Phishing is a practice where computer users are tricked into giving sensitive or personal information through electronic communication.
Wombat Security suggests that there are over 2.5 billion successful scams each day. Furthermore, the average cost of these social engineering attacks to a business can be upward of 1.6 billion dollars. This includes brand costs, impacts on customers, legal fees, ransomware and reputation costs.
The goals of a “phisher” are to:
- Gain the trust of a user in order to break into secure storage and/or information
- Access credentials necessary to modify data
- Collect user IDs and/or passwords in order to gain access to documents, emails, money and personal data
- Distribute malware
Common types of phishing schemes
There are 6 common kinds of phishing scams. Each has its own tactics.
Spear phishing
Spear phishing is a targeted phishing attack. A spear phisher first gathers detailed background information on the target, typically from open sources such as social media accounts, and then uses those specifics to deceive the individual.
Phishers then use this information to send out convincing fake emails designed to obtain access to personal accounts. You can combat spear phishing by training employees to be aware of the risks and tactics of phishers. This training should include limiting the amount of sensitive information they share. Additionally, businesses should consider investing in automated software that analyzes emails for phishing risks.
Whaling
Whaling is another type of targeted phishing scheme; however, this type specifically targets executives or other high-ranking organization members. Whaling phishing techniques are similar to spear phishing techniques—the only real difference is the target.
Rather than relying on social media research to gain initial access, whaling attacks commonly use fake DocuSign documents to obtain an executive's signature. Performing executive training on the risks associated with whaling and setting up multi-factor authentication for all financial transfers are great ways to combat whaling.
Pharming
Users are becoming more familiar with some of the more common phishing techniques, so scammers are changing tactics. Rather than baiting victims, some are resorting to a technique called pharming. In this method, phishers poison the domain name system (DNS) records for a particular website so that its alphabetic domain name resolves to a numerical IP address under the phisher's control. By doing this, the phisher can redirect victims to any website they desire.
To protect your data from a pharming attack, employees should be encouraged to enter their credentials only on HTTPS-protected sites. Additionally, organizations should utilize antivirus software on all computers and ensure it is frequently updated.
Deceptive phishing
Deceptive phishing is the most common variety of phishing. After collecting a victim’s username and password, a phisher uses software to send out fake emails to others. After entry into the victim’s account, the phisher will often change the owner’s credentials to deny them reentry and take over the account.
To recognize a deceptive phishing scam, check URLs carefully. Also, check the body of any emails for grammar mistakes, generic greetings and spelling errors.
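The URL checks recommended here, and the HTTPS advice given under pharming, can be automated as a defensive heuristic. The following is an added example (not from the original article) that scans the links in a suspicious HTML message and reports the warning signs named above; TRUSTED_DOMAINS and the sample anchors are constructed assumptions.

```python
"""Heuristic link checker for the 'check URLs carefully' advice above.
Flags links that are not HTTPS, raw-IP or punycode hosts, link text whose
domain differs from the real target, and hosts imitating a trusted domain.
TRUSTED_DOMAINS and the sample email in the test are constructed."""
import re
from difflib import SequenceMatcher
from typing import Dict, List, Optional
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("example.com", "docusign.com")  # assumed allow-list
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#].*)?$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels of the host."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def imitated_domain(host: str) -> Optional[str]:
    """Trusted domain this host imitates, or None if it is the genuine one."""
    host = host.lower()
    if registrable(host) in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if host.startswith(trusted + "."):  # subdomain trick: docusign.com.evil.net
            return trusted
        if SequenceMatcher(None, registrable(host), trusted).ratio() >= 0.8:
            return trusted  # near-miss spelling such as examp1e.com
    return None

def check_link(display_text: str, href: str) -> List[str]:
    """Phishing indicators present in one link; an empty list means none found."""
    url = urlparse(href)
    host = (url.hostname or "").lower()
    findings = []
    if url.scheme != "https":
        findings.append("not HTTPS")
    if IPV4_RE.fullmatch(host):
        findings.append("raw IP address host")
    if "xn--" in host:
        findings.append("punycode host")
    if imitated := imitated_domain(host):
        findings.append(f"look-alike of {imitated}")
    shown = DOMAIN_RE.match(display_text.strip())  # only when the text itself names a domain
    if shown and registrable(shown.group(1)) != registrable(host):
        findings.append("link text domain differs from target")
    return findings

def scan_email(html: str) -> Dict[str, List[str]]:
    """Map every href in an HTML message body to its list of findings."""
    return {href: check_link(text, href) for href, text in ANCHOR_RE.findall(html)}
```

A link with an empty findings list is not proof of legitimacy; the checks only surface the visible indicators a reader is told to look for.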
SMishing
SMishing uses the same techniques as a typical phishing scam but delivers them through text messages (SMS). In this kind of scam, you receive a text on your phone containing a link to follow, and following it gives the scammer access to your accounts.
Vishing
With vishing, scammers use your phone to try to gain access to your accounts. A typical example of a vishing scam involves a scammer calling a victim and posing as a tech support member. They will often ask permission to log into some account—via a specific website—in order to “repair” it.
To avoid vishing scams, you should avoid answering calls from numbers you don’t know and avoid giving personal information out over the phone. You can also call back a representative on a recognized phone number.
Guarding against phishing attacks
Follow these general tips to guard yourself against phishing tactics:
- Avoid clicking on the links in emails from people you don’t know.
- Don’t save passwords.
- Call contacts that request company information.
- Don’t give out personal information via the phone.
- Open a new email rather than replying to a suspected scam email.
- Verify a caller’s intent and request a callback number.
- Use multi-factor authentication.
- Require complex passwords.
- Keep antivirus software and security certificates up-to-date.
- Think before you act and click.
- Keep your employees’ training up-to-date.
- Only download trusted apps.
- Only allow company-approved programs to access company computers and the internet.