Small Business Owners Beware
Did you know that 91% of data breaches start with some type of phishing scam?
You've undoubtedly heard the term "phishing" analogous to "scams", but do you know what it really is? Did you know that there are more than ten different, distinct types of phishing attacks? Do you know how to identify them? We're going to discuss these phishing types here, as well as explain how to identify them and what the best course of action is to avoid them.
Email Phishing
Probably the most common type of phishing is email phishing. You've probably seen some of these fraudulent emails that make it past your spam filters to your email account. A phishing email often has misspellings and malicious URLs that are a letter or two off the real URLs.
This fraudulent website is set up just to steal personal data. An email phishing attack on a business can result in a business email compromise.
Phishing emails are designed to trick users into clicking on malicious websites that download malware, or with a malicious attachment of some sort, or are designed to elicit information, such as your login credentials for your email or a website. Email phishing is often launched through generalized phishing campaigns. Beware of images or logos in an email with little text; they may have hidden malicious code written within them. If in doubt, go to your web browser and type in the URL of the company that the email appears to be from directly; then go about your business with them.
Clone Phishing
Clone phishing is a more targeted phishing attempt, typically done by a more experienced hacker. A clone phishing hacker does his research and uses services someone has used in the past in order to trick its victims. In this manner, the email is designed to appear as if it's from this known vendor. Banking and financial websites are targeted for cloning often.
Clone phishers usually take a little more time to create more authentic-looking web pages to steal data from their victims. Sometimes, elaborate fraudulent websites are also created in a "cloned" version. A clone phishing attack can result in the cybercriminal gathering all your personal information, including login credentials, to what you thought was a trusted site.
Spear Phishing
Spear phishing attacks are some of the most sophisticated, therefore scariest types of phishing attacks. Spear phishing attacks are a very targeted and premeditated sort of attack. In the case of a spear-phishing attack, the hacker does research using OSINT or open-source intelligence.
This is all public online information, including company social media sites, gathering real names, job titles, and other personal information of executives who work at the specifically targeted company.
Then, the cybercriminal formulates an email that appears to be from a coworker. Spear phishing often works because the recipient believes the spear-phishing message is actually coming from a colleague.
If you receive an odd (in relation to job function) email request that appears to be from a coworker, be careful. Check the email address that the email actually was delivered from. Contact the person directly that appears to have sent this message and ask it's a legitimate request. Take the time and the few extra steps to make sure it is a legitimate message and not a spear phishing scam. In addition, beware of shared drive links and even password-protected documents.
Vishing - Voice Phishing
Voice phishing, also called vishing, is when a hacker uses voice phone calls to try and get personal information like bank account information. Often hackers claim to be from Microsoft, alerting you of a virus on your computer. They claim it can be taken care of with a new version of antivirus software. Or, it may be some other large, well-known software or banking company that is impersonated that informs you of a required update that must be installed for your systems to continue to function or to protect you from some known threat. Most employees will try to be helpful or to take responsibility to resolve issues without having to involve a superior, so they provide bank account information or credit card numbers or the needed log-in credentials to take care of the necessary actions. This is exactly the human nature element that nefarious actors are counting on!
Not only does the hacker now have your sensitive information to make unauthorized purchases with, but given remote access to your computer, instead of installing the antivirus software, they've likely installed malware on your computer. Typically the malware tracks your online banking with a banking trojan, stealing the rest of your sensitive information including your password.
It could also contain a "bot" and launch a DDoS attack (distributed denial of service), which can be catastrophic for any business. Vishing or voice phishing is a dangerous type of phishing that can do an incredible amount of damage. Voice calls like these from blocked numbers are typically hackers, or oddly timed calls with a sense of urgency and a call to action.
Smishing - SMS Phishing
Smishing (SMS phishing) consists of text messages sent to your phone that purport to be from a trusted source and contain a malicious link or phone number to click on. Often malicious links are shortened links or done in hypertext to hide the real URL. The goal is still to gain access to personal details and identity theft, in one form or another.
Whaling - CEO Fraud
Whaling attacks are so named for exactly what they sound like - catching the whales, the big ones! This is the type of spear phishing, that also employs OSINT and research, targets the employees by impersonating the CEO of the company with that intelligence. Any unusual email request from superiors, especially when the communication is from someone who has never done so before, should be suspect.
Angler Phishing
Angler phishing scams utilize social media platforms and direct messaging features to trick victims, often into clicking a link to a malicious website. Any messages from people you don't know, or from people with who you don't normally use direct messaging, maybe an angler phishing attempt.
Search Engine Phishing
Search engine phishing is extremely dangerous because in this case, the cybercriminal sets up a website and works to be on the first page of search engine results, so people will click on their link and subsequent fake website. Often these are detectable only by paying close attention to detail on the websites you visit. Spelling errors, color schemes slightly different, even changes in the font can be a clue to malicious websites.
Evil Twin Phishing
Evil twin phishing establishes a fake WiFi hotspot and when anyone uses it, they steal login credentials and intercept sensitive data during transfer across the connection. Look for and use only secured connections displaying 'HTTPS' instead of simply 'HTTP'.
Watering Hole Phishing
This type of phishing is more sophisticated and research is done on the websites that company employees access often. Then the hackers infect IP addresses with malicious code. Pay close attention to any browser alerts, don't just discount them out-of-hand, and keep your firewall up to date.
Pharming
Pharming is scary because it's so difficult to detect. The hacker actually hijacks a DNS server and can redirect users to fraudulent websites on that level. Because of this level of sophistication, the user must look for the smallest of details to detect these authentic-looking yet infected websites, just as with search engine phishing.
Blue Oak Technology Solutions
Blue Oak Technology Solutions can help you prevent phishing attacks from being successful, including employee training and education. It seems like it should be so easy - if in doubt, don't open any emails, or email attachments, or follow any links contained within it. But there is more to it than that. They can be very realistic and convincing. Sometimes you need to have an IT professional review the suspicious email to verify whether it's legitimate or not. Or help to remediate the situation if partial or complete success is achieved. Plus we can provide some tools or solutions such as ransomware protection and spam filtering to help your employees out. Let us show you how as your off-site IT department.
We have a comprehensive list of security and IT solutions for your business you can use here at Blue Oak Tech.