As the holiday season approaches and shoppers plan to spend more online on toys, gifts, clothes, etc. for their loved ones, cybercriminals become more active, trying to lure online buyers into giving up their banking and credit card information. According to various published reports, October is a dangerous month for organizations, as attackers come out of their caves in search of prey. Email addresses, phone numbers, account numbers, and login credentials are all akin to gold for hackers. The reports also show that phishing is the top attack vector in multi-vector attacks.
Some Facts on Phishing:
- Phishing season ramps up in October (with approx. 50% of annual average attacks) and continues until January. Organizations need to train their employees to reduce the click-through rate on attachments, malicious emails, and other web links from the current 33% to 13%.
- Adversaries lure their targets either by sending malicious e-mails or through texts and phone calls. Enterprises therefore need to be vigilant and provide training against such attacks, taking past phishing attacks into account.
- Phishing fraudsters impersonate well-known companies or government departments (such as banks, tax departments, etc.) to enhance their credibility in front of victims.
- Phishing attacks can be delivered through emails, text messages (SMS), and website pop-ups, as well as URLs posted in online ads, tweets, and status updates on social media. These lead users to malicious websites built by cybercriminals to steal the user’s personal and financial information.
- Money is everything for phishers, and this makes financial organizations extremely vulnerable to such attacks. However, e-commerce enterprises have also become an easy target for cyber-criminals these days.
The holiday season is a peak time for phishing attackers to break into your systems, as this is when organizations are wrapping up their year-end work and most employees are enjoying their vacations. It is also the season of extended discounts (both online and offline), so people are on a shopping spree. All these activities give attackers leverage to gain access and steal private information.
Phishing: Giving Away The Access
With the arrival of the holiday season, cybercriminals switch to active mode, and users of computer systems should be more aware of the threats phishers pose to individuals and organizations. Phishing is considered one of the most successful attack vectors because it yields a large amount of stolen data. Login credentials, account numbers, social security numbers, credit card details, and passwords are all taken in one click as cybercriminals exploit the user’s weaknesses and gain access.
Modus Operandi Of Phishing Attacks
Although the way cybercriminals try to lure victims has changed with time, the psychological hook remains the same. Their strategy includes:
- Target selection: Finding vulnerable victims, their e-mail addresses, and social profiles, to identify the psychological hot button that will lure them.
- Social engineering: This involves throwing bait towards the intended victim and luring them into parting with their private credentials.
- Other technical methods: This includes setting up the digital infrastructure to trap the victim, for example, creating a fake website and crafting malware.
These attackers build fake websites, craft malware, and use encryption to evade filter checks by security scanners.
Types of Phishing Lures
People’s emotions (such as fear, urgency, monetary greed, etc.) are an easy target, and attackers use them to lure people into opening attachments or clicking on phishing links. The most common types are:
- Invoices attached: Attackers manage to get partial information about the target from social networking sites or other sources, and send personalized emails with statements such as “Due date: find invoice attached.” These types of emails appear to come from a legitimate source and are sometimes personalized with the victim’s name.
- Social network related: These emails alert you about an attack on your social network profile (Facebook, Twitter, etc.) and ask you to click on the attached link, which is fake and redirects you to an unsafe web page.
- Be on the lookout for the web address: extra letters, misspelt words, or extra affixes at the end of a URL. Such URLs seem to lead to a trusted website but are in fact crafted by cybercriminals to trick users into revealing their personal or financial information, user credentials, etc.
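An added example (not part of the original article): a small Python check for the URL tricks described in the last bullet, flagging misspelt or extra letters and trusted names used as affixes of another domain. The `TRUSTED` list, the sample URLs, and the two-label domain split are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Assumed allow-list for this example; a real deployment would load its own.
TRUSTED = ("amazon.com", "facebook.com", "twitter.com")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host: str) -> str:
    # Assumption: last two labels; production code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def classify(url: str) -> str:
    """Return 'trusted', 'misspelt', 'brand-in-host', 'unknown' or 'invalid'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    domain = registered_domain(host)
    if domain in TRUSTED:
        return "trusted"
    name = domain.split(".")[0]
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        # One or two edits away from a trusted name: extra or swapped letters.
        if 0 < edit_distance(name, brand) <= 2:
            return "misspelt"
        # Trusted name appears as a subdomain, prefix or suffix of another domain.
        if brand in host:
            return "brand-in-host"
    return "unknown"

# Constructed sample URLs (reserved .example names, not real sites).
SAMPLES = [
    "https://www.amazon.com/gp/cart",
    "http://amaz0n.example/login",
    "https://amazon.com.account-verify.example/signin",
    "https://facebook-security.example/reset",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{classify(u):14} {u}")
```

A "misspelt" or "brand-in-host" verdict is a reason to hold the message for review, not proof of fraud; legitimate domains can also contain a brand name.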
Malware is created to accomplish many things, and eventually it finds a way into the victim’s machine. Common malware families include Gootkit, Gozi, and Zeus. Malware attacks change the browser’s proxy settings and redirect website traffic to the attackers.
Prevention From Phishing Attacks:
Follow these steps to keep your private information safe in a digital age filled with phishing attacks.
- Regularly update your browsers, as security patches are periodically released to close security loopholes.
- Organizations should train their employees about these cybercrimes and guide them on how to avoid clicking a link in an email if it seems to come from an untrusted source.
- Use automated anti-phishing solutions to filter out deceptive e-mails from the user’s inbox that appear to come from a popular commercial website such as Amazon.
- High-quality firewalls need to be installed on systems, where they act as a barrier between the user and cybercriminals.
- Anti-phishing software needs to be installed. All browsers have anti-phishing toolbars, which need to be customized to show a notification whenever the user visits an insecure website.
- Users can rely on trustworthy spam filters, Next-Gen Intrusion Detection Systems (IDS), Next-Gen Firewalls, and Intrusion Prevention Systems (IPS), which not only detect malicious emails beforehand but are also capable of blocking unknown threats and preventing phishing attacks.
- They can even block phishing attachments from opening. Organizations should therefore choose to deploy Next Generation Endpoint Protection.