Everyone knows what fishing is, but what is phishing?
You may have heard the joke “Where do fish keep their money? Answer: In a riverbank.” Phishers know this. They are trying to take your information, and ultimately, your money. Sometimes they’re just trying to mess with your computer. Not so funny.
Phishing is when someone virtually (digitally) throws out a line to see if they can “hook” you. You’re the “phish” they are trying to catch. Their “line” is the story they tell to try to lure you and reel you in. Don’t take the bait – don’t click on the link or open the attachment!
In other words, the definition of phishing involves an attacker sending you a counterfeit email or text claiming to be from a reputable company. They try to convince you to give them your personal information such as passwords, credit card numbers, account numbers, or social security numbers.
Once the scammer gets your information, it may be used to directly steal money from you, perform other attacks, steal proprietary information, install malware (malicious software such as ransomware) on your computer or other device, spear phish other people within the organization, and/or sell compromised accounts on darknet markets.
Thousands of phishing attacks are launched every day, and they are becoming more and more sophisticated. If one succeeds, the scammer can often watch everything you do and cross further security boundaries alongside you as you move through a website. As of 2020, phishing is the most common attack performed by cybercriminals, which is why it is the first topic in our Networks blog. After all, when it comes to computer systems, without cybersecurity, what do we have?
Let’s look at several types of phishing attacks, how to recognize them, and several techniques to keep your personal and proprietary information safe from a phishing attack.
Types of Phishing Attacks
There are several types of phishing attacks. Understanding them can help you recognize if scammers are fishing for you.
Bulk Email Phishing
Most phishing messages are delivered by bulk email, with content that differs depending on the attacker’s goal. Bulk email phishing is not personalized or targeted specifically at you or your company. The attacker commonly pretends to be a company you know and trust, like a bank, credit card company, online payment website, or online store.
Spear Phishing
In real-world spear fishing, one spear is aimed at one fish. The same goes for phishing: in spear phishing the attacker directly targets you or your specific organization and tailors the message accordingly, often gathering information about you before attempting to hook you. The hook is making you believe the email is legitimate. Executives and employees in finance or accounting departments are typical targets.
Whaling and CEO Fraud
When we talk about the definition of phishing, specifically whale phishing, the whale is the big fish. Whaling refers to spear phishing attacks directed at high-level executives. The lure is usually specific to the person attacked, such as a fake customer complaint or subpoena. CEO fraud is the reverse: fake emails that appear to come from senior executives are sent to other employees to get them to do something such as wire money.
Clone Phishing
This is when the content and recipient address(es) of a legitimate, previously delivered email that contains an attachment or link are “cloned” into an almost identical email. The attachment or link is replaced with a malicious one. The email is then sent to you from an address that looks like the original sender’s, so it might trick you into thinking it is a resend of or update to the original email. The attacker usually has to compromise the original sender or recipient first to obtain the legitimate email.
Voice Phishing
A voice phishing attack uses phone calls, often over VoIP. Attackers dial many phone numbers and play automated recordings that make false claims of fraudulent activity on your bank accounts or credit cards.
SMS Phishing
SMS phishing is similar to email phishing, but attackers use cell phone text messages. The “bait” is an invitation to click a link, call a number, or contact an email address, and then provide your data.
How to Avoid a Phishing Attack
Don’t be the next meal for hungry “phishers.” Look for common signs, like misspelled URLs and subdomains, and links in emails that appear to belong to the company the attackers are impersonating but actually point elsewhere. Scammers like to build websites on look-alike or exploited domain names: sites that look exactly like the legitimate ones but lead instead to malicious versions.
Phishers sometimes use images instead of text to evade anti-phishing filters that are trying to detect the text used in phishing emails.
Scammers often use social engineering, convincing you that it is urgent to click a link, open an attachment, or provide confidential information. Is it really urgent? Think twice. Social engineering can also take the form of fabricated news articles that lead to websites where victims see fake virus notifications or are redirected to pages that attempt to install malware. Trouble could be just around the corner.
Technical Approaches to Avoid a Phishing Attack
- Filter out phishing email with spam filters
- Set up browsers that alert you to fraudulent websites
- Augmented password logins:
  - Ask a user to select a personal image called a SiteKey and tell them to only enter their password if they recognize the image. But just realize that users might still enter their password even if they don’t see an image.
  - Provide an identity cue (a colored word in a colored box).
  - Show a grid of images where the user must identify the pictures that fit a category in addition to entering a password.
- Protect your computer by using security software with 24/7 automated monitoring and takedown of phishing websites
- Set up your computer, cell phone, and other devices to update software and backup data automatically. This could give you critical protection against security threats.
- Transaction verification and signing using the cell phone as a second channel for verification and authorization
- Multi-factor authentication, requiring a user to present at least two credentials when logging in, such as an authentication app passcode and a fingerprint scan.
- Require that users use an email client that redacts URLs from emails, making it impossible for the email recipient to click on a link or copy a URL. This almost eliminates phishing attacks.
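The warning signs described above (misspelled domains, a trusted brand name buried in a subdomain, and link text that does not match where the link really goes) and the URL-redaction idea in the last list item can both be automated. The script below is an added example, not Green Zebra’s code: it parses the links out of an HTML email, reports why each one looks suspicious, and produces a redacted copy of the message. The `TRUSTED_DOMAINS` list and the sample email are constructed for the example, and `registrable_domain` is a deliberate simplification that takes the last two labels of a hostname instead of consulting the public suffix list.

```python
"""Flag and redact suspicious links in an HTML email body.

Added illustration (not Green Zebra's code). TRUSTED_DOMAINS and the
sample message below are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: brands this filter protects. A real deployment would load this list.
TRUSTED_DOMAINS = {"examplebank.com", "example-pay.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Simplification: a real filter would use
    the public suffix list so that e.g. 'example.co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-misspellings of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href, text):
    """Return a list of reasons the link is suspicious (empty means none found)."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    domain = registrable_domain(host)

    # Sign 1: the visible text is itself a URL, but for a different domain than the real target.
    shown = re.search(r"https?://([^/\s]+)", text)
    if shown and registrable_domain(shown.group(1)) != domain:
        reasons.append(f"text shows {shown.group(1)} but link goes to {host}")

    if domain in TRUSTED_DOMAINS:
        return reasons  # genuinely hosted on a protected brand's domain

    for trusted in TRUSTED_DOMAINS:
        # Sign 2: the brand appears as a subdomain label of some other domain.
        if trusted in host:
            reasons.append(f"{trusted} used as a subdomain of {domain}")
        # Sign 3: the registrable domain is a near-misspelling of the brand.
        elif edit_distance(domain, trusted) <= 2:
            reasons.append(f"{domain} is a near-misspelling of {trusted}")
    return reasons


def analyze_email(html):
    """Return [(href, text, reasons), ...] for every link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, classify_link(href, text)) for href, text in collector.links]


def redact_urls(text):
    """Replace every URL with a placeholder, as a URL-redacting mail client would."""
    return URL_RE.sub("[link removed]", text)


# Constructed sample message: one subdomain trick, one misspelling, one genuine link.
SAMPLE_EMAIL = """<p>Your account is locked. Confirm now:</p>
<a href="https://examplebank.com.verify-login.example/secure">https://examplebank.com/secure</a>
<a href="https://exampIebank.com/reset">Reset password</a>
<a href="https://www.examplebank.com/help">Help center</a>"""

if __name__ == "__main__":
    for href, text, reasons in analyze_email(SAMPLE_EMAIL):
        print(href, "->", reasons or "ok")
    print(redact_urls(SAMPLE_EMAIL))
```

Run as a script, the first sample link is flagged twice (the shown URL differs from the real target, and the bank’s name is only a subdomain of `verify-login.example`), the second is flagged once as a one-character misspelling (a capital I standing in for a lowercase l), and the genuine `www.examplebank.com` link passes. The redacted copy keeps the message readable while leaving nothing clickable, which is the effect the redacting email client in the list aims for.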
Good Practices if You Suspect a Phishing Attack
There are several good practices you can use to combat phishing. If you see a suspicious message that asks you to click on a link or open an attachment, ask yourself if you have an account with the company or know the person who contacted you.
- Review the types of phishing attacks above to see if the message matches one of them.
- Contact the company the email claims to come from to check whether the email is legitimate.
- Instead of clicking the hyperlink provided in the message, type the company’s real web address into your browser yourself.
- If you receive a generic email from a company that does not address you by your username, be aware that it may or may not be a phishing attempt, since some companies address their customers by their usernames in emails.
- You can also go to an anti-phishing website where you can see examples of phishing messages that have recently been circulating on the internet.
Phishing Protection from Green Zebra Networks
Now you know the definition of phishing. Green Zebra Networks offers you a combination of security solutions to counter phishing attempts.
Anti-phishing measures in your company start with educating users to identify phishing scams. Green Zebra Smart Networks can help you run simulated phishing campaigns targeting staff through email to see if they take the bait.
Our cybersecurity team can also implement multi-factor authentication to keep your company’s data safe across all users. We also offer VPN, remote desktop protocol, and virtual desktop infrastructure.
Don’t take the bait. Keep your information safe. Run with Green Zebra Smart Networks at (800) 777-3562.