Phishing is one of the most common ways for scammers to steal information. Through deception or social engineering, fraudsters try to trick people into handing over confidential or personal information, which they then use for malicious purposes. And it is easy to do: with some basic information like your full name and address, scammers can set you up for identity theft, and with a username and the answers to your security questions, they may even be able to get into your online banking accounts.
In 2020, phishing attacks continue to play a dominant role in the digital threat landscape. According to the Data Breach Investigations Report, phishing is the second most common threat action variety in security incidents and the most common threat action variety in data breaches.
Digital fraudsters show no sign of slowing down their activity in 2020, and they pose a considerable threat to all organizations. It is therefore vital that organizations know how to recognize the most popular phishing scams if they are to protect their valuable corporate data.
1. Deceptive phishing
Deceptive phishing is by far the most common type of phishing scam. Typically, fraudsters impersonate a legitimate organization in an attempt to steal people's login credentials or personal data. They use emails with a sense of urgency to scare users into doing what the fraudsters want.
Techniques used in deceptive phishing
- Legitimate links: Most attackers try to evade email filters by mixing legitimate links into their deceptive phishing emails alongside the malicious ones.
- Blend malicious and benign code: Those responsible for creating phishing landing pages usually blend malicious and benign code together to fool EOP (Exchange Online Protection).
- Modify brand logos: Some email filters can spot when malicious actors copy organizations' logos into their phishing landing pages or attack emails, which is why attackers modify the logos.
2. Spear phishing
Contrary to a common belief among the inexperienced, not all phishing scams use the "spray and pray" technique. Many fraudsters rely instead on a personal touch, because they would not be successful otherwise.
In this ploy, cybercriminals customize their attack emails with the target's name, company, position, work phone number and other details in an attempt to trick the recipient into believing that they have a connection with the sender. The browser you use also plays a role in your security. UC Browser, for instance, has been through a rough patch in the industry, especially when it comes to data breaches, with multiple reports of information leaks and similar security concerns.
As a user, this may well have shaken your confidence in the browser. But you will be glad to find out that there is a way to use your favourite browser without running into the dangers of data breaches: using a VPN with UC Browser. Given the amount of information needed to build a convincing attack, it is no surprise that spear phishing is commonplace on browsers like UC and on social media platforms like LinkedIn, where attackers can draw on a wide range of data sources to craft a targeted attack email.
To protect against this type of scam, companies should run ongoing employee security awareness training that, among other things, discourages staff from publishing corporate or sensitive personal information on social media. Organizations should also invest in solutions that analyse inbound emails for known malicious links and attachments.
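The inbound-email analysis described above, as an added example that is not part of the original article: it parses one constructed sample message with Python's standard library and flags the indicators the previous sections describe, namely anchor text that names one domain while the link points at another, links whose domain is on a blocklist, and attachments with executable or macro-enabled extensions. The blocklist, the risky-extension list, the scoring weights and the sample message are all assumptions for the demo; a real deployment would feed the blocklist from threat intelligence and use a public suffix list instead of the crude domain helper.

```python
"""Inbound-email triage for deceptive and spear-phishing indicators.

Added example (not from the original article). Blocklist, extension list,
weights and the sample message are constructed for the demo.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist; a real deployment would feed this from threat intel.
BLOCKLIST = {"example-login-update.test", "secure-verify.invalid"}
# Assumed list of attachment extensions worth holding for review.
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".docm", ".xlsm", ".scr", ".hta")


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); use a public suffix list in production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse_message(raw: str) -> dict:
    """Return the phishing indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {"mismatched_links": [], "blocklisted_links": [], "risky_attachments": []}

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_domain = registrable_domain(urlparse(href).hostname or "")
            if href_domain in BLOCKLIST:
                findings["blocklisted_links"].append(href)
            # Anchor text that looks like a host name but the link goes elsewhere.
            text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if "." in text_host and registrable_domain(text_host) != href_domain:
                findings["mismatched_links"].append((text, href))

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings["risky_attachments"].append(name)
    return findings


def risk_score(findings: dict) -> int:
    """Weighted score; the weights are an assumption for the demo."""
    return (3 * len(findings["blocklisted_links"])
            + 2 * len(findings["mismatched_links"])
            + 2 * len(findings["risky_attachments"]))


# Constructed sample: urgent lure, one link that lies about its destination,
# one legitimate link, and a macro-enabled attachment.
SAMPLE = """\
From: "Bank Support" <support@bank.example>
To: jane.doe@corp.example
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended. Verify now:
<a href="https://login.example-login-update.test/verify">www.bank.example</a></p>
<p>Need help? <a href="https://www.bank.example/help">Help</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="Invoice_Q3.docm"
Content-Disposition: attachment; filename="Invoice_Q3.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

if __name__ == "__main__":
    result = analyse_message(SAMPLE)
    print(result, "score:", risk_score(result))
```

The mismatch check is the one that catches the "legitimate links" trick from the first section: the benign help link passes, while the link whose anchor text reads www.bank.example but resolves to a blocklisted host is flagged twice, once for the mismatch and once for the blocklist hit.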
3. CEO fraud or “whaling” attacks
Spear phishers will target anyone in an organization, including the CEO. In whaling scams, however, fraudsters specifically go after an executive in order to steal their login information.
If the attack succeeds, cybercriminals can go on to conduct CEO fraud. This happens when attackers abuse the compromised account of a CEO or other high-ranking executive to authorize fraudulent wire transfers to a financial institution of their choice. What's more, attackers can use the same account to conduct W-2 phishing, requesting W-2 data for all employees so that they can sell that data on the dark web or file fake tax returns on the employees' behalf.
Techniques used in whaling
These attacks use the same methods as spear-phishing campaigns. Here are the most common tactics that attackers use:
- Infiltrate the network: A compromised CEO account is more effective than a spoofed email address. Attackers therefore often rely on rootkits and other malware to infiltrate their target's network.
- Follow up with a phone call: Attackers frequently follow a whaling email with a phone call confirming the email's request. This tactic helps to relieve the target's concerns that something is suspicious.
- Why do whaling attacks work? Whaling attacks often succeed because CEOs do not take part in the security protocols and training that their employees follow. To counter the threats of W-2 phishing and CEO fraud, companies should require that all employees, executives included, take part in security awareness training on an ongoing basis.
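The technical control that complements the training advice above, as an added example that is not part of the original article: a check run on an inbound message that looks for the signs of executive impersonation described in this section, namely a From display name matching an executive while the address is not theirs, a sender domain one character away from the corporate domain, a Reply-To that diverts replies to another domain, and payment or urgency wording such as a wire transfer or W-2 request. The executive directory, corporate domain, keyword list and both sample messages are constructed assumptions for the demo.

```python
"""Executive-impersonation check for whaling and CEO-fraud email.

Added example, not part of the original article. Directory, domain,
keyword list and sample messages are constructed for the demo.
"""
import email
from email import policy
from email.utils import parseaddr

CORPORATE_DOMAIN = "corp.example"                    # assumed
EXECUTIVES = {"jane doe": "jane.doe@corp.example"}   # constructed directory
PAYMENT_KEYWORDS = ("wire transfer", "w-2", "urgent", "gift card")  # assumed
IMPERSONATION_FLAGS = ("display_name_impersonation", "lookalike_domain", "reply_to_diversion")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _normalise(name: str) -> str:
    """Lower-case and collapse whitespace so 'Doe, Jane' style variants still match."""
    return " ".join(name.lower().replace(",", " ").split())


def check_whaling(raw: str) -> dict:
    """Return the impersonation flags for one message and a triage verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg["From"] or "")
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    flags = []

    exec_addr = EXECUTIVES.get(_normalise(name))
    if exec_addr and addr != exec_addr:
        flags.append("display_name_impersonation")
    if domain and domain != CORPORATE_DOMAIN and edit_distance(domain, CORPORATE_DOMAIN) <= 1:
        flags.append("lookalike_domain")
    _, reply_to = parseaddr(msg["Reply-To"] or "")
    if reply_to and reply_to.lower().rsplit("@", 1)[-1] != domain:
        flags.append("reply_to_diversion")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = ((msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    if any(kw in text for kw in PAYMENT_KEYWORDS):
        flags.append("payment_keywords")

    if any(f in flags for f in IMPERSONATION_FLAGS) and "payment_keywords" in flags:
        verdict = "hold_for_review"
    elif flags:
        verdict = "warn"
    else:
        verdict = "allow"
    return {"flags": flags, "verdict": verdict}


# Constructed sample of a CEO-fraud attempt: executive's name, lookalike
# domain (digit zero for the letter o), diverted replies and a payment request.
SUSPICIOUS = """\
From: "Jane Doe" <jane.doe@c0rp.example>
To: finance@corp.example
Reply-To: <ceo-office@mail.invalid>
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

Please process a wire transfer today. I am in meetings all afternoon.
"""

# Constructed benign message from the real executive address.
BENIGN = """\
From: "Jane Doe" <jane.doe@corp.example>
To: finance@corp.example
Subject: Team lunch on Friday
Content-Type: text/plain; charset="utf-8"

Please book the usual place for twelve people.
"""

if __name__ == "__main__":
    print(check_whaling(SUSPICIOUS))
    print(check_whaling(BENIGN))
```

Holding a message for review rather than blocking it outright is deliberate: legitimate executives do send urgent payment requests, so the verdict combines an impersonation signal with the payment wording instead of acting on either alone.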
Story by William Busby