5 phishing attack methods every business should know in 2020
There was a time when the main tech-based worry for any business was viruses. Large companies spent thousands of dollars on antivirus software, while those that didn’t paid the price when one of their client machines became infected, crippling their infrastructure and effectively grinding the whole operation to a screeching halt. In the modern era, pretty much every computer terminal you can buy comes with some sort of virus protection, which tends to do a pretty decent job so long as the security patches are installed promptly on all machines across the business.
In addition, companies are also taking advantage of the internet. Many now have various components of their infrastructure such as workstations, servers, and web applications that are connected online. Hackers try to breach company networks by exploiting these components. Fortunately, their attempts are now easily thwarted by the use of web application firewalls (WAF) which can block malicious traffic and unauthorized requests sent to these devices.
This doesn’t mean that IT departments can rest on their laurels, though. A new threat has emerged over the last decade or so that is equally devastating if deployed correctly, and it targets weaknesses not in coding but in us, the human beings. That threat is phishing.
So, how do phishing attacks work? Rather than installing a program (a virus) on a computer, phishing relies on the weakest chink in the armor of any workplace, which is, unfortunately, the workforce. Human beings are notoriously easy to fool (we are only human after all), so a phishing attack aims to lure a member of staff into a false sense of security and give a cybercriminal access to areas of a business they should not be privy to, resulting in loss of money and/or data. It can take many forms, but detailed below are the 5 types to watch out for in particular if you wish to avoid falling victim to such a crime.
Email (or spear) phishing
Email phishing is probably the most common and least sophisticated version of phishing currently employed by cybergangs. A simple example of how this works would be that the accounts department receives an email from what looks like a regular supplier asking to be paid. The email looks authentic to the untrained eye, but it is in fact from a similar-looking email account that has been registered by a cybercriminal. With only a letter or two different from the legitimate address, an unsuspecting employee might follow the instructions within the email and sign into what looks like a payment website, but in doing so hand over the company banking details to someone they do not know.
Smishing and Vishing
Smishing is similar to email phishing, but the deception takes place within a text message rather than an email. The idea behind the act remains the same: luring an employee into a false sense of security and directing them to a website where sensitive information will be stolen. Vishing is the exact same technique but deployed via a telephone call.
Whaling
Whaling is targeted at employees, with the aim of making them panic and act quickly rather than thinking things through properly. It takes the form of imitating a high-ranking employee or CEO. When an email comes through to a low-ranking employee purporting to be from 'the boss', they tend to act quickly. A simple "I need you to pay this parking ticket for me right now" is often all that is needed to fool someone into clicking a link they really shouldn’t be clicking. A particularly popular ruse is to ask for a tax return to be sent over, which obviously will contain a huge amount of data that a cybercriminal can leverage to great effect.
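The warning signs of a whaling email can be checked mechanically: an executive's name on an address outside the company, replies routed elsewhere, and wording that demands speed. This is an added example, not code from the original article; the company domain, executive names and phrase list are assumptions, and both messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "corp.example"                 # assumed corporate mail domain
EXECUTIVES = {"dana whitfield", "sam okafor"}   # assumed names (constructed)
URGENCY = ("right now", "urgent", "immediately", "asap")

def whaling_signals(raw_message):
    """Return the list of whaling warning signs found in one raw email."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    signals = []
    # The boss's display name on a mailbox that is not the company's.
    if " ".join(name.lower().split()) in EXECUTIVES and domain != COMPANY_DOMAIN:
        signals.append("executive-name-external-sender")
    # Replies silently diverted to a different domain than the sender's.
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        signals.append("reply-to-domain-mismatch")
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + (body if isinstance(body, str) else "")).lower()
    # Pressure to act before thinking.
    if any(phrase in text for phrase in URGENCY):
        signals.append("urgency-language")
    return signals

# Constructed messages for illustration only.
SPOOFED = """From: Dana Whitfield <dana.whitfield@mail-corp.example>
Reply-To: dana.w@freemail.example
To: ap@corp.example
Subject: Parking ticket

I need you to pay this parking ticket for me right now.
"""

LEGITIMATE = """From: Dana Whitfield <dana.whitfield@corp.example>
To: ap@corp.example
Subject: Q3 review

Agenda attached for Thursday.
"""

if __name__ == "__main__":
    print(whaling_signals(SPOOFED))
    print(whaling_signals(LEGITIMATE))
```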
Angler phishing
Angler phishing is the use of social media to gain access to sensitive information in much the same manner as the other phishing types. Fake URLs and cloned websites can be put forward to a member of a company’s social media account, and trick them into divulging login details without the team member even realizing what has happened until it is too late.
Social media also plays a secondary role in phishing attacks when team members publicly post all kinds of useful information that cybercriminals are only too happy to take advantage of. That Facebook post about your dog may seem innocuous when you first publish it, but criminals can use that information to reset passwords for important sites that you use. If you have ever used your pet’s name or mother’s maiden name as a backup answer to access your email, and you have also posted this information for all to see on a social media platform, you are brazenly showing the criminals that your digital key is under your metaphorical doormat.
Education is the best defense
So, what is the best defense against such attacks? When it comes to phishing, there are only two options for you to combat this particular scourge. Firstly, and perhaps most importantly, you need to educate your team. A workplace that is aware of the various types of phishing out there is a team that is far better equipped to fight it. Talk to your fellow staff, explain and show them examples of such attacks, and teach them to be skeptical of anything that shows the key warning signs of phishing.
The second way businesses are fighting back against phishing attacks is with AI and machine learning. Computer programs are getting more sophisticated with each passing year, and AI and ML in particular are going from strength to strength. There are already products on the market that can warn employees that an email may not be from an official source, and we can expect these programs to get better as we (the employee) and they (the AI) gain further experience with phishing attacks.
For now, a phishing detector email client plug-in and employees who are well versed in the obvious warning signs are the best way for small teams to prevent a devastating phishing attack. "Knowledge is power", or so the saying goes, so make sure your company is as powerful as it can be when it comes to the threat of phishing, in any of its variants.
Peter Davidson works as a senior business associate helping brands and start ups to make efficient business decisions and plan proper business strategies. He is a big gadget freak who loves to share his views on latest technologies and applications.