Social Engineering #2: Recognizing and Defending against common Phishing attacks
Written by Habeeb Kareem
Are we ever truly safe from the cunning clutches of phishing attacks in today’s digital world? Or can we spot the subtle signs of an impending online ambush?
These are questions that continue to haunt the minds of both seasoned internet users and newcomers alike.
Welcome to the second instalment of our series, where we will build upon the insights shared in our previous article on social engineering. We will delve into one of the most pervasive social engineering attacks that accounted for nearly one third of all data breaches in 2022: Phishing.
Here’s what we’ll be looking at:
- What is a Phishing Attack?
- 5 Most Common Types of Phishing Attacks
- 5 Best Practices to Detect and Prevent Phishing Attacks
- 5 Shocking Phishing Attack Statistic
What is a Phishing Attack?
The term “Phishing” is a play on the word “fishing”, as it involves attackers (cybercriminals) baiting victims (individuals or organizations) into disclosing their sensitive information (login credentials, credit card information, or other sensitive information).
Phishing attacks typically involve the attacker posing as a trusted entity or source, often through email, instant messaging, phone calls, or other communication channels.
These attacks are highly versatile, and the specific goals vary depending on the attacker’s intentions. However, most of the time, the purpose of a phishing attack is to steal data, money, or both.
5 Most Common Types of Phishing Attacks
As mentioned earlier, phishing attacks are primarily executed through emails designed to deceive individuals or organizations into revealing sensitive information or downloading malicious content.
Social engineers employ various phishing techniques, but we will focus on the five most common ones to help us identify these deceptive schemes and safeguard our digital lives in an interconnected world.
They are spearphishing, whaling, smishing, vishing, pharming.
Spearphishing
It is a highly targeted form of phishing attack that focuses on a specific individual, organization, or group of people.
In a spear phishing attack, the attacker conducts in-depth research to gather information about the target, such as their personal or professional relationships, job responsibilities, interests, and other relevant details.
Spear phishing emails are more likely to succeed compared to other phishing techniques because they are highly personalized, and often mimic legitimate communication.
Here are some examples of potential targets of a spear phishing attack:
- Corporate Executives: They are often targeted because of their access to sensitive company data, financial information, and the authority to approve financial transactions.
- IT Administrators: Due to their access to critical systems and data, they are often targeted with spear phishing attacks.
- Finance and Accounting staff: They are targeted for potential financial fraud or unauthorized money transfers.
- Healthcare professionals: Especially those handling patient records are targeted to gain access to Protected Health Information (PHI) for identity theft or fraud. Trend Micro’s Healthcare Cyber Security solutions can help detect and prevent spear phishing attacks targeted at healthcare organizations and employees.
Whaling
It is a subset of spear phishing attacks. The difference between whaling and spear phishing attacks is that whaling is targeted at high-profile or senior level individuals in an organization.
For example, CEOs and top executives. Furthermore, the term “whaling” is used since it targets the so-called “big fish” within a company.
Smishing
It is a blend of the words SMS and phishing. Smishing is carried out via SMS or text messages to deceive individuals into divulging personal information, clicking on malicious links, or downloading malware onto their mobile devices.
Vishing
It is short for voice phishing, a technique employed by social engineers using voice communication technology such as phone calls or voicemail messages, to deceive individuals into revealing sensitive information.
Pharming
It involves redirecting users to a fake version of an official website to harvest their credentials. An example of such is DNS poisoning. Pharming attacks can be particularly dangerous because they are often challenging for users to detect.
5 Best Practices to Detect and Prevent Phishing Attacks
Security Awareness and Training
It is one of the most important best practices as it helps us recognize phishing attempts in real-time, develop better email and communication skills to discern between legitimate and phishing messages, and instill a sense of vigilance and skepticism.
Trend Micro offers freemium PHISHinsight awareness training that empowers people to recognize and protect against the latest threats.
Utilize Email Filtering
Using advanced email filtering solutions that can detect suspicious email patterns and content associated with spear phishing is imperative. Some of the popular email apps we use (such as Gmail, Outlook, and Yahoo) come equipped with this feature to help us manage our email inboxes effectively, reduce spam, and flag potential phishing attempts.
Use Secure Browsing
It is encouraged to access websites using secure, encrypted connections (HTTPS) as this can help alleviate pharming attacks. Web browsers will often display a padlock icon for secure sites. However, do note it doesn’t mean the connected website is legitimate.
Use Caller ID and Call Blocking
Enable and use caller ID to screen incoming calls and verify the caller’s identity. This can help detect and prevent vishing attacks. Many of our smartphones offer caller ID and call blocking features. Apps such as TrueCaller, Phone by Google, and tellows – Caller ID & Block offer these features, mostly for free, on Android and iPhone.
Enable Multi-Factor Authentication (MFA)
Most common phishing attacks are not capable of bypassing MFA. For instance, if an attacker manages to steal your login credentials through a phishing email, they would still be unable to access your account without the secondary factor such as a code or fingerprint.
5 Shocking Phishing Attack Statistics
- According to Trend Micro’s email threat report, 92% of organizations fell victim to phishing attacks in 2022. Additionally, their data revealed a 4% increase in phishing attacks targeting credential theft in the same year.
- Google reports that Gmail blocks approximately 100 million phishing attacks every day.
- FBI’s internet crime report for 2021 revealed that phishing, vishing, smishing, and pharming were among the top five reported crime types from 2017 to 2021.
- According to Cofense Intelligence, 2022 witnessed a 569% surge in malicious phishing emails and a 478% increase in published threat reports related to credential phishing.
- More than 80% of survey respondents in Proofpoint’s study (2022) reported that their organization had experienced at least one successful phishing attack. Moreover, 40% of survey participants admitted to taking dangerous actions such as clicking a malicious link, downloading malware, or exposing login credentials.
Conclusion
Phishing remains one of the most pervasive and evolving threats in today’s digital age, posing significant risks to individuals, organizations, and society at large. While anyone can be a victim of a phishing attack, the key takeaway from this article is the importance of vigilance, education, and proactive cybersecurity measures to protect ourselves and our digital assets.
Thank you all for following through this journey and Happy National Cyber Security Awareness Month 🫶.
Resources
Cover Image Credit: Malwarebytes