The 6 most common types of phishing attacks
You are at your computer working when suddenly an email from your bank pops into your inbox. It is marked “High Priority” and asks you to change your internet banking password and PIN immediately, ostensibly to avoid fraud. You think it is from a trustworthy source, so you make the changes and then check the banking website. The site is unresponsive. You wait and check again. In the meantime, you are notified of several large purchases, and, before you know it, you have lost money. You have become the victim of a phishing attack!
Phishing is a form of fraudulent social engineering: communications that appear to come from a reputable source but are designed to steal personal data such as passwords, credit card authentication information, or even funds, and to install malware on the victim’s machine.
Phishing is a cyber-attack on individuals and organisations alike. Most people know what phishing is and how it works, but the frustrating thing is that they still get caught in its trap.
The six most common types of phishing and what can be done to mitigate them:
- Email Phishing: This is the most common type of attack. Attackers impersonate trusted entities such as banks or government authorities and send out mass emails. These emails convey high urgency, requesting an immediate response and sensitive information through fake links that enable the attackers to install viruses or malware and steal money from user accounts. The attack is launched en masse against all addresses to see which ones “bite”.
- Spear Phishing: Unlike mass email phishing, this is a targeted attack in which malicious emails are sent to specific individuals in an organisation. Attackers use the target’s name, position, work phone number and other seemingly legitimate information to trick the recipient into believing they have a connection with the sender. The goal is the same as with email phishing: to get the recipient to click on the fake URL and hand over personal data. Attackers scan the social media posts of specific individuals to profile them. They also host documents on cloud services such as Google Drive and Dropbox to entice users into opening them. Both email phishing and spear phishing can be countered by providing security awareness training to employees, discouraging users from posting sensitive information on social media and encouraging individuals to carefully examine salutations, grammar mistakes, spelling errors and URLs.
- Whaling Attacks: While spear phishing targets individuals and even CXO-level executives, whaling attacks are sharper. The attackers “spear” or “harpoon” a key executive. They do this by infiltrating organisation networks, following up with a phone call routed through a trusted agency to gain the target’s trust, and sending emails from trusted organisation partners. Once the executive’s email is compromised, sensitive authentication information is obtained, fraudulent wire transfers are conducted, and tax and benefit information of employees can be published on the dark web. Executives need to participate regularly in awareness training, and organisations should implement multi-factor authentication in their financial authorisation workflows so that multiple authorisations are required to complete a transaction.
- Vishing: In addition to email, attackers use other media to execute their attacks. Vishing is phishing conducted over a phone call. The fraudulent caller uses VoIP (Voice over Internet Protocol) servers to deliver mostly automated IVRS-like messages that appear to come from legitimate entities such as banks, insurers or government institutions. During the call, the recipient is told that urgent action is needed, such as renewing their insurance, after which personal information such as credit card details and other credentials is solicited, obtained and used to steal data and/or funds. Users can avoid vishing attacks by not answering calls from unknown numbers, using a caller ID app and never giving out personal information over a call.
- Smishing: SMS phishing is used by attackers to send text messages that appear to come from legitimate sources and contain malicious links, often disguised as offers or discounts. If in doubt, users can call the company named in the suspicious SMS message for confirmation, or simply not click on an unknown URL.
- Social Media Phishing: Attackers exploit users on social media by impersonating well-known brands and creating fake accounts, or by tracking victims’ preferences and choices, luring them into sharing personal and sensitive information and then inviting them to click on malicious links. Users are cautioned to be mindful on social media accounts such as Facebook, Twitter and Instagram and to exercise extra caution when prompted to click on a link or when being redirected to other websites from there. Checking the URL is a good habit for sniffing out unfamiliar websites.
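The spear phishing and social media items above both recommend examining URLs carefully. The following Python script is an added example, not code from the article, showing what “checking the URL” looks like when automated for a defender: it pulls every link out of a constructed sample email and flags the signs a trained user would look for, namely display text that names one site while the link goes to another, a raw IP address as host, punycode (IDN) hostnames, a known brand name on a domain the brand does not own, and unencrypted http links. The sample email, the `KNOWN_BRANDS` table and the two-label rule in `registered_domain` are assumptions chosen for illustration (real deployments would use a public-suffix list).

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample email body (not from the article): one lookalike link,
# one raw-IP link, and one genuine link to the bank's real site.
SAMPLE_EMAIL_HTML = """
<p>Dear Customer, your account has been locked. Please
<a href="http://examplebank.com.security-check.example">https://www.examplebank.com/login</a>
to restore access within 24 hours.</p>
<p>Or use <a href="http://198.51.100.23/login">our secure portal</a>.</p>
<p>Help centre: <a href="https://www.examplebank.com/help">https://www.examplebank.com/help</a></p>
"""

# Assumed allow-list: brand names the organisation expects mail from, and the
# registered domain each brand actually owns.
KNOWN_BRANDS = {"examplebank": "examplebank.com"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    This simple rule is an assumption that is adequate for .com-style TLDs;
    a production checker would consult the public-suffix list instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_host(host: str) -> bool:
    """True when the host part of a URL is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(href: str, text: str) -> list:
    """Return the reasons a link looks suspicious; an empty list means nothing was flagged."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""  # urlparse lower-cases the hostname for us

    if is_ip_host(host):
        reasons.append("host is a raw IP address")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (IDN) hostname")

    # If the visible link text is itself a URL, its site must match the real destination.
    shown = text.strip()
    if re.match(r"https?://", shown):
        shown_host = urlparse(shown).hostname or ""
        if registered_domain(shown_host) != registered_domain(host):
            reasons.append(f"displayed host {shown_host} differs from real host {host}")

    # A known brand name appearing in the host while the registered domain is not the brand's.
    reg = registered_domain(host)
    for brand, legit_domain in KNOWN_BRANDS.items():
        if brand in host and reg != legit_domain:
            reasons.append(f"brand '{brand}' used on non-brand domain {reg}")

    if parsed.scheme == "http":
        reasons.append("unencrypted http link")
    return reasons


def scan_email(html: str) -> dict:
    """Map each flagged href in the message to its list of reasons."""
    findings = {}
    for href, text in ANCHOR_RE.findall(html):
        visible_text = re.sub(r"<[^>]+>", "", text)  # strip any nested tags
        reasons = analyse_link(href, visible_text)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL_HTML).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the lookalike link is flagged on three counts (display/destination mismatch, brand name on a foreign domain, plain http), the raw-IP link on two, and the genuine help-centre link on none. The mismatch between visible text and real destination is the check that matters most here, because it is exactly the trick a user cannot see without hovering over or inspecting the link.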