If there is one kind of online scam that people need to be more cognizant about, it would be phishing—where a scammer tries to hack the user instead of the computer, tricking them into sharing sensitive information. Phishing can come in enough forms that it has splintered into a few different varieties to watch out for. Let’s go over what a basic phishing attack looks like, some of the different types you may encounter, and how to deal with such an attack appropriately.
Phishing is the approach that a scammer will use to get a target to hand over the information that the scammer needs, as opposed to the scammer using technical methods to extract it. In essence, the scammer will put on the guise of something or someone they are not to motivate their intended victim to facilitate their own downfall.
Through some means of communication—traditionally, but not exclusively, email—the scammer will begin their pitch. Whether they use an innocuous-seeming request, a looming threat that needs immediate attention, or even a bait-and-switch malicious attachment or link, the cybercriminal has no shortage of means to take advantage of you and your team members.
Let’s go over how different varieties of phishing work, followed by a few best practices that will help you avoid falling into any traps.
In this form of attack, the attacker pretends to be a trusted contact. This works especially well against the members of a company or an organization, or any group of people with a representative or authority figure at the top. By posing as that trusted contact and expressing urgency in some way, the attacker makes the request that much harder to refuse. These attacks can net a cybercriminal a significant sum, simply because the target isn’t anticipating an attack to come from an otherwise known source.
There are a lot of emails that are consistently predictable—the kind that are generated automatically in response to certain notifications, for instance. However, some phishing attacks will replicate these emails and instead direct the included links to malicious sites. These emails are often crafted to almost perfectly replicate a legitimate version, so they can be hard to catch.
SMiShing is simply a phishing attack that is sent via text message, as compared to an emailed message. Due to the notoriety that emailed phishing messages have gained in recent years, most people simply aren’t expecting the same threat to come to them in this much different format. It certainly doesn’t help that texts are read far more often than emails are, and that a mobile device often won’t feature a comparable level of security as the typical workstation or email client.
While many phishing attacks are designed to be somewhat vague so that they can be sent to the largest number of people simultaneously, spear phishing attacks are researched and crafted to be sent to a very specific target. This investment means that they are frequently leveraged against higher value targets and can often be exceptionally convincing.
Vishing, like SMiShing, is a form of phishing that can catch a target unawares, simply because it comes from a lesser-thought-about source. In this case, a voice call is used to convince the recipient to disclose some personally identifiable information.
Whaling is the practice of specifically targeting the top dog in an organization with a phishing attack. The term also covers a specific type of business compromise where “the boss” suddenly demands something of an employee, often that funds be transferred somewhere or that a set of access credentials be shared. This second variety has been particularly common as of late, with entire organizations receiving fraudulent links or requests from what appears to be their leadership.
While it may seem that these kinds of attacks would be rare, their efficacy usually makes the research into conducting them well worth it for a cybercriminal.
Phishing is no joke, as it can easily bypass your cybersecurity protections and leave your team members as your only defense. This is a serious issue if they haven’t been prepared to deal with an incoming phishing attempt.
Let’s more closely examine the trajectory of a whaling attack as an example.
Put yourself in the shoes of one of your team members: how would you react if the boss (or one of the bosses) suddenly emailed you out of the blue asking for the credentials to a company account, stat? How likely is it that you would start questioning the request? Anyone who has worked in the lower levels of a business knows that you don’t argue with the boss, save for some very specific circumstances, so an employee is far more likely to acquiesce to the request without thinking.
However, once your team has been made aware of the threat, they can be made much more resistant to these efforts… particularly if you also educate them on what to look for, and how to appropriately deal with suspected phishing attempts.
Make sure your team knows to look critically at every email that comes in, watching for irregularities in:
If they have any reason to suspect an email’s legitimacy, make sure they also know to reach out to the supposed sender by a different means to confirm that they were the one who sent the message. If the sender confirms that the message did not come from them, making it a phishing attempt, your team members also need to know to alert whatever IT resource you have available to find out what needs to be done to safely resolve the potential issue.
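As a worked illustration of the “look critically at every email” step (and of the replicated notification emails with redirected links described earlier), here is an added Python example that is not BNMC’s code. It runs a handful of header and body heuristics over a message: a display name that matches a known executive but an address that does not, a lookalike sender domain, a Reply-To that points somewhere other than the sender, link text naming one host while the target is another, and urgent language paired with a request for credentials or funds. The organisation domain, the executive directory and both sample messages are constructed assumptions made for the demonstration; the `.test` domains are reserved names, not real hosts.

```python
"""Heuristic checks for the kinds of email irregularities the article asks
readers to watch for. Added example, not BNMC's tooling: ORG_DOMAIN,
KNOWN_SENDERS and the sample messages below are constructed placeholders."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed organisation domain and a directory of known executives (placeholders).
ORG_DOMAIN = "example.com"
KNOWN_SENDERS = {"Pat Lee": "pat.lee@example.com"}

URGENCY = re.compile(r"\b(urgent|immediately|right away|asap)\b")
CREDENTIALS = re.compile(r"\b(password|credentials|login|wire transfer)\b")


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(raw):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)

    # 1. Display name belongs to a known executive, but the address does not match.
    expected = KNOWN_SENDERS.get(name)
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' but address {addr} (expected {expected})")

    # 2. Lookalike domain: contains the org's name but is not the org's domain.
    if sender_domain != ORG_DOMAIN and ORG_DOMAIN.split(".")[0] in sender_domain:
        findings.append(f"lookalike sender domain {sender_domain}")

    # 3. Reply-To diverts replies to a different domain than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To {reply_to} differs from From domain {sender_domain}")

    # 4. Link text shows one host while the href actually goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, label in re.findall(r'href="([^"]+)"[^>]*>([^<]*)<', text, re.I):
        href_host = re.sub(r"^https?://([^/]+).*", r"\1", href).lower()
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", label.lower())
        if shown and shown.group(0) not in href_host:
            findings.append(f"link text '{label}' but target host {href_host}")

    # 5. Urgency combined with a request for credentials or funds.
    low = (msg.get("Subject", "") + "\n" + text).lower()
    if URGENCY.search(low) and CREDENTIALS.search(low):
        findings.append("urgent request for credentials or funds")

    return findings


# Constructed sample: a whaling-style message impersonating the executive above.
SAMPLE = """From: Pat Lee <pat.lee@example-com.evil.test>
Reply-To: accounts@mailbox.evil.test
To: staff@example.com
Subject: URGENT - need the portal credentials
Content-Type: text/html

<p>I am in a meeting and need the login for the vendor portal immediately.
Use <a href="http://example-com.evil.test/login">portal.example.com</a> and send me the password.</p>
"""

# Constructed sample: an ordinary internal message that should raise nothing.
CLEAN = """From: Pat Lee <pat.lee@example.com>
To: staff@example.com
Subject: Lunch
Content-Type: text/plain

Lunch is at noon in the break room.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE), ("clean", CLEAN)):
        print(label, "->", analyze_message(raw) or "no findings")
```

Each heuristic on its own produces false positives (a legitimate vendor can set a different Reply-To, and a real manager can write “urgent”), so the findings are meant to prompt the out-of-band confirmation the article recommends rather than to block mail automatically.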
At BNMC, we’re well aware of what a successful phishing attack can do to an unprepared business, which is why we do all we can to make sure everyone who works with us is as prepared as can be. To find out what we can do for you, give us a call at 978-482-2020.