E-mail phishing is one of the most frequent threats we face. Most of us know what it is and how it works, yet we still fall for the tricks.
The scam, in which criminals send messages that masquerade as coming from legitimate organizations, is run against organizations and individuals in enormous volumes every day. The messages either direct recipients to a bogus website that captures their personal information or carry a malicious attachment.
The modern credential-harvesting phishing attack is easy to pull off and even easier to fall for. This is the process:
The hacker sends a phishing email.
You're encouraged to click on a link and perform a task.
The link takes you to a phony web page that imitates the real login page.
You are tricked into entering your email address and password.
The hacker retrieves your password from their server.
The hacker exploits your harvested credentials, for example by logging in to your accounts as you.
Remember, your speed in clicking that link is what the cybercriminal counts on.
Although the ultimate goal is always the same, criminals have found many ways to launch their attacks.
Here Are Some Of The Most Common Ways In Which They Target People:
1. Email Phishing
Most phishing attacks are sent by email. The criminal registers a fake domain that mimics a genuine organization and sends out thousands of generic requests.
The fake domain often involves character substitution, such as placing ‘r’ and ‘n’ next to each other so that ‘rn’ passes for ‘m’ at a glance (‘arnazon.com’ for ‘amazon.com’), or using a digit ‘1’ for a lowercase ‘l’.
Alternatively, they might use the organization’s name in the local part of the email address (such as amazon@fakedomain.com) in the hopes that the sender’s name will simply appear as ‘amazon’ in the recipient’s inbox.
There are many ways to spot a phishing email, but as a general rule, you should always check the email address of a message that asks you to click a link or download an attachment.
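One way to turn that rule into an automated check, written here as an added example rather than code from the original article: the function below takes the value of a From: header and tests the sender against the tricks this section describes (confusable characters such as ‘rn’ for ‘m’, a Cyrillic letter standing in for a Latin one, a brand name in the local part or display name, or a trusted domain buried inside a longer attacker-controlled one). The trusted-domain list, the sample headers and the finding codes are constructed for the illustration and are not taken from any real message.

```python
"""Flag From: headers whose sender imitates a trusted brand (added example)."""
from email.utils import getaddresses

# Constructed list of domains the organization actually trusts (assumption).
TRUSTED_DOMAINS = {"amazon.com", "examplebank.com"}

# ASCII sequences attackers substitute because they render like another letter.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("1", "l"), ("0", "o")]

# Cyrillic а е о р с х у (U+0430 U+0435 U+043E U+0440 U+0441 U+0445 U+0443)
# look identical to Latin a e o p c x y in most fonts.
HOMOGLYPHS = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0443", "aeopcxy")


def skeleton(domain):
    """Collapse a domain to what a human *sees*, so 'arnazon.com' or a
    Cyrillic 'аmazon.com' compares equal to 'amazon.com'."""
    s = domain.lower().rstrip(".")
    try:
        # Punycode (xn--) labels are displayed to the user in Unicode form.
        s = s.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already non-ASCII, or not valid IDNA: compare as given
    s = s.translate(HOMOGLYPHS)
    for lookalike, real in CONFUSABLES:
        s = s.replace(lookalike, real)
    return s


def check_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return a list of (code, detail) findings for a raw From: header value.
    An empty list means the domain is trusted (or a subdomain of one)."""
    addrs = getaddresses([from_header])
    # A header that parses to two addresses (e.g. "a@trusted.com <b@evil.net>")
    # is rejected outright: older parsers return whichever address comes first,
    # and trusting that would let the attacker pick the domain we check.
    if len(addrs) != 1 or "@" not in addrs[0][1]:
        return [("malformed_or_multiple_addresses", from_header)]
    display_name, address = addrs[0]
    local, domain = address.rsplit("@", 1)
    domain = domain.lower().rstrip(".")

    if any(domain == good or domain.endswith("." + good) for good in trusted):
        return []

    findings = []
    for good in trusted:
        # 1. Whole domain differs from a trusted one only by confusable characters.
        if skeleton(domain) == skeleton(good):
            findings.append(("lookalike_domain", f"{domain} imitates {good}"))
        # 2. Trusted name used as a leading label: amazon.com.account-check.net
        if ("." + good + ".") in ("." + domain):
            findings.append(("trusted_name_inside_domain", f"{domain} is not {good}"))

    # 3. Brand name in the local part or display name of an untrusted domain
    #    (amazon@fakedomain.com, or "Amazon <alerts@fakedomain.com>").
    for brand in {good.split(".")[0] for good in trusted}:
        if brand in local.lower():
            findings.append(("brand_in_local_part", f"{local}@{domain}"))
        if brand in display_name.lower():
            findings.append(("brand_in_display_name", f"{display_name!r} at {domain}"))
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real message.
    for header in [
        "Amazon <no-reply@amazon.com>",
        "Amazon <ship-confirm@mail.amazon.com>",
        "Amazon <alerts@arnazon.com>",
        "Amazon Security <amazon@fakedomain.com>",
        "Amazon <alerts@amazon.com.account-check.net>",
        "security@amazon.com <attacker@fakedomain.com>",
    ]:
        print(f"{header:48} -> {check_sender(header) or 'OK'}")
```

The last sample header is the important caveat: it carries a trusted-looking address in the display-name position and the real sender in angle brackets. Depending on the Python version, `email.utils` either returns the first address it finds or reports the field as invalid, so the check treats any header that does not parse to exactly one address as a finding rather than trusting whichever half the parser picked. Checks like these are a display-side aid to the rule above; they complement, and do not replace, authentication of the sending domain.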
2. Spear Phishing
There are two other, more sophisticated, types of phishing involving email. The first, spear phishing, describes malicious emails sent to a specific person. Criminals who do this will already have some or all of the following information about the victim:
Their name;
Place of employment;
Job title;
Email address; and
Specific information about their job role.
They usually gather this information from public sources such as your organization's website, learn who is who, and pick their targets accordingly.
3. Whaling
Whaling attacks are even more targeted, taking aim at senior executives. Although the end goal of whaling is the same as any other kind of phishing attack, the technique tends to be a lot subtler.
Tricks such as fake links and malicious URLs are less useful here; instead the criminal imitates a senior member of staff and relies on a plausible-sounding business request that the recipient is inclined to act on without question.
Scams involving bogus tax returns are an increasingly common variety of whaling. Tax forms are highly valued by criminals as they contain a host of useful information: names, addresses, Social Security numbers, and bank account information.
4. Smishing and Vishing
With both smishing and vishing, telephones replace emails as the method of communication. Smishing involves criminals sending text messages (the content of which is much the same as with email phishing), and vishing involves a telephone conversation.
Smishing Definition: Smishing (SMS phishing) is a type of phishing attack conducted using SMS (Short Message Service) on cell phones.
A typical smishing text message might say something along the lines of, “Your ABC Bank account has been suspended. To unlock your account, tap here: https://bit.ly/2LPLdaU”, and the link provided downloads malware onto your phone or leads to a page that harvests your login details. The shortened link also hides the real destination until you tap it. Scammers are adept at adjusting to the medium they’re using, so you might instead get a text message that says, “Is this really a pic of you? https://bit.ly/2LPLdaU”, and if you tap that link to find out, once again you’re downloading malware.
Vishing Definition: Vishing (voice phishing) is a type of phishing attack conducted over the telephone. Attackers frequently place the calls through Voice over IP (VoIP) services, which makes them cheap to run at scale and makes the caller ID easy to forge.
It’s easy for scammers to fake caller ID, so they can appear to be calling from a local area code or even from an organization you know. If you don’t pick up, then they’ll leave a voicemail message asking you to call back. Sometimes these kinds of scams will employ an answering service or even a call center that’s unaware of the crime being perpetrated.
A common vishing scam involves a criminal posing as a fraud investigator (either from the card company or the bank) telling the victim that their account has been breached.
The criminal will then ask the victim to provide payment card details to verify their identity or to transfer money into a ‘secure’ account – by which they mean the criminal’s account.
5. Angler Phishing
Angler phishing takes its name from criminals who pose as a company’s customer-service account on social media and “hook” users who have posted complaints or questions in public. More broadly, social media, a relatively new attack vector, offers a number of ways for criminals to trick people. Fake URLs; cloned websites, posts, and tweets; and instant messaging (which is essentially the same as smishing) can all be used to persuade people to divulge sensitive information or download malware.
Alternatively, criminals can use the data that people willingly post on social media to create highly targeted attacks.
In 2016, thousands of Facebook users received messages telling them they’d been mentioned in a post. The message had been initiated by criminals and unleashed a two-stage attack. The first stage downloaded a Trojan containing a malicious Chrome browser extension onto the user’s computer.
When the user next logged in to Facebook using the compromised browser, the criminal was able to hijack the user’s account: change privacy settings, steal data, and spread the infection to the victim’s Facebook friends.
How to Prevent Cyber Criminals From Getting Your Info?
Education and knowing what to look for is half the battle. Remain on guard, and slow down to think and examine everything before you open that e-mail, click on that link, or respond to that text.
As phishing continues to evolve and find new attack vectors, we must be vigilant and continually update our strategies to combat it.