Phishing attacks are some of the simplest types of cyberattacks, yet also among the most dangerous and successful. Threat actors attempt to obtain sensitive information or data (e.g., login credentials, credit card information, bank information) by disguising themselves as trustworthy in online communications, such as an email. Phishing attacks are similar to fishermen luring fish with bait. In both instances, fishermen and hackers create enticements that look like something the victims recognize or want.
Unlike other cyberattacks where hackers seek out vulnerabilities in an operating system, phishing attacks rely on social engineering and the exploitation of human error. No matter what device one is using, no operating system is entirely safe from phishing attacks. Furthermore, from a hacker's point of view, why waste time working through security layers when you can lure someone into handing you the key?
3 COMMON TYPES OF PHISHING ATTACKS & EXAMPLES
Despite the variety of phishing attacks, the common denominator is utilizing fraudulent pretense to acquire valuable information. Three common types of phishing attacks include:
- Business email compromise (BEC) attacks have become increasingly common over the past several years. Last year alone, the FBI estimated financial losses of $1.77B across the country due to phishing attacks. These schemes involve identifying the names and email addresses of the intended victims, along with an appropriate name and email address to impersonate (e.g., the CFO, President, or a department manager). Threat actors then email the employees from fake email accounts, asking them to complete a wire transfer or other task under a made-up business pretext. The email may instead direct them to an imitation website that looks incredibly similar to the legitimate one. If the victims comply, they log in with their user credentials (at this point, they're pretty far down the phishing well). Those credentials go directly to the threat actor, who uses them to steal identities, drain bank accounts, and sell personal information on the black market. BEC attacks most often target the finance and accounting departments of large corporations.
- Smishing (SMS phishing) attacks are text messages that ask users for personal or financial information, such as an account or ATM number. These messages often include a link, a fraudulent email address, or a phone number for follow-up. These attacks rely on our human addiction to texting and communicating with others. The best way to avoid smishing attacks is to not engage with any unsolicited text messages.
- Vishing (voice phishing) attacks occur when attackers call potential victims and ask for personal or financial information. The threat actors may impersonate someone else, such as the IRS, the victim's bank, or an executive at their company. They create a sense of urgency by claiming that the victim owes back taxes, that there is a warrant for their arrest, or that a credit card shows suspicious activity and verification is required.
REAL-WORLD PHISHING ATTACK
In August 2019, a Toyota auto parts supplier, Toyota Boshoku Corporation, fell victim to a BEC attack. The threat actors convinced an employee with financial authority to update the account information on an electronic funds transfer. Total economic losses amounted to nearly $37M (¥4 billion).
Similarly, one of our Mission Essential CTS clients experienced a near-identical phishing attack worth over $250,000. Unfortunately, they didn't have security measures in place before the attack. Again, BEC attacks are becoming more common. We must be hyper-aware of the warning signs to spot a BEC attack and avoid falling victim.
HOW TO PROTECT AGAINST PHISHING ATTACKS
Ultimately, phishing attacks exploit human error on any device. It's critical to be aware of the warning signs of phishing scams and how you can protect yourself and your business. Here are a few of the most important best practices when it comes to phishing:
- Avoid opening emails from unknown senders, period.
- Don't click on links inside emails unless you know where they lead (hover over the link to see the actual destination and check that it is a legitimate website).
- Check for a website's digital certificate, as certificates are used to establish the legitimacy of websites.
Talk to us about phishing training so your employees know how to spot fake communications and avoid sharing sensitive information with cybercriminals. Our Mission Essential CTS Managed Security Services also provide you and your business with robust protection against phishing. We can detect fraudulent sites and prevent you from opening them before they wreak havoc.
Stay attentive, take precautions, and be on the lookout for anything phishy.
Follow along in this series, where we’ll dive deeper into unpatched software and hardware and how to protect your organization’s data.