Phishing attacks are still prevalent and organizations are continuously being targeted. According to a report from Proofpoint, 83% of businesses say they experienced a phishing attack in 2018. Phishing attacks are used to steal credentials/data and spread malware and ransomware to businesses. Just last month the city of Ottawa fell victim to a phishing scam and wired $130,000 to scammers.
Source: Proofpoint
Phishing attacks work because hackers are good at making their messages seem legitimate and people are not always paying attention when reading emails. Here are 4 types of phishing attacks and steps you can take to combat them.
1. Phishing messages via SMS or Messaging apps
Although phishing emails are still prevalent, hackers are also utilizing other forms of communication, such as text messaging and messenger apps, to target potential victims. These types of phishing attacks are similar to what you’ll see in email; the only difference is the method of communication. For example, instead of getting an email saying your account is compromised, you will get a message via text with a link. In some cases, they may send a phishing email but request the correspondence to continue via text and ask for your mobile number.
How to combat
Education and awareness are key to fighting phishing attacks. Employees should be enrolled in cyber awareness training at least once a year to make sure they are updated on the latest attack vectors. Cyber awareness training will also help employees think more critically about navigating online and learn how to build good security habits. They should never engage with unknown senders or click on any links in suspicious emails.
2. Business Email Compromise (BEC)
BEC scams involve impersonating a CEO or executive of a company or a business supplier/partner. The hackers then request a wire transfer of money or for the user to purchase gift cards. These scams usually involve building a rapport with the potential victim in order to build trust or having knowledge of a business’ suppliers to seem more legitimate. According to the FBI, BEC caused losses of $1.3 billion in 2018.
How to combat
Implement a warning message when users receive messages that originate from outside the organization. This can remind users to look closely at the emails they receive and to not download attachments/files from unknown senders. This can also help combat CEO fraud as messages from executives should originate from within the organization.
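The external-sender warning described above, sketched as a mail-gateway step in Python. This is an added example, not code from the original article; the domain example.com, the executive name, the banner wording and the X-Org-Warning header are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: the organization's mail domain and the
# executive display names that deserve an extra impersonation warning.
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe"}

EXTERNAL = "EXTERNAL: this message originated outside the organization."
SPOOFED = "CAUTION: sender claims an internal address but arrived from outside."
EXEC_NAME = "CAUTION: sender name matches an executive, address is external."


def warnings_for(raw_message: str, via_internet: bool) -> list[str]:
    """Return the warning banners for one message.

    via_internet is what the mail gateway knows about the connection the
    message arrived on; the From header alone is attacker-controlled.
    """
    if not via_internet:
        return []
    msg = message_from_string(raw_message)
    name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    banners = [EXTERNAL]
    if domain in INTERNAL_DOMAINS:
        banners.append(SPOOFED)
    elif " ".join(name.lower().split()) in EXECUTIVES:
        banners.append(EXEC_NAME)
    return banners


def add_banner(raw_message: str, via_internet: bool) -> str:
    """Prefix the subject with [EXTERNAL] and record the warnings in a header."""
    msg = message_from_string(raw_message)
    banners = warnings_for(raw_message, via_internet)
    if banners:
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = "[EXTERNAL] " + subject
        msg["X-Org-Warning"] = " | ".join(banners)
    return msg.as_string()


# Constructed sample messages (not real mail).
BEC_SAMPLE = 'From: "Jane Doe" <jane.doe@example.net>\nSubject: Urgent wire transfer\n\nAre you at your desk?\n'
VENDOR_SAMPLE = "From: billing@supplier.test\nSubject: Invoice 1042\n\nAttached.\n"
```

The decision that a message is external comes from the gateway, not from the From header, so a message that claims an internal address but arrives from outside still gets flagged.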
3. Credential attacks
Hackers targeting credentials will send phishing messages that try to steal them. This is usually done by sending a message that entices you to log in. These messages can say you need to change your password or that there was a suspicious login. Some may say you have a tax refund or target credentials to your accounts on streaming services. These types of attacks will also provide a link to a fake website that looks legitimate. When you log in using these spoofed links, the hackers will be able to gain access to your credentials. This opens up the threat of malicious insider attacks, where hackers can use compromised credentials to steal data or spread more phishing emails to clients or business partners.
How to combat
To avoid clicking on fake websites, you should always hover over the link and inspect the URL before you click on it. If you are unsure whether it's legitimate, you should type the website address directly into the search bar.
4. Clone phishing
This attack takes a legitimate email and copies or “clones” the email to include a malicious link. This attack can be difficult to spot because it’s based on a previously delivered email. The attackers will also spoof the return email address so that it closely resembles the original sender.
How to combat
Implementing a secure email solution can help detect threats like phishing and spam. Secure IT – Mail includes several security features like Advanced Threat Protection to scan for suspicious email attachments, malware and malicious links. Additionally, you can back up and archive your emails with Secure IT – Mail.