Six Phishing Techniques and How to Fight Them

By: Krystal Rennie, Director of Corporate Communications, and Brittany Demendi, Corporate Communications Manager

Recently, we took a 360-degree view of phishing to examine various attacks and how harmful they can be to businesses. This blog will zoom in on a subsection of those attacks and learn more about six specific methodologies behind phishing.

You might already know that phishing attacks are increasing in popularity, and cybercriminals are finding new creative ways to strike. If you have had access to an email, phone, or social media account in the last decade, you have most likely been exposed to a phishing attempt.

When most people think of phishing, they think of email. This is often reinforced by awareness training and testing programs that disproportionately cover email-based campaigns. Unfortunately, this emphasis often neglects other forms that are equally effective at tricking recipients into surrendering confidential information.

Phishing.org highlighted several popular phishing techniques, and below is a quick rundown of a few of them:

#1: Email

Email is the most common form of phishing. Cybercriminals send emails containing phishing URLs to collect sensitive information. According to a Forcepoint article, “an email may present with links that spoof legitimate URLs; manipulated links may feature subtle misspellings (double “nn”s replace a “m” or uppercase “i” replaces lowercase “l”) or use of a subdomain.” Once a recipient follows one of these links, criminals can successfully launch an attack.
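The URL tricks quoted above (confusable letters such as “rn” for “m” or capital “I” for lowercase “l”, and a trusted name planted as a subdomain of an attacker-controlled domain) can be checked mechanically before a user ever clicks. The following is an added example, not code from the original post or from Adlumin: it extracts links from an email body and compares each link's host against a constructed allowlist of domains the organization expects. The allowlist, the sample email, and the confusable-character table are assumptions made for illustration, and the registrable-domain logic deliberately ignores public-suffix rules (so `co.uk`-style suffixes are not handled).

```python
"""Flag lookalike and subdomain-abusing links found in an email body.

Added example (not from the original post). TRUSTED_DOMAINS, CONFUSABLES and
SAMPLE_EMAIL are constructed for illustration.
"""
import re
import unicodedata
from urllib.parse import urlparse

# Constructed allowlist: domains the organization expects links to point at.
TRUSTED_DOMAINS = {"example.com", "microsoft.com", "paypal.com"}

# Visually confusable sequences collapsed to a canonical form before comparing.
# Multi-character sequences come first so "rn" is folded before single letters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def skeleton(label: str) -> str:
    """Canonical form of a host name so lookalikes compare equal to the real name."""
    s = unicodedata.normalize("NFKC", label)  # fold full-width/compatibility forms
    s = s.replace("I", "l")                   # capital i posing as lowercase L (before lower())
    s = s.lower()
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def raw_host(url: str) -> str:
    """Host part of the URL with original case preserved.

    urlparse().hostname lowercases, which would hide the capital-I trick,
    so the netloc is split by hand (userinfo and port dropped).
    """
    netloc = urlparse(url).netloc.rsplit("@", 1)[-1]
    return netloc.split(":")[0].rstrip(".")


def classify_host(host: str) -> str:
    """Return 'trusted', 'subdomain-abuse:<brand>', 'lookalike:<brand>' or 'unknown'."""
    labels = host.rstrip(".").split(".")
    reg_raw = ".".join(labels[-2:])   # registrable part, case kept for skeleton()
    reg = reg_raw.lower()             # assumption: two labels, no public-suffix list
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    lower_host = host.lower()
    # A trusted name appearing as a label sequence that is NOT the registrable
    # domain, e.g. paypal.com.secure-billing.example, is subdomain abuse.
    for trusted in TRUSTED_DOMAINS:
        if "." + trusted + "." in "." + lower_host + ".":
            return "subdomain-abuse:" + trusted
    # Confusable-letter lookalikes and one-character typosquats.
    for trusted in TRUSTED_DOMAINS:
        if skeleton(reg_raw) == trusted or edit_distance(reg, trusted) <= 1:
            return "lookalike:" + trusted
    return "unknown"


def scan_email(body: str) -> list:
    """Return [(url, verdict), ...] for every http(s) link in the body, in order."""
    return [(url, classify_host(raw_host(url))) for url in URL_RE.findall(body)]


# Constructed sample message exercising each trick the post describes.
SAMPLE_EMAIL = """Your account has been limited. Restore access at
https://paypaI.com/restore and confirm billing at https://paypal.com.secure-billing.example/confirm
Docs: https://rnicrosoft.com/login  Portal: https://portal.example.com/home
"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:32} {url}")
```

Run as a script it prints one verdict per link; in a mail gateway the same `classify_host` result would drive a quarantine or a warning banner. Note that a verdict of `unknown` is not a clean bill of health, only the absence of the three patterns checked, so a deployed version would also consult threat-intelligence feeds and link-click telemetry.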

More sophisticated email phishing uses infected attachments and contains evocative content encouraging recipients to open the attachment, automatically downloading malicious code. These emails can use positive messages, such as prizes or hefty discounts, or negative ones, such as complaints or lawsuits. They often appear to come from an authority to add weight to the recipient’s need for immediate action.

#2: SMS and Text Messages

SMS and text message phishing occurs when cybercriminals send text messages containing a link to a phishing website, where targeted individuals are asked to disclose personal information that is then exposed to the attacker.

During the early stages of Covid and work-from-home measures, executives were targeted through their assistants, who received fake text messages from their boss. These themes often involved the fake boss reporting a stolen device, a new phone number, and a new email address. Once a persistent connection was made, the criminals would ask for confidential information in the hope the assistant would surrender it over text.

#3: Web-based forgery

Web-based forgery is a very sophisticated phishing technique, as it uses fake websites to fool users. According to Phishing.org, this technique is “also known as ‘man-in-the-middle,’ the hacker is located between the original website and the phishing system. The phisher traces details between the legitimate website and the user during a transaction. As the user continues to pass information, it is gathered by the phishers, without the user knowing about it.”

One ransomware gang used fake Microsoft Office 365 log-in prompts to collect credentials and then passed the legitimate log-in information to Microsoft servers to complete the log-in, creating a seamless and expected transaction. The victims were oblivious to the credential scrape.

#4: Malvertising

Malvertising involves malicious advertising with active scripts created to download malware or force undesired content into your networks. The most common and popular methods of malvertising include Adobe PDFs and Flash. You should steer clear if you have seen these advertisements pop up on your browser.

#5: Content Injection

Content Injection occurs when the cybercriminal maliciously alters a portion of content hosted on a reliable website. This will mislead the user and make them go to a page that leads them outside their intended website. Once they land on that redirected page, they will be asked to enter personal information.

The criminal group, Gootloader, used this technique to solicit the credentials of executives and professionals looking for templates, tools, and other planning resources.

#6: Keyloggers

Keyloggers use a specific kind of malware to recognize and record (or log) user keyboard input. The information collected is sent to cybercriminals so that they can decipher passwords and gain access to other types of personal information.

In one case, criminals used keystroke loggers to tailgate financial transactions and stole $1.9 million from a tech start-up in 24 hours. The money was moved to banks in China, Russia, and Turkey and was never recovered.

How to Combat Phishing Techniques

The first step to protecting yourself and your organization from falling victim to these phishing techniques is learning to spot them, which can be done through consistent training. In other words, by implementing a Proactive Defense Program. As we know, knowledge is power. Teaching employees to feel confident in their ability to report a phishing scheme can be the difference between temporarily shutting down operations, an organization folding, and conducting business as usual. The advantages and benefits are endless, educating employees on how to recognize cyber threats, the types out there, and what actions to take when they encounter one.

It is evident that IT staff already carry a heavy load, so many turn to third-party services to implement and manage security awareness testing and training. These pieces of training deliver real-world scenarios and context-rich security awareness programs in line with the organization’s security operation center services. So, what can an organization expect from a Proactive Defense Program?

  1. Train employees internally for security threats in your industry

    • Quarterly phishing campaigns are built with themes that imitate real-world phishing email styles, attempting to entice employees to browse an unknown website or open an infected attachment. The campaigns target employees with privileged access or those who perform critical functions. The mock phishing emails expose high-risk users and an organization’s vulnerabilities, and each employee’s campaign results are tracked.
  2. Monitor training and test for understanding of key security concepts

    • Following each quarterly phishing campaign exercise, on-demand training is set up for all employees. Enrollment notifications are sent to all users to track their completion activity and notify them if they still need to complete their training. It is suggested to customize training content.
  3. Implement additional security training by a third-party expert

    • A third party will take responsibility for implementing and setting up Security Awareness Training to ensure the organization can comply with its industry regulations and set policies. In addition, organizations can upload company-specific policies. Employees are assigned the policies and must agree to or acknowledge them to complete their training. Required training supports vertical and segment frameworks, which include:
    • Sarbanes-Oxley reporting requirements
    • NIST
    • HIPAA (Health Insurance Portability and Accountability Act of 1996)
    • ISO
    • PCI (Payment Card Initiative)
    • FFIEC CAT
  4. Remediate non-compliant employees with security awareness testing

    • High-risk users who open an attachment, click a link, or otherwise fail a phishing email campaign should be required to attend remedial training campaigns. These campaigns include additional programs to help empower them with more practice and knowledge, along with tailored training suggestions informed by the campaign results.
  5. Continuous training that has a repeatable process

    • Working with a third-party service gives an organization dedicated experts to manage all aspects of delivering campaigns, collecting the results, and reporting on employee activity to support awareness training and recommendations.

Implementing security awareness has become a must-have within every organization, regardless of industry. These services address the human element in cybersecurity by educating employees, training them to report suspicious activity, and requiring them to agree to or acknowledge set policies to complete their training.

To Learn More:

Six Popular Phishing Techniques and How to Combat Them is a part of Adlumin’s Cyber Blog content series. For more information about how your organization can protect itself from cybercriminals, browse more from our knowledge-rich series here.

Or contact our experts if your team is ready for a demo of Adlumin’s Managed Detection and Response Plus Platform extended risk management and security services.

Could you be the Next Bait for a Phishing Attack?

By: Krystal Rennie, Director of Corporate Communications, and Brittany Demendi, Corporate Communications Manager

Have you ever received an email informing you that you’ve won an all-expense paid trip to the Bahamas in a raffle you never entered? Or received an email from a streaming service notifying you that your credit card was rejected and to click on the link to update your payment method? You’ve been exposed to a form of phishing. These are examples of email phishing, which use tactics that are untargeted but appear everywhere. By comparison, more targeted versions of phishing are more dangerous and can lead to identity theft, unauthorized access to sensitive data, or the defrauding of funds.

To an organization, phishing is always a severe risk. Phishing is an early-stage and reliable tactic used by hackers to gain access to networks as part of a larger attack. For example, if you’ve been mentoring a graduate student for weeks and they send you an academic survey, would you open it? If your CFO receives formal notification of a lawsuit from a competitor, would you contact the law firm? If your IT department sends a message about service upgrades that require a new log-in, would you follow the instructions? These can all be examples of phishing.

Cybercriminals commonly use phishing to lure potential victims into performing harmful actions that could put your organization’s data at risk. This technique is the art of manipulating people to give up confidential information by either typing their login credentials to a fake company website or clicking a malicious attachment they thought was an invoice. Because phishing is effective and straightforward, cybercriminals launch thousands of attacks daily and can often be successful.

Five Most Common Types of Phishing Attacks

Regardless of the type of organization, large or small, it will be targeted by cybercriminals attempting a phishing attack. Phishing attacks are getting more difficult to spot, as some attacks will fool even the most observant employees. Education on these different types of phishing attacks is essential. Below are five common types of phishing attacks:

  1. Spear-Phishing is a targeted attack that aims to steal sensitive data from a specific organization or individual. Cybercriminals lure in the victims with personal information specific to the organization or the employee to seem more legitimate.
  2. Vishing is a phishing attack that occurs over the phone. Calls are usually made using a spoofed ID to make it seem safe to answer. As an example, a hacker could pose as a representative at your bank or credit union and call to alert you that there has been questionable activity on your account. Once they’ve gained your trust, the hacker will ask for your personal account information and can use that information to commit identity fraud.
  3. Whaling is a cyberattack that includes a high-level choice of target in an attempt to steal and misuse private, personal information of senior management at a company/organization. Whaling occurs in the form of emails that are more sophisticated than phishing and are often harder to recognize due to their use of elite corporate language. The email will include personalized information about the target or organization.
  4. Smishing uses SMS text messages that cite personal information, such as credit card details and passwords, to appear legitimate and acquire additional information. The text message usually includes a call to action demanding an immediate response or reaction.
  5. Clone Phishing involves receiving a spoofed email that looks identical to one sent by someone you have already received emails from. The spoofed email is malicious, however, and contains new information along with malicious links or attachments.

Consequences of a Successful Attack

Although the types of phishing attacks vary regarding risk levels, one thing they all have in common is the power to damage a business. Below are a few possible results of a successful phishing attack:

  • Unauthorized transactions
  • Password and username manipulation
  • Account takeovers
  • Identity theft
  • Credit card theft
  • Stolen data
  • Stolen funds
  • Sensitive data sold to third parties

These are just a few examples of what could become compromised when these attacks occur. Companies must invest in the proper Managed Detection and Response platform and Proactive Defense Program to help protect sensitive information and train employees on security awareness.

Be Proactive Against Phishing Attacks, Not Reactive

Equipping employees with the proper knowledge is the best defense when protecting an organization’s data and assets from phishing attacks. In 2019, a major healthcare company reported that one of its employees stopped a phishing attack within 19 minutes, according to Comparitech. Their employee said that they received suspicious emails, and their Security Operations Center was able to take care of it immediately. Creating a security culture within every department, not just IT, is vital.

As phishing emails become harder to detect, investing in security awareness training like a Proactive Defense Program will be the main differentiator between robust risk management plans and weak ones. The truth is that the future of phishing attacks depends on many factors. Cybercriminals are discovering new ways to step up their game daily and have become more sophisticated with their attacks. That said, it is up to the rest of us to find new ways to combat their tactics. At the end of the day, there is too much at stake if we do not think multiple steps ahead of cybercriminals.