By Keith Millett | Aug 30, 2018 | Blog
Recently, a number of our clients have fallen victim to phishing scams, leaving their executives asking, “How did this happen?” and “What could we have done differently to protect ourselves?”
Let’s take a look at some common types of phishing attacks as well as how you can protect yourself and your organization from becoming a victim.
The Most Common Types of Phishing
Phishing attacks take many forms, with new techniques being developed every day. A few common characteristics/methods to be aware of include:
1. Spear Phishing/Whaling
Whereas basic phishing leverages mass-mailed generic email communications in the hopes of garnering a greater number of clicks, spear phishing attacks are more targeted and personalized to increase the likelihood that a specific user will fall for it.
Whaling is a form of spear phishing in which the target is a high-profile or wealthy member of an organization or a community, such as an executive or board member.
2. CEO Fraud/Business Email Compromise (BEC)
This popular scam involves an attacker impersonating an executive, from a spoofed or look-alike address or from the executive's own compromised mailbox, in an attempt to authorize fraudulent money transfers or purchases. These attacks are effective because the request carries the authority of senior management and is usually framed as urgent and confidential, so the targeted employees do not feel comfortable enough to contact executive management to confirm the validity of the request.
3. Pharming
Pharming is a method of attack that stems from domain name system (DNS) cache poisoning. DNS servers convert the domain name in a URL into the numerical IP addresses used for locating computer services and devices. Under a DNS cache poisoning attack, an attacker targets a DNS server and changes the IP address associated with a domain name. That means an attacker can redirect users to a malicious website of their choice even if the victims entered the correct website name in their browser.
4. Forged Websites/URL Manipulation
Attackers can easily duplicate a website and modify its code to serve up a malicious copy that mirrors the original site but sends whatever the user types to the attacker. When combined with a URL that appears similar to the address of the original site (a misspelling, a swapped character such as "rn" for "m", a different top-level domain, or the legitimate name used as a subdomain of an attacker-controlled domain), users may not be able to distinguish between the legitimate site and the malicious site.
The Goals of a Phishing Attack
Phishing attacks can have a few different goals, including (but not limited to):
- Gathering basic information, such as software in use by the organization, in preparation for a larger attack. Clicks on information-gathering messages could also reveal users who are likely to fall for more complex and lucrative attacks.
- Enticing users to complete an action, such as clicking a link or opening a file, that results in the download and execution of malware in the context of the user account and/or captures the victim’s username and password.
- Conning employees with financial or accounting roles to transfer money to a fraudulent recipient, to purchase nonexistent products, or to purchase “cash alternatives” (e.g., gift cards) and provide the relevant card information to the attacker.
Protecting Against Phishing
Protecting against phishing is a two-pronged approach and requires the participation of both IT administrators and end users.
IT administrators should take the following actions:
- Implement phishing awareness campaigns.
- Conduct security awareness trainings.
- Distribute periodic reminders/newsletters.
- Require multi-factor authentication, so that a phished password alone does not grant access.
- Apply software updates to devices in a timely manner.
- Limit administrative access on user devices.
- Deploy email security that scans email attachments and hyperlinks.
- Deploy blacklists of known malicious sender domains, URLs, and IP addresses.
- Deploy sandbox solutions to detonate email attachments or open hyperlinks in an isolated environment.
- Deploy whitelisting for applications and processes, so that only approved software can run even if a user opens a malicious attachment.
As well, end users should:
- Limit personal information posted to social networking sites.
- Check the actual sender address, not just the display name, and confirm that its domain is the one you expect; attackers rely on look-alike domains and on display names that show a trusted address while the real address is something else. Only the mail system can verify a sender technically (through SPF, DKIM and DMARC checks); a user can only catch mismatches.
- Hover the cursor over the hyperlink (or long-press it on a mobile device) to see where the link will really go, and compare that address with the one shown in the link text.
- Never open an attachment or follow a link from an unknown third party, and treat unexpected attachments from known senders with the same suspicion, since their account may have been compromised.
- Look for bad grammar, unusual phrasing, or urgent language that pressures you to act immediately.
- If in doubt, reach out to the purported sender outside of email (such as by phone), using contact details you already have rather than those in the message, to verify the validity of the email.
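As an added example, not part of the original article, the script below applies the end-user checks above to a raw message: it compares the display name with the real sender address and Reply-To, compares each link's visible text with where it actually goes (the "hover" check), and flags urgent wording. Both messages are constructed for illustration and are not real phishing samples; the urgency word list and the two-label registrable-domain shortcut are assumptions chosen for the example.

```python
"""Apply the end-user phishing checks to a raw RFC 5322 message.

Added example; RAW_EMAIL and CLEAN_EMAIL are constructed test inputs.
Standard library only.
"""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phishing sample: display name shows a trusted address, the real
# sender is a look-alike domain, replies go elsewhere, and the link text lies.
RAW_EMAIL = """\
From: "IT Helpdesk <helpdesk@example.com>" <helpdesk@examp1e-support.net>
Reply-To: recovery@mail-recovery.example.net
To: alice@example.com
Subject: URGENT: your password expires in 1 hour
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires in 1 hour. Act immediately or your account will be locked.</p>
<p><a href="https://example.com.reset-portal.net/login">https://example.com/reset</a></p>
<p><a href="https://example.com/help">Help center</a></p>
</body></html>
"""

# Constructed benign sample, used to show the checks do not fire on normal mail.
CLEAN_EMAIL = """\
From: Alice Example <alice@example.com>
To: bob@example.com
Subject: Lunch on Thursday
Content-Type: text/html; charset="utf-8"

<html><body><p>Menu: <a href="https://example.com/menu">https://example.com/menu</a></p></body></html>
"""

# Assumed word list; a real filter would score phrases, not single words.
URGENCY_WORDS = ("urgent", "immediately", "expires", "locked", "suspended")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels; assumes two-label domains such as example.com."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_of(text: str) -> str:
    """Hostname of a URL-looking string, or '' if it is not an http(s) URL."""
    parts = urlsplit(text)
    return (parts.hostname or "") if parts.scheme in ("http", "https") else ""


def analyze(raw: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    reply_hdr = msg["Reply-To"]
    reply_to = reply_hdr.addresses[0].addr_spec if reply_hdr and reply_hdr.addresses else ""
    findings = []

    # Check 1: an address inside the display name that differs from the real one.
    name_addr = parseaddr(sender.display_name)[1] if "@" in sender.display_name else ""
    if name_addr and name_addr.rpartition("@")[2].lower() != sender.domain.lower():
        findings.append(f"display name shows {name_addr} but sender is {sender.addr_spec}")
    if reply_to and reply_to.rpartition("@")[2].lower() != sender.domain.lower():
        findings.append(f"replies go to {reply_to}, not to the sender domain")

    # Check 2: link text names one site, href goes to another (the hover check).
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(html)
    for text, href in collector.links:
        shown, real = host_of(text), host_of(href)
        if shown and registrable_domain(shown) != registrable_domain(real):
            findings.append(f"link text shows {shown} but goes to {real}")

    # Check 3: urgent language in the subject or body.
    haystack = (str(msg["Subject"]) + " " + html).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("urgent language: " + ", ".join(hits))
    return {"sender": sender.addr_spec, "reply_to": reply_to,
            "links": collector.links, "findings": findings}


if __name__ == "__main__":
    for finding in analyze(RAW_EMAIL)["findings"]:
        print("-", finding)
```

The second link ("Help center") produces no finding because its visible text is not a URL; the check only compares hosts when the text itself claims to be an address, which is exactly the case where a user would be misled.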
By partnering with a third-party expert in IT security, your organization can also take advantage of additional layers of security by implementing a virtual CISO, performing a penetration assessment, and reviewing your security controls, among other solutions.
For more than three decades, companies have turned to CTI for a broad array of information technology solutions ranging from systems design to security, support, and data management. We’ve helped some of the largest companies in this region build cutting-edge technology systems to manage their businesses, lower their costs, and help their team members be more productive.
Contact us today for more information on how to protect against phishing scams.