘phishing’ and ‘farming’ and is typically described as a phishing technique that works without a ‘lure.’
Pharming typically involves a two-step process: first, the attacker installs malware (or other malicious programs) on the target’s device or server. That code then redirects the victim to a fraudulent site, where they may be tricked into giving up their personal information.
To protect against pharming attacks, we should encourage ourselves and our employees to only enter login credentials on websites served over HTTPS with a valid certificate. Anti-malware and anti-bot management solutions like DataDome are also important in preventing the initial malware infection that kick-starts the pharming attack.
5. Smishing
Smishing relies on text messages containing malicious links to fraudulent websites, which attempt to trick users into entering their personal information. In more sophisticated smishing attacks, the attacker can also use malicious links to trigger an automatic download of malware or malicious apps onto the target’s smartphone.
Another common attack vector is instructing the user to contact a fake ‘tech support’ line about fake issues on their device. The scammer then impersonates a legitimate customer service agent and attempts to trick the victim into giving up their personal information.
How To Protect Yourself from Phishing Attacks
As we can see, cybercriminals can use various techniques to launch their phishing attacks, and each method might demand different prevention measures to protect against them.
However, below are some important tips you can use to protect yourself from phishing attacks:
Educate Yourself and Your Team to Spot Phishing Symptoms
While there are sophisticated phishing attacks with specially crafted messages that look very authentic, no phishing attack is 100% perfect, and here are some key areas you should look at to identify an attempted phishing:
- Grammar and spelling errors
Especially common in less-sophisticated phishing attacks. Official messages from legitimate companies are very unlikely to contain grammar and spelling errors, so this can be a strong sign that the email is not legitimate.
- Phishing link and attachment
While sophisticated phishing attacks may contain an official-looking URL, in many cases it is a shortened URL, where the attacker hopes the victim won’t check the link and will click right away. Hover over links to reveal the real URL, and check the file names of attachments. If they look fake, never click on them.
- Sender address
A common trick used by many attackers is to make the sender address look almost legitimate, but typically the attacker can’t use the real address, and there will always be signs. For example, they can’t send from the real ‘paypal.com’ domain, so they create something like ‘paypal-intl.com’ as the email’s domain name instead.
In general, even if the message is crafted in detail and looks like it came from a legitimate source, it’s best to contact someone else in the company (e.g., the company’s legitimate customer support line that you already know) to confirm that they really sent the email.
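As an added example (not code from the original article), the following Python script automates three of the checks listed above: it compares the sender domain against a small allowlist of real brand domains to catch lookalikes such as ‘paypal-intl.com’, it flags links that go through URL shorteners, and it flags links whose visible text names a different host than the one they actually point to. The brand allowlist, the shortener list and the sample email are all constructed for this example and would be replaced with your own data in practice.

```python
"""Phishing-symptom checker for a raw email message (added example).

Uses only the Python standard library. KNOWN_BRANDS, URL_SHORTENERS and
SAMPLE_EMAIL are constructed for this example.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the only domains these brands legitimately send from.
KNOWN_BRANDS = {"paypal": {"paypal.com"}, "example-bank": {"example-bank.com"}}
# Constructed list of shortener hosts that hide a link's real destination.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def sender_domain(from_header):
    """Return the lowercased domain part of a From header."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def lookalike_brand(domain):
    """Return the brand a domain imitates, or None if legitimate/unrelated.

    A domain imitates a brand when it contains the brand name (for example
    'paypal-intl.com' contains 'paypal') but is neither one of the brand's
    real domains nor a subdomain of one.
    """
    for brand, real_domains in KNOWN_BRANDS.items():
        if any(domain == d or domain.endswith("." + d) for d in real_domains):
            return None
        if brand in domain:
            return brand
    return None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(html_body):
    """Flag shortened links and links whose text names a different host."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if host in URL_SHORTENERS:
            findings.append(f"shortened link hides destination: {href}")
        # If the visible text looks like a URL, compare its host with the real one.
        text_host = urlparse(text).hostname if "://" in text else None
        if text_host and text_host != host:
            findings.append(f"link text says {text_host} but points to {host}")
    return findings


def analyze_email(raw_message):
    """Return a list of human-readable phishing symptoms found in a raw email."""
    msg = message_from_string(raw_message)
    findings = []
    domain = sender_domain(msg.get("From", ""))
    brand = lookalike_brand(domain)
    if brand:
        findings.append(f"sender domain {domain} imitates {brand}")
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    findings.extend(link_findings(body))
    return findings


# Constructed sample message in the style of the lookalike-domain example above.
SAMPLE_EMAIL = """\
From: "PayPal Support" <service@paypal-intl.com>
To: user@example.com
Subject: Your account has been limited
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please verify your details within 24 hours:</p>
<a href="https://bit.ly/3xyzabc">https://www.paypal.com/login</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print("-", finding)
```

Running the script prints one line per symptom found in the sample message: the imitated sender domain, the shortened link, and the mismatch between the link text and its real target. The brand check deliberately treats subdomains of a real domain (such as ‘mail.paypal.com’) as legitimate so that genuine mail is not flagged.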
Install Anti-Malware and Anti-Bot Management Solutions
As discussed, attackers may attempt malware injection and may also use malicious spam bots to launch the attack.
It’s very important to protect your network and system from malware infection by using a proper anti-virus/anti-malware solution and to protect your system from malicious bot activities.
However, simply blocking all bots from entering our website or system is typically not a good idea, for two reasons:
- Not all bots are malicious. Alongside the bad bots operated by hackers and cybercriminals, there are good bots that benefit your site. You would not want to block Googlebot, which reads the content of your website and adds it to the Google index.
- The creators of malicious bots are getting more sophisticated at impersonating humanlike behaviors. They can visit other pages before executing their objectives while also using various technologies to mask their identity, like rotating between many different IP addresses. Differentiating these bots from legitimate human users can be a major challenge.
An adequate bot management solution is needed to tackle these issues. An AI-powered bot management solution like DataDome is recommended to properly detect and protect yourself from spambots launching common phishing scams.
Install Filtering Solutions
A Secure Email Gateway is a very important line of defense against phishing attacks, as it filters out malicious emails before they reach users. So, you might want to invest in a good email gateway that can block any email containing malicious links and/or attachments.
Nowadays, various vendors are offering this service. Many of them are cost-effective and easy to use.
You can also perform website filtering by using DNS or a web proxy to block your users from accessing suspicious phishing websites. Various DNS web filtering services are available that can be used right away to combat phishing attacks.
Strong and Unique Passwords
While using a strong password won’t directly protect you against phishing attacks, this practice is important so that when a credential is compromised through phishing, the attacker can’t reuse it to access your other accounts via brute-force and credential-stuffing attacks.
Make sure to use a long and complex password (at least ten characters, combining uppercase, lowercase, symbols, and numbers), and also make sure each password is unique: one password per account.
Nowadays, we can use a password manager tool, including Google’s free password manager, to easily generate and remember complex passwords.
Another important practice to consider is adding two-factor authentication (2FA) to processes that are prone to phishing attacks. For example, we can require 2FA in financial authorization processes that would otherwise authorize payments via email alone. This way, even if a user has been tricked into authorizing a payment via email, the second factor is still required, which prevents the actual payment from happening.
Since phishing scams, unlike most other types of cyber attack vectors, target the human element of the network or system, educating yourself and your team is the most powerful way to combat these attacks.
Even if you believe you are already an expert in spotting phishing emails, it’s best never to let your guard down as phishing emails and scams will continue to get more sophisticated, and some of them already look very legitimate.
The best way to protect yourself, your company, and your system from common phishing scams is to continuously educate yourself while at the same time also installing the right protection technologies to help detect and block the most current forms of phishing attacks.
Featured Image by Andrew Martin from Pixabay