While technical measures to secure our personal information and devices become more sophisticated, phishing remains one of the cheapest and easiest ways for cyber criminals to initiate a con. For example, when asked for credit card information by where you usually shop, be sure it’s legit before you provide any personal details.
Phishing is a growing cybercrime concern for businesses and individuals, and cybercriminals use phishing as a tactic to lure their victims into giving them sensitive information in order to steal identities.
Phishing is a method used by cyber-criminals who use fake emails, texts or instant messages in order to deceive victims into giving away sensitive information like their credit card details by either fooling them into believing they’re speaking to someone they trust or are in some sort of trouble.
How does phishing work?
Phishing campaigns usually use one of two primary strategies:
1. Malicious attachments
Malicious email attachments, which usually have enticing names, such as ‘INVOICE’, install malware on victims’ machines when opened. This malware may quietly steal important information from the victim’s computer or even use it as a resource to launch denial of service attacks against other computers.
2. Links to malicious websites
Malicious links may point to a website that is used as a fake copy or look-alike of a legitimate one which contains a malicious script intended for stealing your personal and private information.
Types of phishing website
1. Pharming/DNS cache poisoning
Pharming means to redirect false traffic from a website. It is committed by exploiting vulnerabilities inside the DNS (Domain Name System). The domain name system maps domain names to IP addresses on the Internet. A pharming attack impersonates a real site about which he is informed.
2. Typosquatting/URL hijacking
These spoof websites look genuine but are subtly different from the sites they impersonate.
- Misspell the legitimate URL;
- Use letters that are next to each other on the keyboard, such as ‘n’ in place of ‘m’;
- Swap two letters round; or
- Add an extra letter.
3. Targeted phishing attacks
Phishing attacks may come with a wide array of tactics and tricks, but it’s important to remember that these days there are many different hybrid versions of phishing emails too. While they’ve been in use for quite some time, the idea is pretty simple. Knowingly or unknowingly you might have witnessed or even taken part in one of these variants – like spear phishing – which targets specific organizations rather than individuals.
These types include:
- Clone phishing
- Whaling/CEO fraud
- BEC (business email compromise)
How to identify phishing emails
- Public email domains
- Misspelled domain names
- Bad grammar and spelling
- Suspicious attachments/links
- Sense of urgency
How to mitigate phishing attacks
Implement appropriate technical countermeasures appropriate to the size of your business to prevent potential phishing attacks such as those sent by random attackers from getting through your defenses.
As a security engineer, it’s important that you or your team takes a healthy approach to good habits. Security incidents can happen which is why you’re paid for your services! Encourage your team to admit when something has slipped through the net and have regular meetings with staff to make them aware of best practice.
After training people in staff awareness, put them to the test. The effectiveness of a phishing attack can be used to evaluate the clarity of your instructions and to determine who needs more follow-up.
How we can help you mitigate the threat of phishing
IT Governance is a company that has made it their business to deliver the best ever IT governance and risk management courses, as well as offer the best phishing solutions online. So if you’re looking for ways to improve your own IT policies or want to stay up-to-date with the latest cyber security threats in your area.
In closing, Phishing attacks are on the rise. Reports show record growth in recent years, and a solid security awareness program is an integral part of any defense-in-depth strategy. Phish Threat allows you to experience the life of a potential victim of phishing scams. It will also educate employees with well-thought training material that provides them with relevant information on how to protect themselves from these online threats.