Six Phishing Techniques and How to Fight Them
By: Krystal Rennie, Director of Corporate Communications, and Brittany Demendi, Corporate Communications Manager
Recently, we took a 360-degree view of phishing to examine various attacks and how harmful they can be to businesses. This blog will zoom in on a subsection of those attacks and learn more about six specific methodologies behind phishing.
You might already know that phishing attacks are increasing in popularity, and cybercriminals are finding new creative ways to strike. If you have had access to an email, phone, or social media account in the last decade, you have most likely been exposed to a phishing attempt.
When most people think of phishing, they think of email. This is often reinforced by awareness training and testing programs that disproportionately cover email-based campaigns. Unfortunately, this emphasis often neglects to consider other forms equally effective as tricking recipients into surrendering confidential information.
Phishing.org gave a highlight of popular phishing techniques, and below is a quick rundown of a few popular methods:
#1: Email
Email is the most common form of phishing, and it occurs when cybercriminals often send emails with phishing URLs to collect sensitive information. According to a Forcepoint article, “an email may present with links that spoof legitimate URLs; manipulated links may feature subtle misspellings (double “nn”s replace a “m” or uppercase “i” replaces lowercase “l”) or use of a subdomain.” Once access is gained through these links, criminals can successfully launch an attack.
More sophisticated email phishing uses infected attachments and contains evocative content encouraging recipients to open the attachment, automatically downloading malicious code. These emails can use positive messages, such as prizes or hefty discounts, or negative ones, such as complaints or lawsuits. They often appear to come from an authority to add weight to the recipient’s need for immediate action.
# 2: SMS and Text Messages
SMS and Text Messages are utilized when cybercriminals use text messages to target individuals to get them to disclose personal information via a link that would lead them to a phishing website and expose their information to the attacker.
During the early stages of Covid and work-from-home measures, executives were targeted through their assistants who received fake text messages from their boss. These themes often involved the fake boss reporting a stolen device, a new phone number, and an email. Once a persistent connect was made, the criminals would ask for confidential information in the hopes the assistant would surrender it over text.
# 3: Web-based forgery
Web-based forgery is a very sophisticated phishing techniques, as it uses fake websites to fool users. According to Phishing.org, this technique is “also known as ‘man-in-the-middle,’ the hacker is located between the original website and the phishing system. The phisher traces details between the legitimate website and the user during a transaction. As the user continues to pass information, it is gathered by the phishers, without the user knowing about it.”
One ransomware gang used fake Microsoft Office 365 log-in prompts to collect credentials and then passed the legitimate log-in information to Microsoft servers to complete the log-in creating a seamless and expected transaction. The victims were oblivious to the credential scrape.
# 4: Malvertising
Malvertising involves malicious advertising with active scripts created to download malware or force undesired content into your networks. The most common and popular methods of malvertising include Adobe PDFs and Flash. You should steer clear if you have seen these advertisements pop up on your browser.
# 5: Content Injection
Content Injection occurs when the cybercriminal maliciously alters a portion of content hosted on a reliable website. This will mislead the user and make them go to a page that leads them outside their intended website. Once they land on that redirected page, they will be asked to enter personal information.
The criminal group, Gootloader, used this technique to solicit the credentials of executives and professionals looking for templates, tools, and other planning resources.
# 6: Keyloggers
Keyloggers use a specific kind of malware to recognize and record (or log) user keyboard input. The information collected is sent to cybercriminals so that they can decipher passwords and gain access to other types of personal information.
In one case, criminals used keystroke loggers to tailgate financial transactions and stole $1.9 million from a tech start-up in 24 hours. The money was moved to banks in China, Russia, and Turkey and was never recovered.
The first step to protecting yourself and your organization from falling victim to these phishing techniques is learning to spot them, which can be done through consistent training. In other words, by implementing a Proactive Defense Program. As we know, knowledge is power. Teaching employees to feel confident in their ability to report a phishing scheme can be the difference between temporarily shutting down operations, an organization folding, and conducting business as usual. The advantages and benefits are endless, educating employees on how to recognize cyber threats, the types out there, and what actions to take when they encounter one.
It is evident that IT staff already carry a heavy load, so many turn to third-party services to implement and manage security awareness testing and training. These pieces of training deliver real-world scenarios and context-rich security awareness programs in line with the organization’s security operation center services. So, what can an organization expect from a Proactive Defense Program?
How to Combat Phishing Techniques
The first step to protecting yourself and your organization from falling victim to these phishing techniques is learning to spot them, which can be done through consistent training. In other words, by implementing a Proactive Defense Program. As we know, knowledge is power. Teaching employees to feel confident in their ability to report a phishing scheme can be the difference between temporarily shutting down operations, an organization folding, and conducting business as usual. The advantages and benefits are endless, educating employees on how to recognize cyber threats, the types out there, and what actions to take when they encounter one.
It is evident that IT staff already carry a heavy load, so many turn to third-party services to implement and manage security awareness testing and training. These pieces of training deliver real-world scenarios and context-rich security awareness programs in line with the organization’s security operation center services. So, what can an organization expect from a Proactive Defense Program?
-
Train employees internally for security threats in your industry
- Phishing campaigns are built with themes that imitate real-world phishing email styles quarterly, attempting to entice employees to browse an unknown website or open an infected attachment, the campaign targets employees with privileged access or that perform critical functions. The mock phishing emails expose high-risk users and an organization’s vulnerabilities. Specific employee emails are tracked with their campaign results.
-
Monitor training and test for understanding of key security concepts
- a. Following each quarterly phishing campaign exercise, on-demand training is set up for all employees. Enrollment notifications are sent to all users to track their completion activity and notify them if they still need to complete their training. It is suggested to customize training content.
-
Implement additional security training by a third-party expert
- A third party will take responsibility for implementing and setting up Security Awareness Training to ensure the organization can comply with its industry regulations and set policies. In addition, organizations can upload company-specific policies. Employees are assigned the policies and must agree to or acknowledge to develop policies to complete their training. Required training supports vertical and segment framework, which includes:
-
- Sarbanes- Oxley reporting requirements
- NIST
- HIPAA (Health Insurance Portability and Accountability Act of 1996)
- ISO
- PCI (Payment Card Initiative)
- FFIEC CAT
-
Remediate non-compliant employees with security awareness testing
- High-risk users who open an attachment, click a link or fail a phishing email campaign should be required to attend remedial training campaigns. These campaigns include additional programs to help empower them with more practice and knowledge. In addition to tailored and informed training suggestions based on the campaign results.
-
Continuous training that has a repeatable process
- Working with a third-party service gives an organization dedicated experts to manage all aspects of delivering campaigns, collecting the results, and reporting on employee activity to support awareness training and recommendations.Implementing security awareness has become a must-have within every organization, regardless of industry. These services solve the human element in cybersecurity by educating employees and properly training them to report suspicious activity by requiring them to agree or acknowledge to set policies to complete training.
To Learn More:
Six Popular Phishing Techniques and How to Combat Them is a part of Adlumin’s Cyber Blog content series. For more information about how your organization can protect itself from cybercriminals, browse more from our knowledge-rich series here.
Or contact our experts if your team is ready for a demo of Adlumin’s Managed Detection and Response Plus Platform extended risk management and security services.
