As the general public's dependence on the internet has grown, a malicious practice adopted by cyber adversaries called phishing has become more widespread than ever. Research states that phishing accounts for 91 percent of all data breaches occurring currently. An average successful spear phishing attack can earn up to $1.6 million for the attackers. The platform may vary with the type of phishing attack, but the attack method tends to remain identical in every case: the attackers trick the victim into tapping a link and either downloading malware or entering credentials into a duplicitous login page.
The Menace of Phishing
Email is the most common vector in phishing attacks. The attacker sends the target emails designed to look like they come from well-known and trusted sources. The messages try to influence the recipient into taking specific actions and divulging sensitive information about themselves or their businesses.
As defenders identify newly evolved phishing techniques, develop security countermeasures, and spread awareness among the general public, attackers are also becoming more sophisticated in their methods and techniques.
Barracuda, a security vendor, found in a recent analysis of account-takeover attacks attempted on its customers that 29 percent of those organizations had their Office 365 accounts compromised by hackers in March 2019.
- Using attack methods like conversation hijacking, hackers insert themselves into meaningful conversations or threads about financial transactions or other wire transfers.
- Through account-takeover attacks, hackers monitor and track email activity in the company so that they can maximize their chances of executing successful attacks.
- After they have done the scouting, the cybercriminals use the harvested credentials to target high-value accounts, especially those of executives and finance department employees. They typically collect those credentials through spear phishing and brand impersonation.
World Cup Scams
In 2018, Russia alone reported 25 million cyber attacks during the FIFA World Cup. Hackers exploited fan enthusiasm through social engineering attacks for financial gain. Besides fans, the attacks also hit numerous employees of organizations as they viewed matches on business-issued phones and computers, or on personal devices over the company network.
The attackers also used a powerful botnet built from malicious extensions to steal users’ data, perform DDoS attacks, send spam emails automatically, and even access the users’ devices. Even after installing the malicious extension, users remained unaware that attackers could read and change their data, read their browser history, replace pages as they loaded, and even alter privacy settings.
Only early recognition of the risk, before it reaches end users, can address this new wave of the growing problem. It is necessary to detect and prevent phishing attacks by inspecting the page behind the link and breaking the chain before the harm happens.
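As an added illustration of inspecting links before they reach the user (example code written for this page, not a tool from the original article), the check below parses a constructed HTML email, flags anchors whose visible URL text disagrees with the real destination, and flags hostnames one character away from a trusted brand domain. The TRUSTED_DOMAINS list and the sample message are assumptions; the static checks run offline and would sit in front of any actual fetch of the destination page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: visible link text claims one brand while the href
# points elsewhere (the "duplicitous login page" pattern), plus a lookalike.
SAMPLE_EMAIL_HTML = """
<p>Your Office 365 mailbox is almost full.</p>
<a href="http://office365-login.example-secure.test/verify">https://login.microsoftonline.com</a>
<a href="https://www.example.com/help">Help centre</a>
<a href="https://paypa1.test/signin">PayPal</a>
"""

# Hypothetical allow-list of brand domains the organisation expects in mail.
TRUSTED_DOMAINS = {"microsoftonline.com", "paypal.com", "example.com"}

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    # Crude last-two-labels rule; adequate for the sample, not for real TLD handling.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = registrable(urlparse(href).hostname or "")
        # Visible text that is itself a URL must agree with the real destination.
        if re.match(r"https?://", text):
            if registrable(urlparse(text).hostname or "") != host:
                findings.append((href, "display/href mismatch"))
                continue
        # One-character near-miss of a trusted brand label (e.g. paypa1 vs paypal).
        for brand in TRUSTED_DOMAINS:
            if host != brand and edit_distance(host.split(".")[0], brand.split(".")[0]) == 1:
                findings.append((href, f"lookalike of {brand}"))
    return findings
```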
Social Media Phishing Attacks
As the world becomes ultra-mobile, hackers are also devising new and powerful phishing attempts. Social media sites give them the means to plant malicious elements on the network and coax users into disclosing their sensitive information. Research by John Seymour and Philip Tully on social engineering and E2E spear phishing says that around 66 percent of targeted users open spear phishing messages on social media, making attempts on these platforms more successful than their email equivalents.
In 2018, Facebook discovered that a flaw in the platform’s ‘View As’ feature could allow attackers unrestricted access to over 50 million user accounts. Given the lazy habit people have of reusing the same password pattern everywhere, it is not hard to guess how big a door the vulnerability could have opened to millions of accounts worldwide. It is also disconcerting to know that a similar scenario could very well happen again with Facebook or any other platform.
In July 2018, Corrata reported two scams, the ‘Martinelli’ video and the introduction of ‘WhatsApp Gold’. Both are social engineering attempts. The messages warn users about changes WhatsApp is about to introduce and advise them to inform the people in their contact lists. Because the messages arrive from loved ones, many users trust their contents and act on their instructions, which means they are primed for further social engineering attacks.
The attacks highlighted above show that phishing lures look so legitimate that a user often cannot imagine being under a severe threat of exploitation. Without reliable anti-phishing solutions and techniques, it is almost impossible to protect individuals and organizations from these global risks.
In this age of digital transformation, a phishing attack can take nearly every form imaginable. It is therefore the responsibility of every user to be aware of the different techniques and learn to recognize an attempt when they see one. Enterprises should also train their employees in scam identification so that they can instantly tell the difference between an official message and a fake one.