We’ve discussed phishing before, how to spot a phishing email, and even how to prevent phishing on an organizational level. But what else should we be aware of beyond just a basic phishing attack? Today’s hackers are using more than just mass emails hoping to snag one of us on a busy day. They’re using targeted attacks across a variety of platforms. And many of these are variations of phishing emails, each with its own methods of imitation and dishonesty.
Phishing scams cast a wide net in hopes of catching a few unsuspecting victims, but spear phishing has specific targets in mind. With spear phishing, scammers use social engineering and spoofed emails to target particular individuals in an organization. By impersonating family members, colleagues, or business acquaintances, they make themselves look legitimate to the recipient and talk them into carrying out specific requests, such as revealing sensitive data or wiring money to an account the attacker controls.
These attackers learn basic information about you or your contacts, such as name, place of employment, and job title, and build the message around it. Check out the example above. Here, the hacker has researched details about Andrew and his coworkers, even learning about their company's speaking engagements, to convince Andrew that "Laura" and her request are genuine.
Thankfully, the defenses that work against regular phishing emails also work against spear phishing, despite its sophistication. General awareness of what to look for is the first layer. On the technical side, publishing SPF, DKIM, and DMARC records for your domain lets receiving mail servers check that a message claiming to come from your domain really did, and a DMARC policy of reject tells them to discard mail that fails that check. These records do nothing against a look-alike domain or a legitimate mailbox that has been taken over, so any request to move money or change payment details should be confirmed over a second channel, such as a phone call to a number you already have. MFA (multi-factor authentication) limits what an attacker can do with a password harvested by a phishing page, and encrypting sensitive data limits what a successful intruder can read.
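To make those records concrete, here is an added Python example (not code from the original article) that parses a domain's SPF and DMARC TXT records and lists the weaknesses an attacker spoofing the domain would exploit. The record strings and the domain names in them are constructed for illustration, and no DNS lookups are made; in real use you would paste in the TXT records pulled from DNS (for example with `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`).

```python
"""Assess a domain's SPF and DMARC TXT records (added example, not the article's code).

Parses the two records, then lists configurations that let a spoofed message
claiming to be from the domain reach an inbox. The record strings and domain
names below are constructed for illustration; no DNS queries are made.
"""
import re

ALL_RE = re.compile(r"^([+\-~?])?all$")


def parse_spf(txt):
    """Return (is_spf, mechanisms, all_qualifier) for one SPF TXT record.

    all_qualifier is '+', '-', '~' or '?' (the qualifier on the 'all' term),
    or None when the record has no 'all' term at all.
    """
    if not txt.startswith("v=spf1"):
        return False, [], None
    mechanisms, all_qualifier = [], None
    for term in txt.split()[1:]:
        m = ALL_RE.match(term)
        if m:
            all_qualifier = m.group(1) or "+"   # a bare 'all' means '+all'
        else:
            mechanisms.append(term)
    return True, mechanisms, all_qualifier


def parse_dmarc(txt):
    """Return the DMARC tag/value pairs as a dict, or None if not a DMARC record."""
    if not txt.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def assess(spf_txt, dmarc_txt):
    """Return a list of weakness descriptions; an empty list means none were found."""
    findings = []
    is_spf, mechanisms, qualifier = parse_spf(spf_txt)
    if not is_spf:
        findings.append("SPF: no v=spf1 record, so receivers cannot check the sending host")
    else:
        if qualifier is None:
            findings.append("SPF: no 'all' term, so unlisted hosts are neither passed nor failed")
        elif qualifier == "+":
            findings.append("SPF: '+all' authorizes every host on the internet to send as you")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral, so unlisted hosts are not failed")
        elif qualifier == "~":
            findings.append("SPF: '~all' is softfail; without DMARC p=reject receivers usually still deliver")
        if any(m.startswith("ptr") for m in mechanisms):
            findings.append("SPF: 'ptr' mechanism is deprecated and unreliable")
    tags = parse_dmarc(dmarc_txt)
    if tags is None:
        findings.append("DMARC: no v=DMARC1 record, so SPF/DKIM failures trigger no policy")
    else:
        policy = tags.get("p")
        if policy is None:
            findings.append("DMARC: missing the mandatory 'p' tag")
        elif policy == "none":
            findings.append("DMARC: p=none only monitors; failing mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine sends failures to spam; p=reject would block them")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so you receive no aggregate reports")
        pct = tags.get("pct", "100")
        if pct != "100":
            findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    return findings


# Constructed records for a hypothetical domain: a half-finished deployment
# and the corrected one.
WEAK_SPF = "v=spf1 include:_spf.mailer.example ~all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 ip4:203.0.113.10 include:_spf.mailer.example -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        findings = assess(spf, dmarc)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

SPF `~all` together with DMARC `p=none` is the most common half-finished deployment: receivers see that the message fails, but the domain owner has told them not to act on it, so a spoofed message from your own domain still lands in the inbox. DKIM is not checked here because its public key lives under a selector name that only the sending system knows, and verifying a DKIM signature needs the signed message itself rather than just a DNS record.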
Whaling, in our experience the most sophisticated form of phishing, is spear phishing aimed at senior executives and their assistants. These are the people with the authority to release confidential information or approve large payments, so a successful whaling attack can lead directly to a data breach or a large fraudulent transfer.
Smishing and Vishing
Ok, we swear we're not making these up. As silly as the words smishing and vishing sound, the threats they pose are anything but. Smishing (a combination of SMS and phishing) involves text messages. You probably get a few of these a week on your phone, and while most are easy to recognize as spam, a few are pretty convincing. One of the most common, shown in the example above, urges you to follow a link to schedule a package delivery. With most of us ordering online with increasing frequency, this method is easy to fall for, as we often expect a package sometime each week. Other messages to keep an eye out for claim that an account has been disabled or that there is fraud on your credit/debit card. If you're not sure whether a message is real, go to the carrier's or bank's website or app directly (type the address or use a bookmark) and check there. Don't follow a link sent to you by text unless you're expecting it.
Vishing (voice phishing) is the same trick over the phone. You probably recognize it in the form of the many calls you get during tax season from someone claiming to be the IRS. They might claim they need to do an audit or have a way to get you a larger refund, and all they need is your Social Security number. The real IRS generally makes first contact by mail, not by an unsolicited phone call. While these scams have been around for longer than the internet, they still threaten an unsuspecting person. As with smishing, hang up and call the organization back on a number from its website or the back of your card, not a number the caller gives you: caller ID can be spoofed, so the number on your screen proves nothing.
The rise of social media gave hackers plenty of new ways to steal your data. Breaches of the social networks themselves are one source (the Facebook incident that exposed data on roughly 530 million users is the notorious example), but much of the information hackers use is the info we put out there ourselves. Angler phishing uses social media sites to gather that information and to entice us to follow fake URLs, visit cloned websites, and click on impersonated tweets or social posts; a typical angler account poses as a company's customer-service team and replies to people who have complained publicly about that company. Using data that people willingly post on social media, attackers can create targeted lures that are near impossible to spot.
In the example above, look at how easily a hacker can impersonate Domino's Twitter account and quickly collect a user's name, phone number, email, or street address. There is no foolproof way to guarantee you won't fall victim to one of these attacks, but being cautious about what information you volunteer on public sites, and checking that an account is the verified one before you hand over details, goes a long way toward keeping you out of these scams.
While pharming is a form of phishing, it relies less on user error and more on tampering with the way a device looks up website addresses. With pharming, hackers redirect traffic meant for a specific website to a different site imitating the original, even though the user typed the correct address. The usual routes are a malicious entry in the device's hosts file, changed DNS settings on a home router, or a poisoned DNS resolver. These "spoofed" sites aim to capture a user's log-in credentials, Social Security numbers, account numbers, and more. They can also be used as a vector to push malware onto the user's device. Pharming often targets websites in the financial field, such as online payment platforms (usually a PayPal imitation), e-commerce sites, or online banks. Because the address bar looks right, the most reliable warning sign is a certificate error or a missing padlock: an impostor server that only controls your lookup usually cannot obtain a valid certificate for the real domain, so never click through a certificate warning on a banking or payment site.
Thankfully, there are concrete steps we can take to ensure we aren't a victim of pharming. First, make sure your devices use a trustworthy DNS resolver. A reputable ISP (Comcast, Google Fiber) or a DNS-layer filtering service such as Cisco Umbrella, which blocks known-malicious domains at lookup time, protects against malicious or poisoned resolvers, but it cannot help when the hosts file on the device or the DNS settings on your router have been changed, and on public WiFi the network can hand your device any resolver it likes. If you find yourself in that situation, check out our article "Staying Safe While on Public WiFi." Endpoint protection such as Sophos adds another layer by catching the malware that makes those local changes, and keeping your router's firmware updated with its default admin password changed closes the most common route to router DNS tampering. These are protections we offer at TSP as part of our support stack of software.
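One pharming check a practitioner can run for themselves is below, as an added Python example that is not part of the original article: it scans a hosts file for entries that pin a sensitive domain to an address other than loopback, which is exactly how hosts-file pharming sends a correctly typed address to an impostor server. The hosts-file text and the watch-list of domains are constructed for illustration; point it at the real file (/etc/hosts on Linux and macOS, C:\Windows\System32\drivers\etc\hosts on Windows) for a live check.

```python
"""Scan a hosts file for pharming entries (added example, not the article's code).

Hosts-file pharming maps a real domain name to the attacker's IP address so the
browser goes there even though the user typed the right address. This scanner
flags watch-listed domains that are mapped to anything other than a loopback or
unspecified address. The hosts text and the watch-list are constructed for
illustration.
"""
import ipaddress

# Constructed watch-list: hostnames a user should never find pinned locally.
# Extend it with your own bank, payroll and single-sign-on hostnames.
WATCHLIST = ("paypal.com", "example-bank.com", "login.microsoftonline.com")


def parse_hosts(text):
    """Yield (ip, hostname, line_number) for every mapping in hosts-file text."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()               # one IP, one or more names
        for name in names:
            yield ip, name.lower().rstrip("."), number


def is_local(ip):
    """True for loopback (127/8, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def on_watchlist(hostname):
    """True if hostname is a watch-listed domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHLIST)


def find_pharming(text):
    """Return the entries that redirect a watch-listed name to a remote address."""
    hits = []
    for ip, name, number in parse_hosts(text):
        if on_watchlist(name) and not is_local(ip):
            hits.append({"line": number, "ip": ip, "hostname": name})
    return hits


# Constructed sample: two redirect entries and one harmless block entry.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       paypal.com                  # user-added block; not a redirect
198.51.100.23   www.paypal.com paypal.com   # redirect: pharming
198.51.100.23   online.example-bank.com     # redirect: pharming
10.0.0.5        intranet.corp.example       # internal host; not watch-listed
"""

if __name__ == "__main__":
    # For a live check read the real file instead, e.g. open("/etc/hosts").read()
    # on Linux/macOS or C:\Windows\System32\drivers\etc\hosts on Windows.
    for hit in find_pharming(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['hostname']} -> {hit['ip']}")
```

Entries that map a domain to 127.0.0.1 or 0.0.0.0 are deliberately excluded: that is the standard way to block a site, not to redirect it, so flagging them would bury the real finding in noise. The hosts file is only one of the three pharming routes described above; a changed router DNS setting or a poisoned resolver leaves the file untouched, so the complementary check is to resolve the same names through your configured resolver and through an independent one and compare the answers.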
Are you protected?
Are you worried about how well-protected you and your team are against phishing attacks? After all, your cybersecurity defenses are only as strong as their weakest link, and your people are your last line of defense against a breach. When you partner with TSP, you can rest easy knowing our stack of support software is protecting you and your data at all times. We even train your staff on how to identify and report cyber attacks, keeping them up to date with the latest scams and schemes used by hackers. This all leads to a well-protected organization, where you can focus on what matters most to you, leaving the technology to us. Contact us today to get started!