Take a look at any of the many surveys out there and you’ll quickly see that phishing attacks have gone through the roof since the start of the COVID pandemic. Even before the pandemic-related spike, the number of phishing URLs had been steadily skyrocketing, growing by an unprecedented 640% in 2019. But what is scarier than the rate of increase is the ease with which phishing attacks can be carried out. Hackers can easily create a website that looks exactly like your LinkedIn, Facebook, or online banking site within 30 minutes. That is the easiest part of credential harvesting, where information like usernames, passwords, answers to secret questions and account details are collected from the unsuspecting user. The hard part, or what should be the hard part, is getting the user to follow a link to the bogus site and enter the desired information. This is where the real trickery comes into play. But before we go any further, let’s make sure we understand the term “phishing”.
What Is Phishing?
Phishing is a type of social engineering where the attacker impersonates the identity of a trustworthy entity in an attempt to elicit an action from the user. The attacker may try to entice an employee via threat, appearance of urgency, promises of money or a huge discount. This is the bait. Attackers get extremely creative when thinking of ways to get you to click a link. They are also extremely creative when thinking of ways to deliver phishing attacks, employing email, text messages, social media posts, voice communications, ads, etc. Regardless of method, the goal is to get you to click links that download and install malicious code to steal valuable health or financial information, encrypt hard drives (ransomware), place “sleeper” applications on your network that execute at a later time when a user takes a certain action (logic bomb), collect credentials and valuable information for later use (credential harvesting), or place a rule on the user’s inbox so that the attacker gets a copy of all outbound emails.
Although phishing has been around for as long as email itself, it is still the most common type of cyberattack. A recent survey revealed that 96% of organizations rank email phishing scams, end user carelessness and social engineering as the top three threats to business security and operations.
Who Is At Risk?
If you use email, social media, texting, instant messaging, or voice communications, you are a potential phishing victim. Early attempts cast a wide net in a volume approach, gleaning whatever valuable information they could discover. This progressed to a targeted form of attack called spear phishing, where attempts are customized by name, occupation, title, and other specific information to give the appearance of valid communication from someone who has an existing relationship with your organization. Today’s attacks are even more targeted. Executives are often chosen because they are easily identifiable (their contact information is public), and they are more likely to possess or have access to the most sensitive data. This is called whaling (the BIG phish). Surprisingly, entry-level employees are still targeted at almost the same rate as C-level executives. This means that cyber-security awareness at a company-wide level is of the utmost importance. The first step in that awareness program involves recognizing the types and warning signs of a phishing attack.
Types of Phishing Attacks
We just discussed spear phishing and whaling in the previous section, but those are descriptions of targets in a phishing campaign. Let’s look at some of the tactics that the malicious actor will use when executing a phishing attack once the subject has been targeted.
SMS (Text) Phishing (Smishing) – targets mobile phones as the new vehicle of choice. Smart phone users are more trusting of a text, and more likely to carelessly follow links without thinking or checking first due to distraction. This creates serious vulnerabilities, since so much work-related information is now housed on mobile phones.
Voice Phishing (Vishing) – is just as described. Attackers call targets pretending to be debt collectors or authority figures (think IRS, FBI) to pressure you into divulging valuable information or submitting payment under threat of serious financial or criminal penalty. This is a widely used scam that disproportionately affects the elderly.
Baiting – offers something of interest, like a sale, free vacation, or recent social or political issue to entice the end user into clicking a link and downloading a malicious file. Once you have taken the bait, the infection may be made obvious through a popup or ransom note, or it may quietly siphon off sensitive information over time.
Spoofed Websites – trick users into entering sensitive information into a website they believe to be legitimate, or serve as the launch point for a ransomware attack. The site is made to look as much as possible like a familiar, legitimate one, in the hope that minor details will be missed by the end user. Hackers use template tools to create these sites in mere minutes.
Tech Support Scams – trick users with notifications of computer issues like viruses or slow performance and offer to fix them. The target then clicks the link and allows remote access or runs an executable that steals credit card numbers, Personal Health Information (PHI), user login information, or other valuable data.
Protecting Your Organization
In this digital game of Cops & Robbers, the cyber security needs of an organization are ever changing, because the tactics used by the hackers are ever advancing. But the pillars of defense against phishing attempts can be summed up as follows:
Email Security
Among the first lines of defense, email security stops the majority of malicious emails from even reaching the end user. Bad links and senders are immediately blocked and the user is notified of the defensive action taken.
Web Application Firewall
In a phishing scenario, this is the second line of defense. Bad URLs and domains are identified and access to or from them is blocked. Users are even protected from clicking links to known malicious sites.
Identity & Access Management
Your IAM solution is one of the most critical components of any cyber security solution. Protect against unauthorized access or possible privilege escalation with a well designed and enforced role-based user access policy.
You are the last line of defense when all technical measures fail. This is when knowing how to recognize a spoofed URL, spotting suspicious language in an email, or simply knowing to hover over a link before clicking becomes priceless.
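The "hover before you click" advice above comes down to comparing what a link says with where it actually goes and spotting a few classic warning signs in the real target. The following added example (written for this article, not code from the original page or from any vendor) encodes those checks as a small Python function that an awareness trainer or a mail-filter author could run over anchor text and href pairs. The brand-to-domain table and the sample links are constructed for illustration, and the registered-domain helper is deliberately naive (last two labels); production code would use the Public Suffix List.

```python
"""Flag the warning signs a user is told to look for when hovering over a link."""
import re
from urllib.parse import urlparse

# Constructed sample table (assumption for this example): brand keywords and the
# registered domain that legitimately owns them.
KNOWN_BRANDS = {
    "linkedin": "linkedin.com",
    "facebook": "facebook.com",
}


def registered_domain(host):
    """Naive registered domain: the last two DNS labels.

    Good enough for .com/.example hosts used here; real code should consult
    the Public Suffix List so that e.g. 'bank.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_link(display_text, href):
    """Return a list of warning-sign labels for an anchor's visible text vs. its real target.

    An empty list means none of the checks fired; it does NOT prove the link is safe.
    """
    warnings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    reg = registered_domain(host)

    # 1. Plain HTTP login pages are a red flag on their own.
    if parsed.scheme != "https":
        warnings.append("not-https")

    # 2. "https://trusted.com@attacker.example/" - everything before '@' is
    #    userinfo, so the browser actually connects to attacker.example.
    if parsed.username is not None:
        warnings.append("userinfo-before-host")

    # 3. Internationalized / punycode hosts can render as look-alike letters.
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        warnings.append("idn-or-punycode-host")

    # 4. A bare IP address instead of a name is rarely how a real service links.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        warnings.append("raw-ip-host")

    # 5. Brand name appears in the host, but the registered domain is not the
    #    brand's (e.g. linkedin.com.verify-account.example).
    for brand, legit in KNOWN_BRANDS.items():
        if brand in host and reg != legit:
            warnings.append(f"brand-{brand}-outside-its-domain")

    # 6. The visible text looks like a URL, but its domain differs from the href's.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", display_text.lower())
    if m and registered_domain(m.group(1)) != reg:
        warnings.append("display-text-domain-mismatch")

    return warnings


if __name__ == "__main__":
    # Constructed sample anchors of the kind seen in phishing emails.
    samples = [
        ("LinkedIn profile", "https://www.linkedin.com/in/someone"),
        ("https://www.facebook.com/security", "https://facebook-login.example/verify"),
        ("Review your account", "https://www.linkedin.com@login-evil.example/"),
        ("Update now", "http://192.168.0.1/login"),
    ]
    for text, url in samples:
        print(f"{text!r} -> {url}: {inspect_link(text, url) or 'no warning signs'}")
```

Running the script prints one line per sample; only the genuine LinkedIn link comes back clean. The checks are intentionally simple string and URL-structure tests, which is exactly what a person does when hovering: read the real destination, find the registered domain, and ask whether it belongs to the brand the message claims to be from.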
Need Help Securing Your Office?
In today’s distributed office environment, businesses are more susceptible to attacks now than ever, and attackers are more motivated than ever to exploit all the new vulnerabilities. Contact us and get the expert help you need closing the security gaps and increasing your productivity.