No matter how hard individuals and businesses try to protect themselves in cyberspace, the sad reality remains that they are constantly exposed to attacks. Even as we record advances in technical security measures, cybercriminals continue to find ways to compromise IT systems and execute their nefarious intentions. Phishing remains one of their favorite tactics, which is why businesses and individuals need to keep learning about phishing scams and how they can be prevented.
What is Phishing?
A good understanding of what phishing is will help you detect one in time and prevent the scam from taking place. Phishing, generally, refers to a type of social engineering attack in which cybercriminals trick victims into providing sensitive information or installing malware in their computer system. It is a fraudulent attempt to obtain such sensitive information as usernames, passwords, credit card details, and more. Phishing scammers operate by disguising as trustworthy entities, luring their victims to do the things they want them to do.
Phishing is usually carried out over email. A very well-disguised email will always do the trick, but the scam has expanded to other channels like social media, messaging services, and apps. Once the email is intended to extract sensitive personal information or has a malware link, the attack is regarded as phishing. It was introduced into popular culture in 2004 after a California teenager was charged for extracting credit card information with a fake American Online website.
The Proliferation of Phishing Kits
Over the years, phishing has expanded, even as technical security measures continue to expand. One of the reasons for the expansion of the crime is the proliferation of phishing kits. Cybercriminals have access to some kind of bundle that allows them to perpetrate phishing scams. Even those who have little technical knowledge can use the bundles to attack unsuspecting businesses and members of the public.
Some of the phishing kits available to cybercriminals comprise of website resources and tills that just need to be installed on servers to facilitate phishing scams. The criminal will just need to send out fraudulent emails and hope that victims click on them or provide the required information. Some of the kits also make it easier for cybercriminals to spoof trusted brands, which significantly increases the chances of the victims clicking on the fraudulent emails. Individuals and business owners are expected to be more vigilant when dealing with emails, messages, and notifications.
What Are The Basic Types Of Phishing Websites?
Cybercriminals normally have dedicated websites for their phishing activities. Understanding these different types of websites can help you identify a fraudulent email or message in time and prevent an attack. The major malicious websites used for phishing include:
1.Pharming/DNS cache poisoning
In pharming attacks, cybercriminals are able to redirect a website’s traffic to a malicious site that exploits vulnerabilities in the system that matches domain names with IP addresses. The malicious website impersonates the original site for the purpose of extracting personal information from unsuspecting users.
2. Typosquatting/URL hijacking
These are spoof websites URLs that look very similar to the original one they impersonate. The attackers subtly misspell the original website URL with the hope that users will not notice the difference and will land on their malicious site and do what they want them to do.
3. Clickjacking/UI redressing/iframe overlay
This involves the use of transparent layers to place malicious clickable content over legitimate buttons. When users click on the supposedly safe buttons, they unknowingly install malware on their computers.
4. Tabnabbing and reverse tabnabbing
This involves rewriting some unattended browser tabs with malicious sites. When users return to the tab, they hardly notice that something has changed and may proceed to provide sensitive information.
How Do Phishing Scams Work?
Most phishing scammers employ one of two basic methods to get the victim to do what they want. They may send malicious attachments with enticing names that will install malware on the victim’s computer or redirect the victim to malicious websites. The malicious websites will either download malware or contain credential harvesting script that will collect sensitive information from the unsuspecting victims.
Based on purposes of the attack, here are the two basic ways phishing scams work:
- Stealing of sensitive information
As mentioned earlier, many cybercriminals are interested in stealing sensitive information like login details and card information of victims. When they are able to trick the victim into providing username and password, the scam artist can easily breach a system or an account. In most instances, the scammers send out deceptive emails/messages that look as if it is coming from a major bank. When the messages are spammed to millions of users, the scammers expect that some of the recipient, especially the customers of the bank, will click on the message and redirected to a phishing website. They may eventually enter their usernames and passwords, giving the scammers access to their accounts. This is just a classic example of stealing sensitive information. There are other methods used by scammers, and they may target email accounts, credit card information, and others.
- Download of Malware
The purpose of some phishing schemes is to get victims to download and install malware on their computers. The scammers often send soft-targeted messages with attachments that appear genuine. When the victim clicks to download or open the attachments, they infect their computers with malware. The attachments are often .zip files or Microsoft Office documents with malicious embedded codes. Most of the codes are ransomware.
What Is Targeted Phishing Attack?
As hinted earlier, phishing emails or messages are often sent to many people at a time. Sometimes, scammers spam hundreds of thousands of individuals at a time, relying on the sheer weight of numbers for success. In some instances, however, phishing scammers target specific individuals or organizations. This is referred to as targeted phishing attacks or spear phishing, and are often perpetrated by smart and technically proficient scammers. It is important, therefore, that you know the different types and how they work.
Types of Targeted Phishing Scams
Like the regular phishing attacks, targeted phishing scams employ malicious links or attachments. However, the different types include:
- Clone Phishing
This is usually a copy of an email that has already been delivered. The scammer will clone the legitimate email and send it from a spoofed address that is very similar to that of the original sender. In the cloned email, the cybercriminal normally replaces the links and attachments with malicious ones that will either infect the victim’s computer with malware or redirect them to malicious websites with credential-harvesting scripts. This type of targeted scams is often successful because recipients recognize the content of the email and may need to click on the links or open the attachments.
