The Real Threat of Phishing Scams
What is phishing? What are the different types of phishing? How can you prevent an attack?
Author: Leonard Rivera
Social engineering is the use of deception to manipulate individuals into doing something they wouldn’t normally do.
According to the National Institute of Standards and Technology (NIST), phishing is:
“[A] technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.”
Statistics on phishing attacks
According to Wombat, there are “3.4 billion phishing attacks per day which are highly effective 76% of the time.”
The cost of social engineering attacks is “1.6 billion dollar impact per business on average, ransomware, impact to customers, legal fees, brand and reputation cost.”
What is the “goal” of phishing?
The goal of phishing is to “trick individuals into disclosing sensitive personal information through deceptive computer or electronic communications,” according to NIST.
These goals include:
- Obtaining user IDs and passwords to access email, personal data, documents, or money.
- Gaining trust in order to obtain higher levels of access, reach senior personnel, or pivot into larger partner companies.
- Delivering an attachment or link that installs malware.
- Harvesting credentials for a selected information system in order to alter its data, or to manipulate an IPO or the stock market.
Types of phishing
Spear phishing = targeted attacks
Spear phishing is a targeted attack that uses open-source intelligence, such as details harvested from social media profiles, to personalise the lure and make the deception more convincing.
Spoofed or lookalike sender addresses, which resemble a legitimate sender’s address but contain slight misspellings or a mismatched domain, are a red flag for spear phishing.
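As an added example (not code from the original article or from EnableIP), the following Python script applies the sender-address checks described above to a raw email: it parses the From, Reply-To and Return-Path headers, folds the common look-alike character swaps (rn for m, 1 for l, 0 for o), and compares the sender’s domain against an assumed allowlist of trusted domains by edit distance. The trusted-domain list and the two sample messages are constructed for illustration; the registrable-domain helper simply takes the last two labels, a simplification of the Public Suffix List lookup real mail filters use.

```python
"""Sender-header checks for a suspected spear-phishing email.

Added example, not code from the original article. The trusted-domain
list and the sample messages below are constructed for illustration.
"""
import email
import re
import unicodedata
from email.utils import parseaddr

# Assumed allowlist of domains this organisation actually corresponds with.
TRUSTED_DOMAINS = {"enableip.com", "microsoft.com", "docusign.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (naive; production code should use the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def normalize(domain: str) -> str:
    """Fold common look-alike substitutions so 'enab1eip.com' compares equal to 'enableip.com'."""
    s = unicodedata.normalize("NFKC", domain).lower()
    s = s.replace("rn", "m").replace("vv", "w")
    return s.translate(str.maketrans("01|", "oll"))


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return registrable_domain(addr.rpartition("@")[2]) if "@" in addr else ""


def analyze_sender(raw_message: str) -> list[str]:
    """Return human-readable findings about the sender headers of one message."""
    msg = email.message_from_string(raw_message)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. Look-alike sender domain: not trusted, but within edit distance 2 of one after folding.
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if levenshtein(normalize(from_dom), trusted) <= 2:
                findings.append(f"From domain {from_dom} looks like trusted domain {trusted}")

    # 2. Display name contains an address whose domain differs from the real sender.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display)
    if embedded and domain_of(embedded.group()) != from_dom:
        findings.append(f"display name shows {embedded.group()} but mail is from {from_addr}")

    # 3./4. Replies or bounces would go to a different domain than the visible sender.
    for header in ("Reply-To", "Return-Path"):
        _, addr = parseaddr(msg.get(header, ""))
        if addr and domain_of(addr) != from_dom:
            findings.append(f"{header} {addr} does not match From domain {from_dom}")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_PHISH = "\n".join([
    'From: "ceo@enableip.com" <ceo@enab1eip.com>',
    "Reply-To: accounts@secure-payment-portal.net",
    "Return-Path: <bounce@secure-payment-portal.net>",
    "To: finance@enableip.com",
    "Subject: Urgent wire transfer",
    "",
    "Please process the attached invoice today.",
])
SAMPLE_LEGIT = "\n".join([
    'From: "IT Helpdesk" <helpdesk@enableip.com>',
    "Return-Path: <helpdesk@enableip.com>",
    "To: staff@enableip.com",
    "Subject: Patch window on Friday",
    "",
    "Laptops will reboot at 18:00.",
])

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze_sender(sample) or "no findings")
```

The edit-distance threshold of 2 is tuned for domains of this length; for very short domains it will produce false positives, so treat a hit as a reason to call the sender, not as proof. SPF, DKIM and DMARC results in the mail headers remain the authoritative check on whether the From domain is genuine; this script is the quick triage a help desk can run on a forwarded message.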
Whaling = targeting executives
Whaling is “a specific kind of phishing that targets high-ranking members of organizations,” according to NIST. This type of phishing uses many of the same techniques as spear phishing, but aims to obtain executive-level information or access that can be used against the business.
Fake DocuSign documents are often used to capture signatures or credentials. Information gleaned from lower-level staff mailboxes may be used to launch a targeted whaling attack. A common indicator is a request that breaks company process, procedure or protocol.
Once a target’s username and password are captured, attackers use automated tools to try the same credentials on other related websites and send fake login pages for benefits portals and other common services. Once access is gained, they change the password to lock out the legitimate user and/or exploit the account.
SMishing (Text/SMS phishing)
SMishing employs many of the same tactics as typical phishing, but uses a different delivery method (or “vector”): text/SMS. For example, you might receive a text message saying that your Apple ID or another account has been disabled, followed by a shortened “bit.ly”-style link (example: http://bit.ly.2ol59Uu). The shortened link hides the real destination, typically a fake login page that captures your credentials and gives attackers access to your accounts. Even the sender’s phone number can be spoofed to look like a local number.
Vishing (voice phishing)
Vishing is phishing conducted over the phone. An example is a call from someone claiming to be Microsoft technical support who says they have noticed a problem with your computer. “Can you log in to your device so we can fix it?” they might ask, directing you to a malicious website.
Customer support and call centers are frequent targets of vishing, so be sure to train your employees. IT help desks and other Tier 1 support staff are also susceptible.
How to guard against phishing attacks
- Don’t click on links in emails.
- Instead, go directly to the known, legitimate website and log in there.
- Don’t save passwords.
- Respond to a suspected email in a new message addressed to the sender’s known address rather than by replying (a spoofed Reply-To can redirect your answer), or call the sender if possible.
- If you receive a suspicious email asking for a deviation from company norms, call the contact directly to confirm the request.
- Implement good policies and procedures to avoid credential harvesting or other escalation threats.
- Never give personal information over the phone
- Establish and evaluate company process and procedures.
- Verify and clarify the caller’s intent and ask for a callback number.
- Train employees on current policies and procedures.
- Have mandatory continuous education and refresher information security awareness training.
- Enable multi-factor authentication (MFA) on every account that supports it, so a stolen password alone is not enough to log in.
- “Think before you act” (or before your click) should be the company mantra.
- Take care with what you share, especially if you are an assistant or front-line support person.
- Use unique and complex passwords when possible.
- Keep software updated on all devices and deploy malware detection and anti-virus software for everyone.
- Only download apps from trusted sources.
- Ensure that only company-approved programs are used on company computers and networks. If personal computers or phones connect to company LANs, ensure they are placed on a separate, protected network segment.
- Report all incidents to supervisors and IT support, or to the DHS Cybersecurity & Infrastructure Security Agency (CISA).
Phishing defense tips for small businesses
Small businesses that don’t have IT support are the most vulnerable to phishing scams because they are more likely to have old software, missing updates, or unsupported operating systems.
While no control is 100% foolproof, one method to defend against phishing is a layered defense, so that even if one control fails, another still catches the attack.
A lack of in-house resources also means it’s important to find a quality outsourcing alternative, such as an MSP that can provide basic IT and network security.
Lastly, report phishing to your email provider. Report vishing to your cell phone company.
Here’s what to look for when receiving a suspected email, Text/SMS, or phone call:
- Spoofed sender address
- Misspellings, bad grammar
- Bad graphics
- Strange file names/URLs
- Sense of urgency
- Deviation from established processes
- Scare tactics
- Buzzword topics: money, cool job offers, important projects, explicit photos, being sued
Trust your “spider sense” — if something’s not quite right, rely on your instincts and double check or make a call to check it out.
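As an added example (not code from the original article), the following Python script runs the link and wording indicators from the list above, and from the SMishing section, over the text of a message: it flags link shorteners that hide the destination, brand or shortener names that appear only as a subdomain of an unrelated domain (the page’s example host, http://bit.ly.2ol59Uu, is of this kind as written, since its registrable domain is not bit.ly), and urgency or scare wording. The shortener list, brand labels, urgency phrases and sample texts are constructed assumptions, not data from the page.

```python
"""Link and wording checks for a suspected SMS or email message body.

Added example, not code from the original article. The shortener list,
brand labels, urgency phrases and sample texts are constructed for
illustration only.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Assumed sample lists; a real deployment would maintain these centrally.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly"}
BRAND_LABELS = {"apple", "microsoft", "paypal", "docusign", "bit"}
URGENCY_PHRASES = ("disabled", "suspended", "immediately", "within 24 hours",
                   "verify now", "legal action", "you have been sued")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (naive; production code should use the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyze_message(text: str) -> dict:
    """Return the indicators found in a message body: shortened links, brand
    names hiding in a subdomain of an unrelated domain, and pressure wording."""
    report = {"shortened": [], "lookalike_hosts": [], "urgency": []}
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")           # drop trailing sentence punctuation
        host = urlparse(url).hostname or ""
        real = registrable_domain(host)
        if real in SHORTENERS:
            # The destination is hidden; the reader cannot judge where it goes.
            report["shortened"].append(url)
        # Everything left of the registrable domain is a subdomain the attacker
        # controls, so "apple.com.evil.xyz" belongs to evil.xyz, not to Apple.
        for label in host.lower().split(".")[:-2]:
            if label in BRAND_LABELS:
                report["lookalike_hosts"].append(
                    f"{host}: real domain is {real}; '{label}' is only a subdomain")
                break
    lowered = text.lower()
    report["urgency"] = [p for p in URGENCY_PHRASES if p in lowered]
    return report


# Constructed sample messages (not real traffic).
SAMPLE_SMS = ("Apple ID: your account has been disabled. Verify immediately at "
              "http://bit.ly.2ol59Uu or http://apple.com.verify-id-login.xyz/login")
SAMPLE_LEGIT = "Your order has shipped. Track it at https://www.apple.com/orders"
SAMPLE_SHORT = "Team lunch menu: https://bit.ly/abc123"

if __name__ == "__main__":
    for label, sample in (("sms", SAMPLE_SMS), ("legit", SAMPLE_LEGIT), ("short", SAMPLE_SHORT)):
        print(label, analyze_message(sample))
```

A genuine shortened link is not malicious by itself, which is why it is reported separately from the look-alike hosts: the right response to a shortener is to expand it (or simply not follow it) and go to the service’s known website instead, while a brand name sitting in a subdomain of an unrelated domain is a strong sign of a credential-harvesting page.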
EnableIP is a telecom solutions provider founded by Wired Networks’ founder Jeremy Kerth and head engineer Steve Roos after they realized there was a deep market need for helping mid-size businesses establish better uptime rates for their Wide Area Networks (WANs). Armed with the best-in-class carriers and partners, Jeremy and Steve set out with a bold plan: Guarantee better uptime rates than the industry standard of only 99.5%.
Their bold plan became a reality. EnableIP’s solutions guarantee clients 99.99% (even 99.999%) network uptime. But we don’t stop there. Many telecom providers promise high availability network solutions but fail to deliver because they’re in the business of providing services, not solutions.
That’s the EnableIP difference: We deliver highly available networks by providing a complete system (called “Cloud Assurance”) that ensures 99.99% or above uptime.
We deliver this bold promise by:
- Owning the entire customer experience. From pricing, contracting, ordering and provisioning to installing, servicing and billing—we do it all! This means no stressful negotiations, confusing setups, or finger pointing if something goes wrong. We actually deliver on our promise.
- We manage the entire system, and monitor and manage issues as they occur so you can focus on your business—not your network.
The EnableIP solution is like no other. Contact us to get started and experience the difference of a system that truly delivers on its 99.99% network uptime promise.