What is Phishing and How Can I Protect Myself?

What is Phishing?

Phishing is a very common type of cyber-attack that everyone should learn about in order to protect themselves. In a phishing attack, attackers send fraudulent communications that appear to come from a reputable source.

It is typically done via email, although other messaging channels and social media are also used and can be more effective at tricking the victim into taking the desired action.

The objective is to steal sensitive data like credit card and login information, or alternatively to fool the victim into clicking a link or opening an attachment, which results in malware being installed on the victim’s computer.

As with other types of cyber-attacks, a layered defence approach is the best way to defend yourself as no single technology or policy can prevent phishing attacks. Technical security measures like multi-factor authentication, robust patching policies and outbound firewall rules need to be backed up by effective user awareness training.

What are the Main Threats from Phishing Attacks?

Direct financial loss is a key threat from phishing attacks. Attackers will target victims’ credit card information, bank details or other personal data for financial gain. This is far from the only threat, however.

Attackers will also send phishing emails to obtain employee login information or other information for use in further attacks against a specific organisation. Cybercrime attacks such as advanced persistent threats (APTs) and ransomware often start with a phishing attack.

Sometimes attackers may want to gain control of victim computers so that their processing power can be used for crypto mining or to take part in botnets.

Increasing User Awareness

One important way to protect your organisation from phishing is user education. Education should involve all employees, and senior management in particular, as they are often a target. Teach them how to recognise a phishing email and what to do when they receive one. Simulation exercises are also useful for assessing how your employees react to a staged phishing attack.

Examples of phishing attacks

Over time, different types or styles of phishing attack have been developed as both attackers and defenders have become more sophisticated. The first phishing attacks mainly used a shotgun approach: sending thousands of emails in the hope of catching out a small number of victims.

This is still the most common type of phishing and often attempts to obtain confidential information from the victims. Attackers use the information to steal money or to launch other attacks. A fake email from a bank asking you to click a link and verify your account details is a common example of this type of attack.

Spear phishing

Spear phishing targets specific individuals instead of a wide group of people. Attackers often research their victims on social media and company websites. This allows them to customise their communications and appear more authentic.

Spear phishing is often the first step used to penetrate a company’s defences and carry out a targeted attack. According to the SANS Institute, 95% of all attacks on enterprise networks are the result of successful spear phishing.

Whale Phishing

When attackers go after a “big fish” like a CEO, it’s called whale phishing. These attackers often spend considerable time and effort profiling the target to find the opportune moment and means of stealing login credentials. Whale phishing is of particular concern because high-level executives are often able to access a great deal of company information.

Pharming

Similar to phishing, pharming sends users to a fraudulent website that appears to be legitimate. However, in this case, victims do not even have to click a malicious link to be taken to the bogus site. Attackers can infect either the user’s computer or the website’s DNS server and redirect the user to a fake site even if the correct URL is typed in.
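Because pharming works without any click, the defensive check has to be on the name-resolution path rather than on the user. The following is an added example (not code from the original post or from KRYPSYS) showing two simple detections a workstation or endpoint agent could run: spotting hosts-file entries that pin a watched domain to an address of the attacker's choosing, and comparing a DNS answer against a known-good address range for that name. The hosts file content, the watchlist and the expected ranges are all constructed placeholders (example.com-style names, RFC 5737 documentation addresses), not real infrastructure.

```python
import ipaddress

# Constructed sample of a hosts file; not taken from any real system.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# Legitimate local development alias
127.0.0.1   dev.local
# Unexpected: a bank's hostnames pinned to an external address
203.0.113.45  online.examplebank.com www.examplebank.com
"""

# Hypothetical watchlist: domains a normal workstation should never override locally.
WATCHLIST = {"online.examplebank.com", "www.examplebank.com", "login.microsoftonline.com"}

# Hypothetical baseline: address ranges a watched name is known to resolve to.
EXPECTED_RANGES = {"online.examplebank.com": ["198.51.100.0/24"]}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def find_pharming_overrides(text, watchlist=WATCHLIST):
    """Return (hostname, ip) for every hosts entry that overrides a watched domain.

    Any local pin of a watched name is reported, whether it redirects traffic to an
    external address or blocks it via loopback; an analyst decides which it is.
    """
    findings = []
    for ip, name in parse_hosts(text):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address; not a hosts override we can act on
        if name in watchlist:
            findings.append((name, ip))
    return findings


def answer_is_unexpected(hostname, answer_ip, expected=EXPECTED_RANGES):
    """True when a DNS answer for a baselined hostname falls outside its known ranges.

    Names without a baseline return False: there is nothing to compare against.
    """
    ranges = expected.get(hostname.lower())
    if ranges is None:
        return False
    addr = ipaddress.ip_address(answer_ip)
    return not any(addr in ipaddress.ip_network(r) for r in ranges)


if __name__ == "__main__":
    for name, ip in find_pharming_overrides(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {ip}")
    # A resolver answer outside the baseline is the DNS-side symptom of pharming.
    print(answer_is_unexpected("online.examplebank.com", "203.0.113.45"))
```

In practice the hosts file is read from its platform path and the DNS answer comes from the resolver, so both checks would be wired into an endpoint monitoring job; the logic above is the part that decides whether a result is worth alerting on.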

Office 365 phishing

Attacks targeting the email systems themselves are becoming more common, particularly in attacks against companies and organisations. These phishing campaigns often take the form of a fake email purporting to come from Microsoft. The email contains a request to log in, stating that the user needs to reset their password, hasn’t logged in recently, or that there’s a problem with the account that needs their attention. A URL is included, enticing the user to click to remedy the issue.

If you think your business could be affected by phishing attacks, KRYPSYS may be able to help. Please feel free to contact us at www.krypsys.com/contact-us/