
Types of Phishing Attacks


Introduction

There are several types of phishing attacks: some target the masses, while others target the most senior staff in your organization. Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords, financial details, or trade secrets, by masquerading as a known entity in electronic communication.

Characteristically, phishing attacks are carried out by means of email spoofing, instant messaging, text messaging, and even voice phishing, or “vishing”; in each instance, the campaign directs users to enter personal data into a fraudulent website designed to match the look and feel of the legitimate site. Often, the fraudulent site is nearly indistinguishable from the authentic web page.

Phishing attacks are a prime example of social engineering methods used to con users. Users are lured by communications claiming to be from trustworthy parties including social media sites, banks, colleagues, executives, online payment processors, human resources or IT administrators.

The evolution of phishing attacks poses a major risk to all organizations, regardless of their size or industry. Every company should know how to spot the most typical phishing scams if it is to have any hope of protecting its corporate information. To build that awareness, we review seven of the most common types of phishing attacks below and provide some useful guidelines on how organizations can protect themselves against them.

Standard Phishing

Standard phishing is easily the most common type of phishing scam. In this type of ruse, attackers imitate a legitimate business in an effort to steal people’s personal data and login credentials. These emails often rely on manufactured pressure, creating a sense of urgency and panic to rush users into doing exactly what the attacker intends.

For example, attackers could send out an email instructing users to click on a link in order to correct a discrepancy with their account. In reality, the link redirects the user to a false login page that collects the victim’s login credentials and delivers them directly to the attacker.

Ultimately, the success of a phishing attempt hinges on how closely the attack email resembles a piece of official.

Spear Phishing

In the instance of spear phishing, attempts are directed at specific individuals or organizations. In contrast to standard phishing, spear phishing attackers often perform targeted reconnaissance and use gathered personal data about their target to increase their overall probability of success.

It is a particularly effective variant. Spear phishing may make use of email, social media, instant messaging, and other platforms to convince users to divulge personal information or perform actions that cause network compromise, data loss, or financial loss.

Whaling

More specialized still, the form of phishing known as whaling refers to spear phishing attacks that take aim specifically at senior executives and other high-profile targets. In these campaigns, the content is fashioned around an upper manager and that person’s role in the company. The content of a whaling email may be an executive issue such as a subpoena or customer complaint, though it need not be.

Similar to the previous two forms of phishing, whaling uses methods such as email and website spoofing to convince the high-profile target into performing specific actions, including revealing sensitive data or transferring money.

Clone Phishing

Clone phishing is a type of phishing attack in which a previously delivered, authentic email containing an attachment or link has its content and recipient address retrieved and used to create a virtually identical, or cloned, email. The attachment or link within the email is commonly replaced with a malicious version, and the message is then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version of it. Usually, this requires either the sender or the recipient to have been previously compromised for the attacker to obtain the legitimate email.

Voice Phishing (Vishing)

Not all phishing attacks rely on a fake website or malicious attachment. Voice messages may claim to be from a bank or other financial institution, urging users to dial a phone number concerning problems with their accounts. Commonly, once the phone number is dialed, automated prompts advise users to enter their account numbers and PIN. Vishing may also make use of a spoofed caller ID, giving the appearance that the call originates from a trusted source.

SMS Phishing

Finally, SMS phishing, or “smishing”, uses cell phone text messages to deliver the bait, with the purpose of persuading people to divulge their personal information. Smishing attacks characteristically ask the user to click a link, dial a phone number, or contact an email address provided by the malicious party through an SMS message. The victim is then invited to provide their private data, more often than not credentials to other websites or services. SMS phishing messages may come from telephone numbers in an unusual or unexpected format.

Anti-phishing Strategies

User Awareness Training

Often, if an individual knows what to look for, avoiding such attacks is easier than expected. For example, it is wise to review any suspicious email for typos in the sender’s domain or in the email body. If a user has any doubt, it is best practice to notify the help desk as soon as possible and avoid opening the email.

Phishing Controls

Use a spam filter: A specialized spam filter can reduce the number of phishing emails that actually land in user inboxes. These filters use a number of techniques, including machine learning, to classify phishing emails and reject any email with a forged sender address.
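The two checks described above, the typo-in-the-domain review from the awareness section and the forged-address rejection a filter performs, can both be made mechanical. The following is an added example, not code from Packetlabs or from any spam-filter product: it reads a raw message, takes the SPF/DKIM/DMARC results the receiving mail server recorded in the Authentication-Results header, compares the envelope (Return-Path) domain with the visible From domain, and flags From domains that are a character or two away from a trusted domain. The trusted-domain list, the message samples and the two-edit threshold are all constructed assumptions.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed list of domains this organization treats as trusted senders.
TRUSTED_DOMAINS = {"example.com", "payroll.example.com"}

# Single-character substitutions commonly used to imitate a domain.
_CHAR_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Collapse common look-alike tricks so 'exarnp1e.com' compares as 'example.com'."""
    d = domain.lower().strip(".")
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(_CHAR_MAP)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, kept inline so the example has no dependencies."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None when it is
    trusted itself or not within two edits of any trusted domain (assumed threshold)."""
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if levenshtein(norm, normalize(trusted)) <= 2:
            return trusted
    return None


def _domain(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def analyze(raw: bytes) -> dict:
    """Run the header checks over one raw RFC 5322 message and return the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = _domain(str(msg.get("From", "")))
    bounce_domain = _domain(str(msg.get("Return-Path", "")))
    auth = str(msg.get("Authentication-Results", "")).lower()
    # Pull "spf=..", "dkim=..", "dmarc=.." as stamped by the receiving MTA.
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", auth))

    findings = []
    if results.get("dmarc") == "fail":
        findings.append("DMARC failed for the From domain")
    elif results.get("spf") != "pass" and results.get("dkim") != "pass":
        findings.append("neither SPF nor DKIM passed")
    if bounce_domain and bounce_domain != from_domain:
        findings.append(f"Return-Path domain {bounce_domain} != From domain {from_domain}")
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"From domain {from_domain} looks like {target}")

    return {
        "from_domain": from_domain,
        "auth": results,
        "findings": findings,
        "verdict": "quarantine" if findings else "deliver",
    }


# Constructed sample messages; neither is real traffic.
LEGIT = (
    b"From: IT Support <helpdesk@example.com>\n"
    b"Return-Path: <helpdesk@example.com>\n"
    b"Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;"
    b" dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
    b"Subject: Scheduled maintenance\n\nMaintenance window is Saturday 02:00.\n"
)
PHISH = (
    b"From: IT Support <helpdesk@exarnp1e.com>\n"
    b"Return-Path: <bounce@mail-relay.test>\n"
    b"Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.test;"
    b" dkim=none; dmarc=fail header.from=exarnp1e.com\n"
    b"Subject: Urgent: verify your account\n\nClick the link to keep your mailbox active.\n"
)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("phish", PHISH)):
        print(label, analyze(raw))
```

The Authentication-Results values are only meaningful when they were added by your own border mail server, so a production filter should strip any such header that arrives from outside before trusting it.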

Browser Alerts: Another popular technological strategy involves maintaining a list of known phishing sites, otherwise known as a “black list”, and checking suspicious websites against it. Many popular browsers, including Google Chrome, Mozilla Firefox and Internet Explorer 7, have this feature built in.

Multifactor Authentication: Organizations can also implement two-factor or multi-factor authentication (2FA or MFA), which requires a user to present at least two factors when logging in. This approach mitigates some of the risk: in the event of a successful phishing attack, the stolen password on its own will not be enough to breach the system.

Simulation Training: At Packetlabs, our objective-based penetration testing services allow any organization to accurately test its true risk profile across people, processes and technologies. With custom-tailored phishing campaigns, our services give our clients a clear view of their organization’s security through the eyes of an attacker. The resulting data provides immense value, allowing the security team to precisely plan future remediation efforts, security investments and user awareness focus. If you would like to learn more about what Packetlabs can do to keep your organization safe, contact us today!