Phishing attacks are now by far the most frequent threat to the cyber landscape.
Since 2006, Microsoft has published its Security Intelligence Report. Its latest data, based on an internal scan of Office 365 email with over 470 billion messages analyzed, found that phishing attacks are becoming much more frequent. Not only are phishing attacks more frequent, they are also more sophisticated.
Microsoft’s data also indicates that phishing is becoming the preferred practice of cybercriminals looking to steal confidential information. One reason phishing attacks are increasing is that they are more accessible: phishing kits can be purchased from underground dealers, so for a relatively small price, low-level and aspiring cybercriminals can forward a prefab email with malicious links already embedded to their desired targets.
What’s a phishing attack?
Phishing attacks attempt to gain sensitive, confidential information such as usernames, passwords, credit card information, network credentials, and more. By posing as a legitimate individual or institution via phone or email, cyber attackers use social engineering to manipulate victims into performing specific actions—like clicking on a malicious link or attachment—or willfully divulging confidential information.
As we previously mentioned, phishing attacks have become more sophisticated, so there is now a variety of phishing attacks targeting businesses each day.
Below, we’ve listed seven.
Seven types of phishing attacks
Although each attack listed below is dangerous to your business, it’s worth noting that our list is not in any particular order of importance.
So, let’s begin.
1. CEO Fraud/Business Email Compromise (BEC)
CEO fraud is often referred to as business email compromise (BEC), which the FBI says costs businesses billions of dollars. It happens when cybercriminals impersonate executives and try to fool lower-level employees — usually in the accounting or HR department — into executing unauthorized wire transfers or sending out confidential tax information.
2. Domain Spoofing
The next type of phishing we want to mention is domain spoofing. This method of attack uses either email or fraudulent websites. And, it occurs when hackers spoof an organization’s or company’s domain to:
- make their emails look like they’re coming from the official domain, or
- make a fake website look like the real deal by adopting the real site’s design and using either a similar URL or Unicode characters that look like ASCII characters.
So, in the case of an email-based attack, cybercriminals forge an email header that makes it appear as though the message originates from the company’s legitimate email address. In a website domain spoof, the cybercriminal creates a fraudulent website with a domain that looks legitimate or is close to the original (apple.com vs apple.co).
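As an added example (not code from the original article), here is a defender-side check for the two spoofing patterns just described, lookalike and mixed-script sender domains, together with the executive-impersonation pattern behind BEC from section 1. The protected domain, the executive names and the sample message are constructed assumptions for this illustration.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr
# Constructed values for this example: the protected company domain and the
# executives whose display names a BEC message would borrow.
PROTECTED_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}
# Constructed sample (not a real capture): lookalike sender domain, executive
# display name, and replies silently redirected to an outside mailbox.
SAMPLE = """From: Jane Doe <jane.doe@example.co>
Reply-To: Jane Doe <jd.payments@webmail.invalid>
Subject: Urgent wire transfer

Please process the attached invoice today.
"""
def edit_distance(a, b):
    """Levenshtein distance: catches one-character lookalikes (apple.co vs apple.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
def scripts_in(domain):
    """Unicode scripts of the letters in a domain, read from their character names."""
    return {unicodedata.name(c, "UNKNOWN").split(" ")[0] for c in domain if c.isalpha()}
def domain_findings(domain):
    """Reasons a sender domain looks like a spoof of PROTECTED_DOMAIN."""
    findings = []
    if domain == PROTECTED_DOMAIN:
        return findings
    if len(scripts_in(domain)) > 1:
        findings.append("mixed scripts")  # e.g. Cyrillic letters among Latin ones
    # NFKC folds compatibility look-alikes (fullwidth letters) before comparing
    if edit_distance(unicodedata.normalize("NFKC", domain).lower(), PROTECTED_DOMAIN) <= 1:
        findings.append("lookalike of protected domain")
    return findings
def analyze_message(raw):
    """Domain checks plus two BEC indicators read from the message headers."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = domain_findings(domain)
    if name.strip().lower() in EXECUTIVE_NAMES and domain != PROTECTED_DOMAIN:
        findings.append("executive display name on external address")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != domain:
        findings.append("Reply-To domain differs from From domain")
    return findings
```

Running `analyze_message(SAMPLE)` returns all three findings for the constructed message; in a mail gateway these would feed a quarantine or warning-banner rule rather than a hard block.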
3. Spear Phishing
Spear phishing is a highly targeted form of phishing — the victims of this type of attack are well-researched. Instead of using spam-like tactics that blast thousands of emails, in a spear-phishing attack cybercriminals tailor and personalize the emails to their intended victim. They may use subject lines on topics of interest to the recipients to trick them into opening the message and clicking on links or attachments.
4. Vishing
Unfortunately, phishing emails are not the only way people can try to fool you into providing personal or financial information. Fraudsters also use the phone to solicit your personal information. This telephone version of phishing is sometimes called vishing. Vishing relies on “social engineering” techniques to trick you into providing information.
In vishing attacks, cybercriminals are also known to pretend to be someone else — the IRS, your bank, or an executive at your company who claims to work at another branch. They’ll claim that you owe taxes, or that your credit card has suspicious activity and needs to be shut down right away… they’ll first just need to “verify” your personal information before they can close the card and reissue a new one.
5. Smishing
Just like phishing, smishing uses cell phone text messages to lure consumers in. Often the text will contain a URL or phone number. The phone number often leads to an automated voice response system. And again, just like phishing, the smishing message usually asks for your immediate attention.
In many cases, the smishing message will come from a “5000” number instead of displaying an actual phone number. This usually indicates the text message was sent via email to the cell phone, and not sent from another cell phone.
Do not respond to smishing messages.
6. Whaling
Whaling is a form of spear phishing targeted at high-profile business executives, managers, and similar roles. The goal is to trick the executive into revealing sensitive information and corporate data. These targets are carefully selected because of their access and authority within an organization. These attacks often use email and website spoofing, and are tailored and personalized to include the victim’s name, job title, and other basic details in order to appear legitimate.
7. Evil Twin
Unlike the other methods we’ve mentioned, evil twin is a form of phishing that capitalizes on Wi-Fi. TechTarget.com describes an evil twin as “a rogue wireless access point that masquerades as a legitimate Wi-Fi access point so the attacker can gather personal or corporate information without the end-user’s knowledge.” This type of attack has also been referred to as the Starbucks scam because it often takes place in coffee shops.
Evil twin phishing involves a cybercriminal creating a Wi-Fi hotspot that looks like the real one — they’ll even use the same service set identifier (SSID) as the real network. When end-users connect, the attacker can eavesdrop on their network traffic, steal their account names and passwords, and view any attachments the user accesses while connected to the rogue hotspot.
How to avoid falling for many types of phishing attacks
We’ve written a few articles on how businesses can improve cybersecurity, but some things are worth repeating:
Train your employees
This should go without saying, but again, some things need to be repeated. You can have the best security software in the world, and your business can still get phished. Why? Because, as you’ve seen, phishing attacks exploit human nature rather than technical vulnerabilities. So make sure cyber awareness is ingrained in your work culture — train your employees. All of them.
Use two-factor authentication
Two-factor or multi-factor authentication is the process of identifying users by validating two or more “factors,” characteristics that are unique to that user. Common implementations of multi-factor authentication combine the “something you know” factor (e.g., a password) with “something you have” (e.g., a one-time passcode sent to your smartphone or generated by a token).
Develop an incident response plan
An incident response plan is an organized approach to addressing and managing a security breach or a cyber attack. The aim is to limit potential damage and ensure a swift resumption of normal operations.
Having a strong incident response plan in place ensures that when stakes get high, and pressures intensify, every member within the organization knows their role and responsibility.
For more information, check out our post about the key elements of a strong incident response plan.