- Whaling/CEO Fraud
This is a type of phishing scams that are targeted at high-profile individuals or who the scammers refer to as the big fishes. It is mostly perpetrated by full-time and technically-proficient scammers who can patiently track victims and know the perfect time to send the spear emails. In most CEO Frauds, the scammer target members of the finance team of organizations or board members who have great authority in the organization. Some of these individuals are particularly vulnerable since they may use personal email addresses for business-related correspondence. Some scammers may go as far as downloading keyloggers onto the executives’ computers and using them for more nefarious activities.
- Business Email Compromise (BEC)
This is a form of scam in which legitimate business email communications are hijacked by scammers. It is often accomplished by the use of social engineering tactics, making victims believe that they are still communicating with the right individuals. In many BEC scams, the fraudster may fool staff members to wire money to the wrong recipient account or disclosing business information that may lead to major scams and scandals. Most BEC scammers disguise as CEOs, CFOs, or other top-level individuals in the organization.
Phishing and Crisis Situations
There is something about cyber-attacks and crisis situations. The coronavirus pandemic (COVID-19) and the accompanying increase in cyber-attacks are not surprising at all. It is a known fact in the cybersecurity industry that attacks are heightened during crisis situations, and this is something everyone who needs to be security conscious must know.
It is sad that people will take advantage of a difficult situation to attack others. That is exactly what scammers do, anyway. They are mostly opportunists who rely on creating a sense of urgency and deception. These work perfectly in crisis situations when people are a little too desperate for solutions.
Scammers also know that people are always in need of information during crises and will normally attempt to take advantage of the situations to lure victims to taking their phishing baits. Scammers may send messages that appear to emanate from the government, relevant authorities, emergency management agencies, and even employers. Clicking on links/attachments in such messages or taking any of the required actions may initiate a phishing scam. To avoid compromising your account or infecting your computer with malware from a phishing scammer during a crisis, avoid impulsive clicks.
How Can You Identify Phishing Emails or Message?
Identifying phishing emails and messages is the most critical step towards preventing the scam. But how do you identify phishing emails and messages? We have a few tips that can help you:
- The message is sent from a public email domain.
Legitimate organizations do not send messages from a public email domain. You have to watch out for business emails that come from addresses that end in ‘@gmail.com’ ‘yahoo.com’ or other public domains. Such emails are most probably from scam artists. You should look out for email addresses and not just the sender. Pay special attention to what is found after the ‘@’ sign. Some scammers are very smart and can spoof emails to look very similar to what someone from a reputable organization will send. If the domain name of the organization is not found after the ‘@’ sign, it is a spoof email.
- The domain name is misspelled
Scammers intentionally misspell domain names when building clone websites. Victims invariably click on links that lead them to such websites when they don’t look closely. The burden is on the target to observe carefully to see if an email is coming from a domain that is misspelled in any way, as that is a clear indication that the website is spoofed.
- The email is poorly written with bad grammar and spelling.
While some scammers are smart, many are not communication experts. This is always obvious in the way they write their messages. If you see an email that is purportedly from a reputable company but has so many bad grammar and spelling, it is probably from a scammer. Further investigation will confirm your suspicion.
- There are suspicious attachments or links.
Phishing emails and messages have attachments or links that victims are urged to click on. Do not click on links and attachments impulsively. Instead, verify the authenticity of any message before clicking on a link or opening an attachment.
- There is a sense of urgency to the message.
Scammers often want their targets to take actions immediately as they know that wasting time may lead them to identify suspicious things about the email or message. If a message sounds a little too urgent, try to confirm that it is from the right source before clicking or taking any action.
What Are The Best Measures To Curtail Phishing Attacks?
At the beginning of this post, we mentioned that there had been advances in technical security measures. Knowing that you or your organization are still susceptible to cyber-attacks, there is a need to have the right measures in place to manage the problem. Here are the most efficient ways to mitigate phishing scams:
- Implement the Appropriate Technical Measures
This is the first step towards protecting yourself and your organization. Adopt robust cybersecurity practices and install the right antivirus software. With a good defense mechanism, you can meaningfully reduce the number of attacks that get to you.
- Build a Positive Security Culture
Your organization must have a very positive security culture to quickly detect and neutralize IT security reaches. Avoid victim-blaming and make everyone understand that they need to report any threat as soon as possible.
- Learn the Psychological Triggers of Phishing Scams
Phishing scammers rely on social engineering, which exploits human psychology. You need to be psychologically prepared to realize when someone is trying to get through your natural wariness. Get your staff to understand that conditioned responses, sense of indebtedness, and false sense of urgency are the psychological angels employed by phishing scam artists.
- Train Staff on Cyber Security Measures
Being conscious is not enough; everyone in your organization needs basic training on the best cybersecurity practices. They should be aware that phishing emails and messages can come at any time, and they must be prepared to identify and report them. Test the effectiveness of the training to make sure that your organization is safer.
The Future of Phishing
Phishing scams have been around for a long while and remain a viable strategy in the hands of cybercriminals. From what we know, it will remain a threat for a long while because it is relatively easy to carry out, and there are many cybercriminals working hard of phishing tools. Since even sophisticated IT users can fall victim to phishing scams, it will remain a viable tool in the hands of internet fraudsters. It is important that individuals and organizations get ready to deal with the possibility of more advanced phishing attacks.
While you are your in-house IT security team can do a lot to protect your systems and network, it is always better to work with a seasoned IT security firm. This is the best way to manage the rising threat from phishing scams and related cybersecurity issues.
If you would like more information on KMT’s Dark Web Monitoring Service or Managed Cyber Security offering, please contact myself – firstname.lastname@example.org.