When the term “phishing” comes up in conversation, you’re probably not thinking of breaking out the tackle box on a lazy weekend morning. You’re thinking of how one wrong click could put you and your company at risk. Just as there are plenty of fish in the sea, there are multiple types of phishing attacks out there.
According to Webroot Security, 1.5 million new phishing sites are being built each month in 2019, and 76% of businesses reported being the victim of a phishing attack in 2018.
To reach the level of cybersecurity a business needs, your workforce’s knowledge of how to avoid being caught on the hook of a phishing attack is crucial. To be truly prepared, it’s best to be familiar with the many kinds of phishing attacks out there waiting to catch a user off guard.
Where did the term “phishing” come from?
The term “phishing” originated with AOL scams in the 1990s, mainly through newsgroups such as a Usenet group called “AOHell.” Attackers used the popular service to send spoofed emails intended to steal user passwords, and manipulated AOL’s algorithms to create random credit card numbers and fake accounts to spam other users.
(Official animation from the FTC's website)
It did not stop at email, though: the attacks then made their way to AOL Instant Messenger, with messages posing as AOL employees to scare other users. America Online put a stop to the attacks in 1995 when it added stronger security measures to block randomly generated credit card numbers.
There are many different scales of a phish, so to speak. Here are some of the most well-known (and dangerous) forms of phishing:
- Deceptive Phishing: The most familiar type of phishing, this uses an email disguised as coming from a legitimate source such as a bank or a vendor in order to trick the victim into providing login credentials, banking information, personal details, etc. Many of these attacks involve a suspicious link that prompts you to enter your credentials on a bogus website, or prompt you to download a malicious attachment such as a .doc or .zip file that installs malware on your computer. In an instant, your whole network could be compromised.
- Spear-Phishing: A more dangerous phishing method, spear-phishing is a direct attack on an individual instead of a wider group. Attackers research the target’s background and craft the phish specifically for the victim, making it look more authentic. These attacks are also prevalent on social media sites such as Facebook, and in many cases are the first step an attacker takes to gain access to confidential company information. What makes them even more dangerous is that the messages may reference conferences you’ve attended, vendors you’ve partnered with, topics you’ve shown interest in, or other personal details in order to fake familiarity.
- Whaling: Going straight after the prime target, whaling is a phishing attack directed at the higher levels of power in an organization, such as a CEO. It requires even more research by the attacker in order to fool the victim, and relies on deeper social engineering to gain greater access than an entry-level employee would have. Whaling uses tactics such as fake customer complaints, legal matters, or even posing as one of the organization’s own executives to get the information the attacker seeks.
- Pharming: An advanced form of web browser hijacking, this type of phishing attack is especially dangerous because you don’t even have to click a link or open a file to get hooked. Pharming begins with an infected email that installs code to alter DNS server files and redirect website traffic to fake websites that swipe your personal information without your knowing.
- Clone Phishing: Clone phishing, or “cloning,” involves a bogus email message that is a near-replica of a legitimate email previously sent by a trusted sender. The message may include wording such as “re-sending,” “in case you missed it,” or “updated” to trick the reader into thinking it is safe because it was “previously sent.” It may also contain a malicious link or bogus attachment in place of the real one.
- Vishing: Also known as voice phishing, a vishing attack involves a person receiving a call that contains a voice message disguised as a message from a trusted source, like a bank. The message then prompts the recipient to enter account information, such as PINs or bank account numbers, to “verify their account.” Tech support scams are a common example of vishing.
- BEC Scams: Business email compromise (BEC) scams are phishing attacks aimed directly at a senior executive or financial controller of a company. The attack is sent under the guise of a financial officer or CEO and attempts to trick victims into initiating money transfers to unauthorized accounts. The message typically carries a heightened sense of urgency to increase the chance that the finance department will not verify the sender. The Internet Crime Complaint Center states that between December 2017 and May 2018, BEC campaigns caused more than $12.5 billion in losses around the world, $2.9 billion of which came from the US alone. **
Always double-check the sender, and look for grammar problems, when you see emails like this from “legitimate sources.”
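Double-checking the sender can be turned into a mechanical screen. The following added example (not code from the original post or from neoRhino) reads an email's headers and flags the signs described above: a display name that borrows a trusted brand while the address domain differs, a lookalike domain, a Reply-To that diverts replies elsewhere, and the “re-sending” / “updated” wording typical of clone phishing. The trusted domain list and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical: domains this organization treats as trusted senders.
TRUSTED_DOMAINS = {"example-bank.com"}
# Subject wording the post lists as typical of clone phishing.
CLONE_PHRASES = ("re-sending", "resending", "in case you missed it", "updated")

def normalize(text: str) -> str:
    """Collapse common lookalike substitutions so examp1e-bank.com compares equal to example-bank.com."""
    t = text.lower()
    for old, new in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
                     ("5", "s"), ("-", ""), (".", ""), (" ", "")):
        t = t.replace(old, new)
    return t

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def sender_checks(raw_message: str) -> list[str]:
    """Return human-readable warnings about the sender of a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    subject = msg.get("Subject", "").lower()
    warnings = []
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", "")
        # Display name claims the brand, but the actual address is not on the trusted domain.
        if brand in normalize(display_name) and from_domain != trusted:
            warnings.append(f"display name '{display_name}' suggests {trusted} but address domain is {from_domain}")
        # Lookalike domain (homoglyph swap) or trusted domain embedded in a longer one.
        if from_domain != trusted and (normalize(from_domain) == normalize(trusted) or trusted in from_domain):
            warnings.append(f"sender domain {from_domain} looks like {trusted}")
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To goes to {reply_domain}, not the From domain {from_domain}")
    for phrase in CLONE_PHRASES:
        if phrase in subject:
            warnings.append(f"subject uses clone-phishing wording: '{phrase}'")
            break
    return warnings

# Constructed sample messages (not real mail).
SUSPICIOUS = ('From: "Example Bank Security" <alerts@examp1e-bank.com>\n'
              "Reply-To: verify@mail-recovery.example\n"
              "Subject: Re-sending: updated account verification\n\nPlease confirm your details.\n")
LEGITIMATE = ('From: "Example Bank Security" <alerts@example-bank.com>\n'
              "Subject: Your monthly statement is ready\n\nLog in to the portal to view it.\n")

if __name__ == "__main__":
    for warning in sender_checks(SUSPICIOUS):
        print("WARNING:", warning)
```

The suspicious sample trips all four checks, while the legitimate one produces no warnings; in practice this belongs in a mail gateway or a user-facing banner rather than as a replacement for human judgement.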
At neoRhino, we not only place value on our clients having proactive DEFENSE in place through our Security solutions, but also on helping to EDUCATE you on how to keep your business vigilant and safe from phishing attacks. You can relax knowing that our IT professionals are here to protect you. Call us at (281) 779-4850 for a FREE consultation and we can help your business today.
* 2018 APWG Phishing Activity Trends Report: https://docs.apwg.org/reports/apwg_trends_report_q1_2018.pdf