Don’t be Phish Food
The best way to protect yourself from phishing attacks is to remain educated and vigilant. In order to do that though, we must first figure out what, exactly, phishing is before exploring some of the more common varieties of phishing attacks to be on the lookout for. So…
What is Phishing?
First, let’s be entirely clear: Phishing is a type of cyber-attack that is more than capable of standing on its own, but it is often the first step in more grandiose schemes. Generally speaking, phishing is the sending of fraudulent communications to an individual under the guise of a legitimate source with the intent of doing some form of harm. The harm is usually the acquisition of personal information (usernames, passwords, credit card information, social security numbers, bank accounts, etc.), or the installation of malware or other flavors of nefarious software. Typically, we wouldn’t just hand that information over to anyone, or allow malicious software to be installed on our system(s), so phishing attempts are usually heavily camouflaged (for lack of a better term) in order to appear as though they originate from legitimate sources. Fake password reset requests from Google or Apple, account verification requests from your bank, and spoofed emails from your boss or co-workers (or friends/family) are all examples of how a phishing attack may attempt to trick you into lowering your guard.
Phishing aka Deceptive Phishing
This is the most traditional and common form of phishing, and is likely what most of us are already aware of. This flavor of phishing is one in which the attacker sends a generic email requesting information to a large number of users. Deceptive phishing attacks usually appear to come from a trusted source (Google, Apple, etc.), will likely request that some form of account action be taken (verification, password reset, etc.), and will include a link to a website that is legitimate in appearance only. Phishing emails can often be identified by checking the sender’s email address (it will either not match the company or appear ‘off’ in some way), by hovering over any included links to see their real destination, and by remembering that almost any company that keeps track of your personal information will never initiate contact with you to update and/or verify it.
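The two checks described above (sender address versus the brand it claims, and a link’s visible URL versus where it really goes) can be automated. The script below is an added example, not part of the original article or any Meeting Tree Computer tool; the sample message, the brand-to-domain table and the look-alike domain in it are all constructed for illustration.

```python
# Added example (not from the article): automates two of the checks described
# above for a deceptive phishing email, using only the Python standard library.
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a fake "Google" reset notice sent from a look-alike domain.
SAMPLE_EMAIL = """\
From: "Google Accounts" <security@google-accounts-verify.example>
Subject: Action required: verify your account
Content-Type: text/html

<a href="http://login.google-accounts-verify.example/reset">https://accounts.google.com/reset</a>
<a href="https://support.google.com/">Help</a>
"""
BRAND_DOMAINS = {"google": "google.com", "apple": "apple.com"}  # assumed brand table
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)


def registrable(host):
    # Crude approximation of the registrable domain: the last two labels.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def sender_mismatch(msg):
    """Flag a display name that claims a brand while the address domain differs."""
    name, addr = parseaddr(msg["From"])
    domain = registrable(addr.rpartition("@")[2])
    for brand, expected in BRAND_DOMAINS.items():
        if brand in name.lower() and domain != expected:
            return f"From claims {brand!r} but address domain is {domain}"
    return None

def link_mismatches(msg):
    """Return (visible text, real host) for links whose shown URL lies about the host."""
    html = msg.get_body(preferencelist=("html",)).get_content()
    bad = []
    for href, text in ANCHOR_RE.findall(html):  # a regex is enough for this sample
        text = text.strip()
        if "." not in text or " " in text:  # plain words like "Help" are not URLs
            continue
        shown = urlparse(text if "://" in text else "//" + text).hostname
        real = urlparse(href).hostname
        if shown and real and registrable(shown) != registrable(real):
            bad.append((text, real))
    return bad

def analyze(raw):
    # Run both checks on a raw message; this is what hovering over links reveals by hand.
    msg = message_from_string(raw, policy=policy.default)
    return {"sender": sender_mismatch(msg), "links": link_mismatches(msg)}
```

Running `analyze(SAMPLE_EMAIL)` reports both the look-alike sender domain and the link whose visible text says accounts.google.com but actually leads elsewhere; the same message with the genuine domain substituted produces no findings.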
Spear Phishing
Where deceptive phishing casts a wide net to see what gets caught, spear phishing is a targeted attack on an individual. Emails and other communications will often be much more customized in order to make the target more trusting. Details from social media, or from existing company or personal web pages, may be included to add authenticity to the attack. Spear phishing is usually the first step in more elaborate schemes and can be used to ferret out specific user information that can later be used to access company-specific resources.
Whaling
When the target of a spear phishing attack is a C-level executive, or another key member of an organization (aka a “big fish”), we find ourselves in the realm of what is referred to as “whaling.” A slightly less-than-flattering term, but in the management hierarchy these are the “big fish,” so to speak – the ones that hold the keys to the kingdom in many cases. Even more so than in a regular spear phishing attack, a lot of time and effort will usually be spent profiling and establishing communication with the target(s) in order to best determine how to gain access to critical information. Whaling affects every industry, but the technology, banking, and healthcare industries are targeted the most due to the amount and type of data those fields handle.
Pharming
As individuals become more educated in regards to traditional phishing attempts, Internet ne’er-do-wells have had to up their game to accommodate – hence the rise in what is known as pharming. In traditional phishing, the goal is to get the target to click a malicious link to a bogus website and then enter personal information. This method, as we have seen, has a lot of easily detectable red flags associated with it. But what if the bad guys could get you to give up your information without any obviously bad links or sites involved? That’s what pharming aims to accomplish. Pharming is a type of DNS cache poisoning attack in which a DNS server is targeted/compromised and its name-to-IP-address associations are modified. This means the attackers can make “google.com” resolve to any IP address they want, so any user whose lookups pass through the poisoned server is sent to the attackers’ harvesting website (which looks and acts like the expected destination) even though the end user thinks they are simply going to Google. Because the address bar shows the expected name, hovering over links will not reveal pharming; an unexpected certificate warning or a missing HTTPS padlock is often the only visible clue.
Vishing
A form of phishing that calls back to older, standard forms of social engineering and is conducted via phone calls to the target. As with traditional phishing emails, the attackers on these calls will often pose as members of legitimate organizations in an attempt to get you to surrender vital information. Microsoft tech support cold calls, IRS frauds, and many of the health care related robo-dialings that are currently everywhere are all examples of what is now being labeled as vishing.
Smishing (SMS Phishing)
A form of phishing that is conducted via SMS text messaging. As with all other phishing attempts, the attacker will try to pass as a legitimate organization – which isn’t overly hard via text message if you think about it. The most common scams will involve a prompt to verify some form of personal information with a link to a separate website. Again, any organization that has access to that information in the first place is never going to reach out to you in an attempt to verify it.
This is where Meeting Tree Computer comes in. Our expertise in email management and cyber security can help you find the right tool for your business's specific security needs. We'll implement systematic control of the quality and quantity of specified electronic messages that are sent from within, and received by, your organization. You'll feel more relaxed when your email security is effectively managed and monitored.
Give us a call today for a free assessment: (845) 237-2117.