Phishing attacks are growing in number and it presents a major challenge for businesses. The many different forms that these attacks come in just exacerbates the problem. Today, we will take a brief look at phishing to help you educate your staff on what they entail and how to mitigate the massive risk that comes with them.
Phishing Attacks
A phishing attack comes in as communication from a trustworthy source as to fool the recipient to interact with it. This could be in the form of an email, a text message, a phone call, or really any other form of direct communication. The goal is to manipulate the recipient into providing access credentials to network-attached resources so they can steal data or deploy malware.
Since phishing can come in several different forms, it is an effective way to breach your network defenses because the scammers are given access, they don’t have to try and outright breach your network defenses, which in many cases are extremely hard to hack into. Let’s take a look at some of the ways these scams are disseminated.
Business Email Compromise
In a business email compromise scam, the scammer will send an employee an email that, at first glance, comes from an authority figure inside of the business. The messages will be quite vague, but direct the recipient into taking some type of action that will allow the hacker to gain access to resources. Many employees will not think twice when their manager tells them to complete a task, so phishing attacks of this type are successful because people don’t take the time to ascertain that the message isn’t actually from anyone.
Hackers use this method because they work. In Q2 of 2020, successful business email compromise scams averaged $80,193.
Clone Phishing
One of the most successful phishing scams is using a clone of a message a recipient would have seen before. By gaining access to data beforehand, the hacker can customize a message that looks like one they have received previously. Typically, this type of familiarity removes any suspicion that the message is actually from a scammer. The links are altered to reroute to a site where scammers collect more information. Pretty crafty way to steal credentials.
Smishing
Email may be the predominant way that phishing is pushed to people, but it isn’t the only way. Smishing attacks are carried out through text messaging. Most people are much less careful about opening and interacting with text messages than they are with their email, and as a result scammers have started pushing phishing messages that look like legitimate messages through SMS. If you also consider that mobile devices often don’t uphold the same security standards that PCs do, users are more vulnerable through an SMS attack.
Spear Phishing
The spear phishing attack is probably the most dangerous of the phishing scams. First of all it is deliberately designed for a single user. The hacker, in this case, has already done their due diligence and chose their target based on information they already have about the target. Since these attacks take more time to properly execute, spear phishing is typically carried out against high-value targets. The success rate of these attacks are significantly higher than your average, run-of-the-mill phishing attack
Vishing
Another take on phishing, vishing is just phishing over the phone. A scammer will call a target under the guise of a salesperson or finance professional, and because of their perceived legitimacy, the scammer can typically extract information that will help them gain access to computing resources, or at the very least the target's personal or financial information.
Whaling
Whaling is a phishing attack, typically a spear phishing attack, aimed at business owners, decision makers, and executives at businesses. These attacks, because they are aimed at people who have access to everything, often are well planned; and, if successful often result in the biggest bounty for the perpetrator.
Phishing is a Serious Threat
You need to have a strategy in place to combat phishing as it is not going anywhere, anytime soon. If you would like to talk to one of our consultants about developing a plan to train your people about phishing attacks and what to do if they come across one, give us a call at (215) 853-2266 today.