
Identify Phishing

Understanding Phishing 

Phishing is a type of cyberattack that tricks victims into revealing sensitive information to the attacker, such as credit card information, passwords, and personal identification information. Typically, phishing attacks are carried out through fraudulent emails, text messages, or websites that appear legitimate at a quick glance. The attackers often impersonate well-known companies, government agencies, or even friends and colleagues to trick victims into clicking on malicious links or downloading harmful attachments. People often comply with these fraudulent messages without a second thought, not realizing that they are compromising very sensitive information. Phishing is a form of social engineering that exploits human trust in order to gather sensitive information. It is also one of the most common and effective forms of cyberattack and has been around for a very long time.

5 Types of Phishing: 

  1. Email Phishing
  • Typically uses fake domain names to impersonate organizations or other reliable sources.
  • The email typically sounds urgent or threatening, to get the user to comply quickly without checking the authenticity of the source.
  • These emails try to get the user to click a malicious link, download infected files, reply with personal information, etc.
  2. Spear Phishing
  • Typically targets specific people with emails, with the attacker already knowing some information about them.
  • Attackers use the information they know about people to pose as a legitimate source, manipulating them into providing more information or taking actions such as transferring money.
  3. Whaling
  • Whaling attacks target highly privileged positions such as senior management. These people have a lot of public information that attackers have access to.
  • Attackers use the information available to craft a highly effective personalized attack for the individual.
  • Typically doesn't use fake links and malicious files like other phishing attacks. Instead, attackers use personalized messages to discover sensitive information.
  4. Smishing & Vishing
  • Smishing involves sending fraudulent text messages, and vishing involves conversations over a phone call.
  • A very common smishing method is to act like a scam investigator, informing victims that their bank account has been breached, and requesting payment card information to “secure or transfer the account to a safe location.”
  • Vishing uses similar tactics through automated phone calls, pretending to be a trusted source.
  5. Angler Phishing
  • Uses fake social media accounts to pose as the real organization.
  • Customers might contact these fake accounts with complaints or requests about an order or shipment.
  • The attackers then ask the customer to provide personal information and payment information.

Ways to Avoid Phishing Attacks 

Employee Awareness Training – With so much work being related to online activities today, it is crucial for employees to be trained on how to recognize these phishing attacks. Training could include proper incident reporting, role-playing scenarios, phishing identification workshops, and interactive training modules.

Email Security Methods – Recent technological advancements have allowed us to apply email filters that will detect malicious links, attachments, language, and other malicious content in emails. It might be smart for organizations to apply these tools to employee devices. 
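As an added illustration (not part of the original article, and not any product's actual logic), the Python sketch below checks a single-part message for three of the signs described above: a sender domain that is a near miss of a trusted one, urgent language, and a link whose visible text names a different host than its target. The trusted domains, the phrase list, and the sample message are all assumptions made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed, illustrative values: the organization's real domains and pressure phrases.
TRUSTED_DOMAINS = {"example.com", "examplebank.com"}
URGENCY = ("urgent", "immediately", "account suspended", "verify your account")
LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)
HOST_IN_TEXT = re.compile(r'^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:]\S*)?$', re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain):
    """True if domain is not trusted but is 1-2 edits away from a trusted one."""
    return domain not in TRUSTED_DOMAINS and any(
        edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS)

def phishing_indicators(raw_email):
    """Return the indicators found in a raw single-part email message."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    found = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if is_lookalike(sender_domain):
        found.append("lookalike sender domain: " + sender_domain)
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(phrase in text for phrase in URGENCY):
        found.append("urgent or threatening language")
    # Flag links whose visible text shows one host while the href goes to another.
    for href, label in LINK.findall(body):
        shown = HOST_IN_TEXT.match(label.strip())
        target = urlparse(href).hostname
        if shown and target and shown.group(1).lower() != target:
            found.append("link text %s points to %s" % (shown.group(1).lower(), target))
    return found

# Constructed sample message, not a real email.
SAMPLE = ("From: Example Bank <alerts@examp1ebank.com>\n"
          "Subject: Urgent: verify your account\n\n"
          '<a href="http://login.invalid/reset">www.examplebank.com</a>\n')
```

Calling `phishing_indicators(SAMPLE)` reports all three indicators, while a message from a trusted domain with a matching link reports none.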

Multi-Factor Authentication – MFA is an effective method that is simple to implement. It is great for securing accounts even after login information might be compromised. Even after a user correctly enters a password, MFA forces them to confirm their identity through another method, such as confirming on a mobile device, a fingerprint scan, or another security method. This extra layer of security can make it much more difficult for attackers to access sensitive information, even if they gather login information from a phishing attack.
