Phishing Attacks

Spear phishing

In this type of attack, phishers customize their attack emails with the target's name, position, company, work phone number and other information in an attempt to trick the recipient into believing that they know the sender. The goal is to trick the victim into clicking on a malicious URL or email attachment so that they will hand over their personal data. - Given the amount of information needed to craft a convincing attack attempt, it's no surprise that spear-phishing is commonplace on social media sites where attackers can use multiple data sources to craft a targeted attack email. - To protect against spear phishing, organizations should conduct ongoing employee security awareness training that discourages users from publishing sensitive personal or corporate information on social media. - - -- Companies should also invest in solutions that analyze inbound emails for known malicious links/email attachments.

Phishing

Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in an electronic communication.

Pharming

- As users become wiser to traditional phishing scams, phishers are resorting to pharming. - This method of phishing uses cache poisoning of the domain name system called a DNS cache poisoning attack. The pharmer targets a DNS server and changes the IP address associated with a website name, thereby allowing an attacker to redirect users to a spoofed malicious website of their choice, even if the victim enters the correct site name. - To protect against pharming attacks, organizations should encourage employees to enter in login credentials only on HTTPS-protected sites. - Companies should also implement anti-virus software on all corporate devices and update it on a regular basis.

Whaling attack

- Phishers use a this kind of attack to try to harpoon an executive and steal their login credentials. Successful attacks can result in phishers engaging in CEO fraud. CEO fraud is when attackers abuse the compromised email account of a CEO or other executive to authorize fraudulent wire transfers to a financial institution of their choice. - This type of phishers may also leverage that same email account to request W-2 information for all employees so that they can file fake tax returns on their behalf or post that data on the dark web. - Executive level employees may fall for these types of attack if they do not participate in security trainings so make sure CEO's and other executives are trained just like all the other employees.

Angler Phishing

- This type of phishing is the practice of masquerading as a customer service account on social media, hoping to reach a disgruntled consumer to trying to lure them into handing over access to their personal data or account credentials. - To protect against angler phishing attacks, organizations should identify their social media accounts, ensure they have strong passwords and are regularly changed, use verified accounts, and continually monitor for fraudulent accounts.

Smishing

- This type of phishing leverages malicious text messages to trick users into clicking on a malicious link or sharing personal information. - Like vishers, smishers pose as various entities to get what they want. - Users can help defend against smishing attacks by researching unknown phone numbers thoroughly and by calling the company named in the messages if they have any doubts.

Vishing

- Type of phishing attack that relies on placing a phone call rather than sending an email. An attacker can perpetrate this type of attack by setting up a Voice over Internet Protocol (VoIP) server to mimic various entities in order to steal sensitive data and/or funds. Vishing attacks have taken on various forms, but their goal is the same as most other phishing attacks: to acquire login credentials to be used to steal money. - To protect against vishing attacks, users should avoid answering calls from unknown phone numbers, never give out personal information over the phone and use a caller ID.