We are forty years into the advent of phishing attacks! It began in the 1980s’ when a phising technique was described in detail to a HP users Group, Interex. Since then campaigns have become more and more devious.
In the era of the Covid Pandemic, whilst many people were already dazed and confused by the onslaught of day to day events, Phishing makes a clever entrance and catches many people out.
Tax extension deadline schemes: In early 2020, Even before COVID-19 became a widespread threat in 2020, the IRS saw more than $135 million in falsified tax refund claims. Phishers seized the extra time to send phishing emails, texts and phone calls to up their payday and steal tax refunds from working Americans.
Imitating the CDC: In 2020, Researchers find evidence of phishers sending emails posing as the Centers of Disease Control and Prevention (CDC). The messages often contain malicious links, claiming to direct readers to infection prevention measures and COVID-19 vaccine information. However, the links are laced with malware that can infect the user’s device, potentially opening the door to ransomware or serving as a foothold into the user’s company network.
The COVID-19 relief payment scam: In November 2020, the IRS teamed up with multiple states and industry organizations to warn U.S. citizens of an SMS-based phishing scam teasing a $1,200 economic impact payment from the ‘COVID-19 TREAS FUND.’ It stated, “Further action is required to accept this payment into your account. Continue here to accept this payment …” The message then directed the user to a phishing site imitating the IRS.gov Get My Payment website, where the victims were asked to share their personal and bank account information.
So whilst we recommend bolstering your security infrastrcuture it is also increasingly important to make your staff aware of the potential routes these attackers use.
Phishing attacks are a form of social engineering where a cybercriminal imitates a trusted entity and tricks an individual into opening a fraudulent email, SMS, or instant message. This message is designed to deceive the victim into sharing sensitive information or clicking a link that will run malicious code.
In the past year, 83% of all cyberattacks in the UK were phishing attacks. Unfortunately, if these lead to a data breach or ransomware attack, this can be devastating for businesses, and they often result in a loss of customers.
The phishing methods that cybercriminals use are becoming more complex, so it is important to understand these methods to be able to spot them before your business falls victim to a cyberattack.
Bulk phishing is the most common form of phishing attack. This is where a cybercriminal sends a large number of fraudulent emails to employees and individuals. Although they are not tailored to the victim, they can be effective as if enough emails are sent, eventually someone will open one.
Examples of bulk phishing attempts include emails relating to winning a prize, issues with the user’s account, or emails stating that a password has expired and needs to be changed. Some of these can easily be spotted due to poor grammar, spelling and design of the email, however others are nearly indistinguishable from an official email. You should always check where an email has come from and look for different spellings of the email address or URLs in the text. If you are ever in doubt, it is always safer to not open an email.
Spear phishing is an attack where the cybercriminal has researched their target and found personal information to be able to tailor the attack to them. This is typically more successful than bulk phishing as when an email contains personal information it lowers the target’s guard, making them more likely to open a malicious link or file.
These emails may include the victim’s name, or place of work, imitating a supplier or third-party technical support requiring the user to send their password for security purposes. Spear phishing attempts can be difficult to spot, however you should always verify suspicious requests in person if possible and never share your password with others.
Whaling is a form of spear phishing where the attacker targets a company’s executives in order to steal login credentials. This can be devastating for a company, as an executive’s account often has a high-level access to the network along with employee and customer data. Threat actors may also use a spear phishing attack to gain access to an employee’s email account then use their account to phish the executive as they are more likely to trust an email from an employee than an unknown individual.
It is important for an entire company to aware and educated about cybersecurity, especially executives, and there should be policies and software in place to avoid high level employees being phished.
Vishing and Smishing
Vishing also known as voice phishing are attacks performed over the phone or VoIP. These are often messages imitating a bank or technical support asking for account information for security purposes. These can be detected as fraudulent as a company will never ask for personal information over the phone. Another method of detecting if a call is fraudulent is by checking to make sure the number that has called is listed on the official company website and not a known scam phone number.
Smishing or SMS phishing, is using phone text messaging to mislead or deceive a victim. These can be particularly effective as text messages are more likely to be read and responded to, rather than emails. It is important to apply the same level of scrutiny to phone calls and text messages that you would an email, as it is just as dangerous of an attack vector.
What Can You Do?
Phishing has been a common cyberthreat for a long period of time, and it is unlikely to stop anytime soon, especially as cybercriminals are constantly changing their methods to be more complex and difficult to identify. It is important that all employees are aware of phishing methods to avoid being victim to an attack. However, it only takes one employee opening a malicious link or file to have a company-wide data breach. It is in a company’s best interest to have software that uses AI to block phishing attacks before they even land in your inbox.
We offer protection from phishing attacks along with a suite of email protection tools that will ensure that your company’s data stays secure, and you do not lose customers due to a cyberattack.
We also offer gamified cyber training so you can get your staff up to date and aware.
If you want to find out more on how to protect your business speak to us today. Call 01444 871200 or email firstname.lastname@example.org