Do you know all the ways you can be Phished?
At ISM, we hold cyber security near and dear to our hearts. Our personal mission is to keep our clients safe and productive, and that means generating awareness of new threats and new ways of combating those threats.
Much like the species in Darwin’s theory, phishing has evolved from a single technique into many highly specialized tactics, each adapted to specific types of targets and technologies. First described in 1987, phishing is now carried out via text, phone, advertising, and (of course) email. Boiled down, all these tactics serve the same purpose: to swipe confidential information from unsuspecting targets in order to extract something of value. But knowing about the hugely diverse set of today’s phishing tactics can help home and business internet users alike be better prepared for the inevitable.
This tactic has, in the past, been more about quantity than quality. The audience was broad, and emails were riddled with noticeable errors. Phishing has since matured, becoming more sophisticated and harder to spot. When in doubt, delete.
A hallmark of malware phishing is the attachment of a blank document requiring you to enable macros to view its contents, as in the common “package delivery failure” message. This is a major red flag.
Where most phishing attacks cast a wide net, hoping to entice as many users as possible to take the bait, spear phishing involves heavy research of a predefined, high-dollar target, like a CEO, founder, or public persona — often relying on publicly available information for a more convincing ruse.
SMS + PHISHING = SMISHING (Just Don’t Click)
This uses text messaging to deliver malicious links, often in the form of short codes, to ensnare smartphone users in scams. SMS open rates hover around 98%. Compare that to around 20% for email, and it’s clear why cyber criminals like smishing.
Search Engine Phishing
In this type of attack, cyber criminals wait for you to come to them. Search engine phishing injects fraudulent sites, often in the form of paid ads, into results for popular search terms.
Vishing involves a fraudulent actor calling a victim while pretending to be from a reputable organization, in order to extract personal information such as banking or credit card details. Most often, the “caller” on the other end of the line obviously sounds like a robot, but as technology advances, this tactic has become more difficult to identify.
Also known as DNS poisoning, pharming is a technically sophisticated form of phishing involving the internet’s domain name system (DNS). Pharming reroutes legitimate web traffic to a spoofed page without the user’s knowledge to steal valuable information.
In this attack, a shady actor makes changes to an existing email, resulting in a nearly identical (cloned) email but with a legitimate link, attachment, or other element swapped for a malicious one. These attacks can’t get off the ground without an attacker first compromising an email account, so a good defense is using strong, unique passwords paired with two-factor authentication, and changing passwords often.
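As an added, defensive illustration of the swapped-link trick described above (example code written for this article, not ISM’s own tooling), the function below parses an HTML message and flags any link whose visible text names one host while its href actually points somewhere else. The sample message and the “looks like a URL” heuristic are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that itself claims to be a URL or domain (constructed heuristic).
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(s):
    """Hostname of a URL or bare domain, lower-cased, leading 'www.' dropped."""
    if "://" not in s:
        s = "http://" + s
    host = (urlparse(s).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def find_mismatched_links(html):
    """Return (shown_text, href) pairs where the visible text names one host
    but the link really goes to another: the sign of a swapped link."""
    parser = _AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        if not LOOKS_LIKE_URL.fullmatch(text):
            continue                      # plain words make no claim to check
        shown, real = _host(text), _host(href)
        if shown and real and shown != real and not real.endswith("." + shown):
            hits.append((text, href))
    return hits

# Constructed sample message: the second link shows one host but goes elsewhere.
SAMPLE = """<p>Your invoice is ready.</p>
<a href="https://portal.example.com/invoice/42">https://portal.example.com/invoice/42</a>
<a href="http://portal-example.co.example.net/login">portal.example.com</a>
<a href="https://www.example.com/help">Help center</a>"""
```

Running `find_mismatched_links(SAMPLE)` returns only the second anchor, which is the one a reader would want to hover over before clicking.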
In this attack, an eavesdropper monitors correspondence between two unsuspecting parties. When this is done to steal credentials or other sensitive information, it becomes a man-in-the-middle phishing attack. These are often carried out via phony public WiFi networks at coffee shops, shopping malls, and other public locations. Once a victim joins such a network, the man in the middle can phish for info or push malware onto the device.
BUSINESS EMAIL COMPROMISE (BEC) – Don’t make the payment!
One of the most expensive threats facing businesses today is business email compromise. This involves a phony email usually claiming to be an urgent request for a payment or purchase from someone within or associated with a target’s company.
Malvertising – “That Ad Isn’t What You Think It Is”
This takes advantage of advertising or animation software to exploit its targets. The malicious code is usually embedded in otherwise normal-looking ads that are placed on legitimate websites like Yahoo.
While staying vigilant will keep most attackers at bay, no one is 100% secure on their own. After all, phishing only exists today because it works. This is why it’s important to combine security awareness training with quality business endpoint protection: threat intelligence, cloud-based updates, real-time anti-phishing, DNS protection, and reliable data backup.
If you have questions about your cyber security needs, please contact us at firstname.lastname@example.org or (406) 443-8386