When reading the names of these attacks out loud, we wouldn’t be surprised if the first thought that comes to mind is “how malicious can attacks with such cutesy names really be?”. Well, phishing is used as the attack vector for 95% of all targeted attacks against enterprise networks, and a single spear phishing attack results in an average loss of $1.6 million according to Security Boulevard. So yeah, phishing is quite a big deal.
But it’s not only classic email phishing that is causing a fuss. The FBI issued a warning last month about voice phishing attacks, also known as “vishing”. In their statement, the FBI shed light on a new wave of cybercriminals “taking advantage of changing environments and technology” during lockdown and other COVID-19 restrictions. In this blog post, we will explain how phishing works across different platforms, how to recognize the attacks and how to make sure you’re protected.
The most commonly used attack method is email phishing. This type of phishing involves fraudulent emails that lure victims into clicking a malicious link, downloading a malicious file, or providing personal information. In many cases, phishing emails direct the victim to a seemingly legitimate website where they are asked to enter credentials or bank/credit card details, which the attackers then harvest to sell or to use in additional attacks. Over time, phishing emails have become more and more realistic. Attackers today put a whole new level of sophistication into making everything about their phishing email seem legitimate, which makes it far more likely that victims fall for the trick (research shows that 97% of users cannot identify a sophisticated phishing email). Targeted variants include Spear Phishing, where victims are singled out individually, usually with a more sophisticated, tailored email, and Whaling, phishing attacks that target CEOs and other high-profile individuals.
SMS phishing, or Smishing, is a type of phishing attack deployed via SMS or WhatsApp messages. These mischievous messages usually include a malicious link, or ask victims to reply with confidential information. Since text messages are short and sweet by nature, smishing messages are usually written in exciting language that creates a sense of urgency. With a general lack of awareness that malware and scams can arrive by text, people are more vulnerable to this type of phishing. In a study by Lloyds TSB in which participants were shown 10 authentic and 10 inauthentic text messages, only 18% correctly distinguished between all the fake and real texts. That's 82% who didn't, and who could easily fall victim to a smishing attack any day.
In voice phishing attacks, the victim receives a fraudulent phone call asking them for sensitive or confidential information. Victims' personal information and phone numbers can easily be found on the internet, allowing attackers to trick them into thinking the caller represents a legitimate service that knows the victim personally. Scammers may spoof their caller ID or call from an unknown number, so a call that appears to come from your bank's number proves nothing. Vishing can occur in either a single-step or a two-step form. In a simple vishing attack, the caller tries their luck asking victims for information such as credit card details, account credentials, personal information and the like. In the two-step form, cybercriminals already have (or have phished) the victim's credentials for some online service, but the login is protected by a code sent by SMS. In this case, the attackers call the victim, claiming to work for whichever service they are trying to break into (often a bank), and ask for the code that was just sent to the victim's phone. A legitimate service will never call you and ask you to read back a verification code: that code exists precisely so that someone who already has your password cannot log in without your phone.
The FBI’s recent warning on vishing attacks is important for spreading awareness about this attack, considering that just last summer Twitter suffered its most famous hack via vishing. Employees at Twitter fell victim to voice phishing attacks, being tricked by attackers into handing over their employee credentials over the phone. Over 100 accounts of the most famous people on the social media platform, including Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, Kanye West and Kim Kardashian, were compromised. These accounts were then used to ask Twitter users for Bitcoin payments, claiming to double the amount sent and return it as a gesture of “giving back to the community” by the hacked celebrities and politicians.
Picture courtesy of wired.com
How to detect a phishing/smishing/vishing attack
- Spelling and grammar errors
- Compelling language and/or a sense of urgency ("act now", "your account will be suspended")
- Suspicious-looking link or attachment (hover over a link to see where it really points; the visible text and the real destination often differ)
- Request for personal data, payment information, credentials or a verification code
- Unfamiliar or lookalike sender address (email phishing) or unfamiliar number (smishing and vishing)
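The checklist above can be turned into a first-pass triage script. The following is an added example written for this post, not code from ThreatSTOP or from any mail filter: the keyword lists, the "trusted" domains and the known contact number are assumptions standing in for an organization's own lists, the registrable-domain logic simply takes the last two labels (no public suffix list, so country-code domains such as `.co.uk` would need extra handling), and the sample messages are constructed. It scores a message on urgency language, requests for secrets, unfamiliar senders, links to raw IP addresses, lookalike domains built from common character substitutions (`paypa1`, `rnicrosoft`), and link text that shows one site while pointing at another.

```python
import re
from urllib.parse import urlparse

# Illustrative word lists (assumptions, not a tuned model).
URGENCY_TERMS = ("immediately", "urgent", "within 24 hours", "suspended",
                 "act now", "final notice", "verify now")
REQUEST_TERMS = ("password", "credentials", "credit card", "card number",
                 "social security", "verification code", "one-time code", "otp")
KNOWN_BRANDS = ("paypal", "microsoft", "apple", "amazon")
# Assumed contact lists: domains and numbers the recipient already deals with.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "apple.com", "amazon.com", "example.com"}
KNOWN_NUMBERS = {"+15550100200"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
HTML_LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
BARE_DOMAIN_RE = re.compile(r"\b[\w.-]+\.[a-z]{2,}\b", re.I)


def registrable(host):
    """Last two labels of a hostname (simplification: no public suffix list)."""
    host = host.lower().rstrip(".")
    if IPV4_RE.match(host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalize_lookalike(label):
    """Undo the substitutions attackers use to imitate a brand name."""
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        label = label.replace(bad, good)
    return label


def imitated_brand(host):
    """Return the brand a non-trusted host appears to imitate, else None."""
    if registrable(host) in TRUSTED_DOMAINS:
        return None
    for label in host.lower().split("."):
        norm = normalize_lookalike(label)
        for brand in KNOWN_BRANDS:
            if brand in norm:
                return brand
    return None


def extract_links(body):
    """(href, visible text) for HTML anchors, then bare URLs in the remaining text."""
    links = [(href, re.sub(r"<[^>]+>", "", text).strip()) for href, text in HTML_LINK_RE.findall(body)]
    rest = HTML_LINK_RE.sub(" ", body)
    links += [(u.rstrip(".,)"), "") for u in URL_RE.findall(rest)]
    return links


def link_flags(href, shown):
    flags = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return ["unparseable link"]
    if IPV4_RE.match(host):
        flags.append(f"link to raw IP {host}")
    elif registrable(host) not in TRUSTED_DOMAINS:
        brand = imitated_brand(host)
        flags.append(f"lookalike domain {host} imitates {brand}" if brand
                     else f"link to unfamiliar domain {host}")
    # Visible text that names a site must agree with the real destination.
    m = URL_RE.search(shown) or BARE_DOMAIN_RE.search(shown)
    if m:
        text = m.group(0)
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown_host and registrable(shown_host) != registrable(host):
            flags.append(f"link text shows {shown_host} but points to {host}")
    return flags


def analyze(msg):
    """Score one message (dict with channel, sender, optional subject, body)."""
    flags = []
    text = f"{msg.get('subject', '')} {msg['body']}".lower()
    if any(t in text for t in URGENCY_TERMS):
        flags.append("urgency language")
    if any(t in text for t in REQUEST_TERMS):
        flags.append("asks for credentials, payment data or a code")
    sender = msg["sender"]
    if msg["channel"] == "email":
        dom = sender.rsplit("@", 1)[-1].lower().strip(">")
        if registrable(dom) not in TRUSTED_DOMAINS:
            flags.append(f"unfamiliar sender domain {dom}")
            brand = imitated_brand(dom)
            if brand:
                flags.append(f"sender domain {dom} imitates {brand}")
    elif sender not in KNOWN_NUMBERS:
        flags.append(f"unfamiliar number {sender}")
    for href, shown in extract_links(msg["body"]):
        flags.extend(link_flags(href, shown))
    verdict = "likely phishing" if len(flags) >= 3 else ("review" if flags else "ok")
    return {"verdict": verdict, "flags": flags}


# Constructed sample messages (198.51.100.0/24 and .example are reserved for documentation).
PHISH_EMAIL = {"channel": "email", "sender": "security@paypa1-alerts.com",
               "subject": "Urgent: your account will be suspended",
               "body": 'We detected unusual activity. Verify your password within 24 hours: '
                       '<a href="http://198.51.100.23/login">https://www.paypal.com/signin</a>'}
BENIGN_EMAIL = {"channel": "email", "sender": "service@paypal.com",
                "subject": "Your monthly statement is available",
                "body": 'Sign in at <a href="https://www.paypal.com/statements">https://www.paypal.com/statements</a> to view it.'}
SMISH = {"channel": "sms", "sender": "+15550102334",
         "body": "Your parcel could not be delivered. Confirm your card number within 24 hours at http://parcel-redelivery.example/track"}

if __name__ == "__main__":
    for m in (PHISH_EMAIL, BENIGN_EMAIL, SMISH):
        print(analyze(m))
```

The spelling-and-grammar item from the checklist is deliberately left out: it needs a real language model or dictionary to do well, and a script that counts a handful of misspellings would give false confidence. Treat the output as a triage aid for a help desk or a training exercise, not as a mail filter.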
How to protect yourself
- Be picky with whom you trust - apply a healthy amount of suspicion to emails and text messages, and yes, even to phone calls. Check out the message you've received thoroughly before proceeding, and if a caller asks for a code or a password, hang up and call the service back on the number printed on your card or statement.
- Don't click links (especially if you don't need to) - received an email or text about a special promotion at your favorite online store? Great! But instead of clicking the link, log on to their website directly to ensure the offer is real. This should be a rule of thumb for all websites - it's best to type their known URL or use a bookmark, since the link text in a message can show one address while pointing to another.
- Do regular security awareness training - as much as companies might want to save costs on this one (because what's awareness training in comparison to a shiny new security product), raising employee awareness is super important. When it comes to phishing, security is a weakest-link problem. All attackers need is one entry point, one distracted or unaware employee, and they are in.
- Use a security product that blocks inbound AND outbound suspicious traffic - millions of phishing messages are sent daily, and some will get through the mail filter. If someone in your network does click a malicious link that leads to a phishing page about to steal your company's credentials, there is still a way to stop them: the connection to that page has to be resolved and routed through your network. Make sure you have a network security solution that uses the most up-to-date threat intelligence to block incoming attacks, as well as outbound requests to phishing sites and malware staging hosts in case someone in the network has already fallen victim to phishing.
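The last point is about what the network can do after the click. As an added illustration (not ThreatSTOP's product code, and not a substitute for it), the following script matches resolver query logs against a threat-intelligence feed and emits DNS firewall rules. The feed, the log format (`<timestamp> <client> <qname> <qtype>`) and the client addresses are all constructed for the example; the indicator matching walks the queried name and each of its parents, so `login.paypa1-alerts.com` is covered by an indicator for `paypa1-alerts.com` but a name that merely contains an indicator as a prefix is not. The rule output uses the standard Response Policy Zone (RPZ) form, where `CNAME .` means "answer NXDOMAIN".

```python
import re

# Constructed indicator feed (assumption): phishing page hosts and the
# staging host a phishing page's payload is fetched from.
INDICATORS = {"paypa1-alerts.com", "secure.rnicrosoft.com", "files.drop-stage.example"}

# Constructed resolver log: one client resolves the real site, then a lookalike,
# then a staging host (the post-click case); another client is clean.
DNS_LOG = """\
2021-02-03T09:14:02Z 10.0.5.23 www.paypal.com A
2021-02-03T09:14:40Z 10.0.5.23 login.paypa1-alerts.com A
2021-02-03T09:14:41Z 10.0.5.23 login.paypa1-alerts.com AAAA
2021-02-03T09:15:10Z 10.0.5.23 files.drop-stage.example A
2021-02-03T09:16:00Z 10.0.7.8 mail.example.com MX
2021-02-03T09:16:30Z 10.0.7.8 rnicrosoft.com.evil-lookalike.example A
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def normalize(name):
    return name.lower().rstrip(".")


def matching_indicator(qname, indicators):
    """Return the indicator covering qname: the name itself or any parent domain."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def triage(log_text, indicators):
    """Every query that a DNS firewall fed with these indicators would have blocked."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        ind = matching_indicator(m["qname"], indicators)
        if ind:
            hits.append({"ts": m["ts"], "client": m["client"], "qtype": m["qtype"],
                         "qname": normalize(m["qname"]), "indicator": ind})
    return hits


def clients_to_investigate(hits):
    """Indicators per client: a host that hit both a phishing page and a staging
    host has most likely already entered credentials or fetched a payload."""
    by_client = {}
    for h in hits:
        by_client.setdefault(h["client"], set()).add(h["indicator"])
    return {c: sorted(v) for c, v in by_client.items()}


def rpz_records(indicators):
    """RPZ rules that return NXDOMAIN for each indicator and all its subdomains."""
    out = []
    for ind in sorted(indicators):
        out.append(f"{ind} CNAME .")
        out.append(f"*.{ind} CNAME .")
    return out


if __name__ == "__main__":
    hits = triage(DNS_LOG, INDICATORS)
    for h in hits:
        print(f"{h['ts']} {h['client']} -> {h['qname']} (matches {h['indicator']})")
    print(clients_to_investigate(hits))
    print("\n".join(rpz_records(INDICATORS)))
```

Blocking at the resolver is what makes the outbound half of the advice work: the user still clicks, but the phishing host never resolves, and the same rule stops the malware download that would follow a successful credential theft. The log matching is the incident-response side of the same data, telling you which machine to look at first.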
Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?