We’ve all heard the term before, “phishing”, and most of us know that it generally means some kind of online scam. But how many of us know what a phishing scam actually entails, or the different forms such a scam might take as a malicious actor tries to get your sensitive personal information? This article’s purpose is to inform you about and arm you against these kinds of social engineering attacks, to better safeguard your sensitive information and keep yourself and your company safe.
Industry breach reports routinely attribute a large majority of successful intrusions and data breaches (figures above 90% are often quoted) to some form of phishing, so it is a threat to everyone. Phishing is the process of trying to trick a user into giving up sensitive information (usernames, passwords, credit card details) by pretending to be a trustworthy entity. A popular example is a bulk email from “Facebook” telling you that your password has been changed and you need to update your information. The email is fake, and so is the web page it directs you to. Both the email format and the web page can look exactly like the real thing, which is what tricks people into trusting the source and giving up their information. One of the myths around phishing scams is that they are easy to spot, and sometimes that is true. But the next one will be cleaner and more professional looking, and so will the one after that. Eventually the average uninformed person will not be able to tell the difference and will get caught.
So what are some easy ways to spot and avoid these kinds of attacks? The easiest is to be aware of the most common cases, the most frequent ways an attacker tries to scam you. These attackers play on an employee’s desire for security, so messages that involve HR or could affect their daily work routine are likely to be noticed, read, and acted on. On a personal level, the same pull applies to social media notifications and emails. Lures impersonating Facebook, LinkedIn, and Twitter account for roughly 90% of trending phishing scams; these usually take the form of “Add me to your friends/connections”, “Password Reset”, or “Deactivation Request” emails, all of which demand some form of imminent action from the user. The easiest way to avoid this is to think before you click. If you open the email at all, check the sending address (not just the display name, which the attacker chooses freely) and compare it to the address the impersonated company actually sends from. It will usually look different, though be aware that the address itself can be forged unless your mail provider checks SPF, DKIM, and DMARC. Before clicking a link, hover over it and read the domain, which is the part between the “://” and the first “/”. A link to “www.facebook.com.example-verify.net” is not a Facebook link; the real site is whatever comes just before that first slash. Be careful about what you click, and do not open any files attached to suspicious emails, since they may carry malware.
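The two checks just described (compare the real sender address with the display name, and read the domain of every link) can be automated. The following Python script is an added example, not code from the article or from any vendor it mentions; it triages one constructed sample email of the “your password was changed” kind, flags a display name that claims a brand the sender domain does not belong to, a mismatched Reply-To, the absence of an Authentication-Results header, and links whose real domain is not the brand’s. The sender domains, the `TRUSTED` list, and the look-alike hostnames are all made up for illustration, and the `registrable_domain` helper deliberately ignores multi-part public suffixes such as co.uk.

```python
"""Heuristic phishing triage for a single raw e-mail (illustrative, not production)."""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: a fake "Facebook" password-reset lure. Every domain here is invented.
RAW_EMAIL = b"""From: "Facebook Security" <security@facebook-alerts.example>
Reply-To: helpdesk@mail-recovery.example
To: victim@example.com
Subject: Your password was changed - confirm now
Content-Type: text/plain; charset=utf-8

Your password was changed. If this wasn't you, confirm here within 24 hours:
https://www.facebook.com.account-verify.example/login
Or use our secure mirror: http://xn--faebook-w8a.com/reset
"""

# Assumed list of domains each impersonated brand really sends from / links to.
TRUSTED = {
    "Facebook": ["facebook.com", "facebookmail.com"],
    "LinkedIn": ["linkedin.com"],
    "Twitter": ["twitter.com", "x.com"],
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Simplification: a real tool would use the
    public suffix list so that 'login.example.co.uk' resolves to 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_for(domain: str):
    """Return the brand that legitimately owns this registrable domain, if any."""
    for brand, domains in TRUSTED.items():
        if domain in domains:
            return brand
    return None


def check_url(url: str) -> list:
    """Return a list of reasons this link is suspicious (empty means nothing found)."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        findings.append("not https")
    if parsed.username is not None:
        # https://facebook.com@evil.example/ : the text before '@' is user info, not the site
        findings.append("user info before host; the real site is the part after '@'")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("raw IP address as host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) label; possible look-alike characters")
    reg = registrable_domain(host)
    if brand_for(reg) is None:
        # A brand name anywhere to the left of the registrable domain is a look-alike.
        for brand in TRUSTED:
            if brand.lower() in host and brand.lower() not in reg:
                findings.append(f"'{brand}' appears in subdomain but the site is {reg}")
    return findings


def check_message(raw: bytes) -> dict:
    """Inspect sender headers and every link in the body of one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, from_addr = email.utils.parseaddr(msg["From"])
    from_domain = registrable_domain(from_addr.rsplit("@", 1)[-1])
    findings = []
    claimed = next((b for b in TRUSTED if b.lower() in display.lower()), None)
    if claimed and from_domain not in TRUSTED[claimed]:
        findings.append(f"display name claims {claimed} but sender domain is {from_domain}")
    if msg["Reply-To"]:
        _, reply_addr = email.utils.parseaddr(msg["Reply-To"])
        if registrable_domain(reply_addr.rsplit("@", 1)[-1]) != from_domain:
            findings.append("Reply-To domain differs from From domain")
    if msg.get("Authentication-Results") is None:
        # Without this header from your own mail server, the From address is unverified.
        findings.append("no Authentication-Results header: SPF/DKIM/DMARC not checked")
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    urls = {u: check_url(u) for u in URL_RE.findall(body)}
    return {"header_findings": findings, "urls": urls,
            "suspicious": bool(findings) or any(urls.values())}


if __name__ == "__main__":
    report = check_message(RAW_EMAIL)
    for line in report["header_findings"]:
        print("header:", line)
    for url, reasons in report["urls"].items():
        print("link:", url, "->", reasons or "ok")
```

Run on the sample, the script reports three header problems and flags both links; a genuine link such as https://www.facebook.com/settings produces no findings. The heuristics are deliberately simple so that each one maps to a check a person can do by eye.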
These scams are usually quantity-over-quality attacks. The scammer sends a mass email blast to hundreds or thousands of users to see who takes the bait. Bank account access details, password recovery answers such as a mother’s maiden name, or even a direct account number are all things these emails can try to trick you into handing over. Financial gain is the obvious, standard motive, but there is rarely (if ever) a specific target in mind. Anyone can be a target, and you cannot stop an attacker from sending you the email; the only way to avoid these attacks is to not be tricked by them. If you see something, say something. Don’t click on unknown links in emails or messages. Double check dubious instructions from colleagues or executives with them by phone, using a number you already have rather than one in the message, before acting on them. Use multi-factor authentication on your accounts, ideally a phishing-resistant method such as a hardware security key or passkey; one-time codes and push approvals help, but a phishing site that proxies the real login page can capture them in real time. Encrypt your data so that a single stolen password does not expose everything. All of these things can help keep you safe.
Here is a list of some other forms of social engineering scams that are similar to phishing, and can have the same disastrous outcome:
Pretexting: Using an invented scenario, backed by personal information the attacker has already gathered (date of birth, social security number, and so on), to appear legitimate and get you to give up more information.
Watering hole (water-holing): The attacker identifies websites the target group visits regularly, compromises one of them through a vulnerability in that site, and plants malicious content there so that visitors from the target group infect their own systems and give the attacker access to their information.
Spear Phishing: A small, focused version of email phishing aimed at a specific person or organization. It is done after extensive research on the target, and the message uses details specific to that target (a real project, colleague, or vendor) to make it convincing.
Tailgating: A tailgater waits for an authorized user to open and pass through a secure entry point, and then follows them in. This one is prevented with strict policy (no holding the door, everyone badges in) backed by physical controls such as turnstiles or mantraps.
Rogue: Also known as rogue anti-spyware or scareware, this scam tricks users into paying for a fake or simulated anti-virus software subscription, usually through pop-ups claiming the machine is infected. It has become more and more common over recent years, and there are dozens of these kinds of programs.
There are some additional tools you can use to prevent or guard against these kinds of attacks. You can begin by working with your IT resource to identify and close existing holes in your company’s IT policy that could leave you vulnerable to phishing attacks. On top of that, there are tools that can give you another layer of security. One such tool is Barracuda Sentinel, an AI-based threat detection service that learns your organization’s communication patterns to detect personalized fraud in real time and protect your business from breaches that start with phishing. Another is Azure Advanced Threat Protection (Azure ATP, since renamed Microsoft Defender for Identity), which integrates with your environment and logs user and system activity so that it can alert you to abnormal scans or behavior and help you identify compromised accounts and systems.