Phishing is the process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity (source: KnowBe4.com). This is most commonly done through email and spear phishing attacks, but cyber criminals are getting more advanced, and these tactics are starting to be used through text messages, phone calls and even on social media platforms. According to a recent study, 81% of organizations around the world are experiencing an increase in email phishing attacks since March 2020, and employees play a significant role in a successful phishing attack. Cyber criminals target employees within the organization and attempt to get them to click on links and/or send sensitive information. The most effective way to avoid these types of phishing attacks is to be aware of what they look like and understand how to identify them.
1. Email Phishing
The most common form of phishing is email phishing, which is when a cybercriminal will send out general, mass emails to employees of an organization. These emails aim to provoke a sense of fear or urgency to get the recipient to either click on a link or download a file. The links included usually link to a malicious website that can install malware on your computer or steal credentials.
How to Identify Email Phishing Attempts:
- Look out for misspellings throughout the message or in the sender's domain.
- The sender's email address uses the wrong domain.
- The brand name appears before the @ instead of in the domain (example: Bestbuy@gmail.com instead of customerservice@bestbuy.com).
- There is a strange or unexpected attachment.
- There is a sense of urgency or fear throughout.
Tip: When in doubt, reach out to the IT department with your concerns.
2. Spear Phishing
Spear phishing is a type of email phishing as well; however, it is more targeted and less generalized than standard email phishing. Spear phishing targets a specific person within the company, usually a high-value individual, through email. They will search for public information about this person and use it within the email, including things like their name, job title and telephone number. This type tends to be more successful and therefore more dangerous because the message is very carefully crafted by the attacker.
How to Identify Spear Phishing:
- Check the name vs. the email address and ensure they are the same.
- Look out for email formatting differences.
- Look out for abnormal requests, usually involving money or personal information.
Tip: When in doubt, call the person if you know them and ask about legitimacy.
3. Whaling
Whaling is another type of email phishing attack that focuses on the CEO or another executive leader in an organization. This is when a cybercriminal finds the name of a CEO and uses a similar email address to impersonate this person. The attacker usually reaches out to the employees of that company, asking them for information or money, or including a malicious link.
How to Identify Whaling Attempts:
- Check the email in comparison to the real CEO email (even if it looks the same or similar).
- Look out for abnormal requests, usually involving money or personal information.
- Look out for email formatting differences.
Tip: When in doubt, reach out to the CEO directly to confirm they are trying to reach you.
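The warning signs listed for email phishing, spear phishing and whaling above (brand name before the @, wrong or look-alike sender domain, display name that does not match the address, unexpected attachments, urgency and requests for money or credentials) can be turned into a simple triage script that a help desk or mail gateway could run over a reported message. The following is an added example, not code from the original article or from CompuData: the trusted domains, the free-mail list, the "directory" of known colleagues, the phrase lists and the three sample messages are all constructed for illustration.

```python
"""Heuristic triage of a reported email against common phishing warning signs.

Added example; every domain, name, phrase list and sample message below is
constructed for illustration and should be replaced with your own data.
"""
import re
from email.utils import parseaddr

# Constructed data: domains your organisation and trusted brands really use.
TRUSTED_DOMAINS = ("bestbuy.com", "example-corp.com")
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Hypothetical directory of people attackers like to impersonate (whaling).
DIRECTORY = {"jane doe": "jane.doe@example-corp.com"}
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "suspended", "final notice")
SENSITIVE_PHRASES = ("password", "gift card", "wire transfer", "bank details", "social security")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".zip", ".iso", ".html", ".lnk")


def levenshtein(a, b):
    """Edit distance; catches domains that are one or two typos away from a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_token(domain):
    """'example-corp.com' -> 'examplecorp', the form used to match display names."""
    return re.sub(r"[^a-z0-9]", "", domain.split(".")[0].lower())


def triage(msg):
    """Return finding codes for a message dict with 'from', 'subject', 'body', 'attachments'."""
    findings = []
    display_name, address = parseaddr(msg["from"])
    domain = address.rsplit("@", 1)[-1].lower()
    name_norm = re.sub(r"[^a-z0-9]", "", display_name.lower())

    for trusted in TRUSTED_DOMAINS:
        # Display name claims a trusted brand but the address lives elsewhere
        # (the Bestbuy@gmail.com pattern).
        if brand_token(trusted) in name_norm and domain != trusted:
            findings.append(f"BRAND_DOMAIN_MISMATCH:{trusted}")
        # A domain one or two edits away from a trusted one is a look-alike.
        if domain != trusted and levenshtein(domain, trusted) <= 2:
            findings.append(f"LOOKALIKE_DOMAIN:{trusted}")

    if domain in FREE_MAIL_DOMAINS:
        findings.append("FREE_MAIL_SENDER")

    # Display name matches a known person but the address is not theirs.
    known = DIRECTORY.get(display_name.strip().lower())
    if known and address.lower() != known:
        findings.append("KNOWN_NAME_ADDRESS_MISMATCH")

    for filename in msg.get("attachments", []):
        if filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"RISKY_ATTACHMENT:{filename}")

    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("URGENCY_LANGUAGE")
    if any(p in text for p in SENSITIVE_PHRASES):
        findings.append("SENSITIVE_REQUEST")
    return findings


# Constructed sample messages: a mass phish, a whaling attempt and a clean email.
SAMPLES = {
    "mass_phish": {
        "from": "Best Buy Customer Service <Bestbuy@gmail.com>",
        "subject": "Your order is on hold - act immediately",
        "body": "Confirm your password within 24 hours or the order is cancelled.",
        "attachments": ["invoice.zip"],
    },
    "whaling": {
        "from": "Jane Doe <jane.doe@examp1e-corp.com>",
        "subject": "Quick favour",
        "body": "Are you at your desk? I need gift card codes for a client today.",
        "attachments": [],
    },
    "legit": {
        "from": "Jane Doe <jane.doe@example-corp.com>",
        "subject": "Q3 slides",
        "body": "Attached is the deck for Thursday's review.",
        "attachments": ["q3-review.pdf"],
    },
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, triage(sample) or ["no findings"])
```

The script only raises flags; it does not decide. A message with several findings is worth a call to the IT department, while a single `URGENCY_LANGUAGE` hit on its own is common in legitimate mail, so the codes are meant to support the human checks above rather than replace them.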
4. Vishing and Smishing
Vishing and smishing are types of phishing attacks that take the form of calling and texting. Vishing happens when a cybercriminal calls someone on the phone in an attempt to get personal information out of the victim or to have money sent to them. Usually, these calls have a heightened sense of urgency and are very common around tax season, when the cyber criminals pose as IRS workers. Smishing is similar, but instead of calling, it involves text messages sent to the victim's phone. The texts usually include a malicious link and attempt to get the victim to click it. These are not as common as email phishing but still pose a very real cyber threat.
How to Identify Vishing and Smishing Attempts:
- Examine the caller's phone number; common signs of phishing are calls from an unusual location or from a blocked number.
- Look out for abnormal requests, usually involving money or personal information.
- Watch out for strange links in text messages from unknown numbers.
5. Angler Phishing
Angler phishing is one of the newest forms of phishing out there today, and it uses social media platforms to try and scam users. Usually this consists of cyber criminals creating a fake social media account posing as a well-known brand's customer service account. Typically, the account they make will be named something along the lines of {Brand Name} Customer Support Team, and they hope the victim does not realize it is a fake account. They then message users posing as the brand, offering them friendly support, and usually send a malicious link posing as a brand link. Since this is so new, it can be dangerous because many people do not know about this threat.
How to Identify Angler Phishing Attempts:
- Examine the account name and contents; a fake account usually will not have many followers or be verified.
- Be wary of "brand" links on the social media page; these can be faked.
Tips:
- When in doubt, do not take customer service help from a social media account and instead head to the official brand website.
- Do not click links on social media pages unless the page is verified as the brand.
Phishing threats come in all forms, and many are still new and evolving. Human error is one of the biggest risks to any organization and education is the best tool to combat that. End User Security Training plays a vital role in protecting your organization against phishing attacks. Your employees are your front line of defense, so they should be routinely educated on the different types of phishing attacks and best practices to identify these threats and respond appropriately.
CompuData Managed IT Services combine best-in-class IT and help desk support with cloud support, management, implementation, and security services. We are one provider for managed IT, cloud, and security so you will never outgrow our services. CompuData offers IT Security Solutions that extend beyond traditional data protection. We offer a comprehensive solution and train your team to help protect you against cyberthreats. We take a proactive approach that offers flexibility and scalability to strategically protect your organization.