5 Types of Phishing Attacks that Could Really Ruin Your Day
- by Brittany Day
Phishing is the favorite method of attack among cybercriminals, accounting for over 90% of all modern cyberattacks. This trend has only been magnified in recent years, with remote workers’ increased reliance on inadequately secured cloud email for business communications.
According to Guardian Digital researchers, phishing attacks have increased by 600% due to the pandemic and users are now three times more likely to interact with a malicious link than they were pre-COVID. Phishing comes in many forms, as attackers leverage email and other communication channels to steal from your business. When it comes to protecting against phishing, a combination of awareness and proactive, multi-layered email security technology is key. This article will introduce five types of phishing attacks to watch for and measures you can take to mitigate your risk.
What Is Phishing & How Does It Work?
Phishing is a type of digital attack in which threat actors send malicious emails intended to trick users into falling for a scam. The goal of a scam campaign is to get people to reveal their financial information, credentials, or other sensitive data. Spam emails are the first and most obvious type of phishing scam, aiming to lure users into giving attackers access to their devices. Other types of phishing are more sophisticated, however, and use social engineering methods to trick the victim.
Attackers will often collect background information beginning with a company email address, the names and job titles of intended victims from social media, and other openly available databases to make messages more credible. These attackers will even go so far as to create fake websites to steal a user’s passwords and credit card numbers.
Types of Phishing Attacks
In 2020 email cyberthreats rose 64%, but there are other communications channels used for phishing as well. This article covers the following five types of phishing attacks that organizations should be aware of:
- Email phishing
- Spear phishing
- Whaling
- Smishing and vishing
- Angler phishing
1. Cybercriminals Cast a Wide Net in Email Phishing Campaigns
Dating as far back as dial-up modems, the original phishing scam is a spam email sent to a huge group of targeted victims in an attempt to get users to send money, open a malicious link that installs malware without their knowledge, or visit a fake website built to steal money or information or to install malware.
This is a scam that people still fall for, and according to a survey done by SOES, 40% of companies report that their email security falls short, and 13% have no system in place at all. The majority of phishing attacks follow the same five phases: target, deliver, deceive, click, exploit.
2. Spear Phishing Attacks are Well-Researched & Highly Targeted
Spear phishing is a more specialized form of attack that targets specific users, after gaining personal information from online sources. Social media as well as the option to buy entire databases on the Dark Web have made it that much easier to design a highly convincing spear phishing message that can make its way into your inbox.
What separates spear phishing from regular phishing is that the email is often designed to appear as if it's coming from a coworker or a company the victim works with. Fake email addresses or websites are made to appear similar to the original. Paying close attention to the spelling, punctuation of the address, and grammar of the content in the message can help you spot the differences. Some attackers will also use a different domain, such as .net as opposed to .com, or add extra characters to a legitimate address, such as an underscore or dash.
3. Whaling Hits Senior Management
High-profile company executives, or “whales,” typically have complete access to sensitive data and the ability to authorize costly wire transfers, making them valuable targets for an attack. Whaling attacks are often successful due to the potentially high returns of these campaigns, so attackers will conduct extensive social engineering research on their targets to make their emails as authentic as possible.
Defenses against whaling and spear phishing are similar: both include security awareness training and filters that scan email attachments for malware and check the content of emails for indicators of phishing, such as misspelled addresses.
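The lookalike-address tricks described under spear phishing (a swapped top-level domain, an added dash or underscore) and the misspelled-address check that filters perform can be sketched as follows. This is an added example, not code from the article or from any product it mentions; the trusted domains, sample headers, and function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list: domains this (hypothetical) organization really uses.
TRUSTED_DOMAINS = {"example.com", "partner-bank.com"}

def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def strip_separators(label):
    """Drop the dash/underscore padding the article mentions."""
    return label.replace("-", "").replace("_", "")

def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return (verdict, trusted_domain_it_imitates) for a From: header value."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable", None
    domain = addr.rpartition("@")[2].lower()
    if domain in trusted:
        return "trusted", domain
    name, _, tld = domain.rpartition(".")
    for good in sorted(trusted):
        gname, _, gtld = good.rpartition(".")
        if name == gname and tld != gtld:
            return "tld-swap", good            # example.net posing as example.com
        if strip_separators(name) == strip_separators(gname):
            return "extra-separator", good     # ex-ample.com posing as example.com
        if edit_distance(domain, good) <= 2:
            return "misspelling", good         # examp1e.com posing as example.com
    return "unknown", None

if __name__ == "__main__":
    # Constructed sample headers, not taken from real mail.
    for header in ["Alice <alice@example.com>", "alice@example.net",
                   "IT Support <helpdesk@ex-ample.com>", "ceo@examp1e.com",
                   "news@unrelated.org"]:
        print(f"{header!r:40} -> {classify_sender(header)}")
```

An "unknown" verdict only means the domain does not resemble a trusted one; it says nothing about whether the message is safe. The distance threshold of 2 is an assumption and will produce false positives against very short trusted domains.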
4. Smishing & Vishing Attack Mobile Phones
Cell phones and other mobile devices are used for multiple functions, both personal and professional. Because of this, attackers developed a strategy for creating different types of phishing geared towards smartphones. Smishing uses texts, or SMS, to do the work that emails perform in traditional phishing. Vishing, on the other hand, uses voice messages and robocalls.
This is commonly seen in calls or texts allegedly from the Social Security Administration or Internal Revenue Service requiring a response, as well as fraud alerts purportedly from “Cardmember Services” that are typically paired with a request for personal information or a link to open.
The FCC (Federal Communications Commission) offers many common-sense guidelines, such as installing anti-malware software and making sure the operating system on each device is fully updated. Another way to keep your system secure is for your company to establish a bring-your-own-device policy that limits the actions employees can take and the access their devices have in the event of a smishing or vishing attack.
5. Angler Phishing Targets Social Media
Organizations use social media as a method of customer service, but attackers use the information found on social media as a model for phishing attacks. This method of attack uses social engineering directly from the customer’s social media activity to gain access and information.
Anglers look for social media posts where a customer complains about the service, intercept the communication, and respond to the customer via email or direct message on social media, offering to “make things right.” The customer then shares personal information or opens a link to a malicious website the attacker supplies. Much like spear phishing attacks, the fake site siphons personal information, installs malware, or performs other malicious acts on the victim’s system.
To defend against this kind of phishing attack, monitor social media interactions closely. Users must pay more mind to the warning signs of a fake account, such as a missing verified symbol. The company in question must also safeguard its online presence and publicly disclose when an angler phishing attack is detected so customers can contact customer service in other ways.
Staff training is the first line of defense against phishing attacks. Companies should use user testing, phishing drills, and other unscheduled training or phishing attack simulations to keep users prepared and on their toes. As new channels of communication open, attackers will follow, so your company must develop the awareness of vulnerabilities needed to counter them. Phishing attacks may not be entirely avoidable, but you can keep them from being successful with an effective third-party email security solution to safeguard your system and proper training for your employees.