According to the 2017 State of the Phish survey, 76% of respondents reported being the victim of a phishing attack in 2016, and 2018 is no different. A phishing attack is when a cyber-criminal sends an email posing as a trusted entity in order to extract sensitive information from the target. Below are the five main types of phishing bait currently being employed. If you can train your employees to watch out for these threats, you’re on your way to preventing phishing attacks from successfully executing malware in your environment.
Cloning, as the name suggests, is where a cyber-criminal clones an email from a legitimate sender, replacing the original attachment (or link) with a malicious one. The email is usually sent from a spoofed address that looks similar to the original sender's. Cloning is a very common and effective form of phishing attack, as many recipients are not savvy enough to cross-reference the sender's address.
Spear-phishing is a form of attack that targets specific users. Such attacks require careful planning, as they are tailored to a specific individual within an organisation. In spear-phishing attacks the attacker will often attempt to build a rapport with the target in order to gain their trust.
Bring Your Own Device (BYOD) Threats
As the BYOD trend continues to gain popularity, a number of phishing attack vectors are emerging which target mobile devices. One example is SMS phishing, where an employee receives a text message convincing them to download a malicious application. Alternatively, they may be asked to click on a malicious link whose URL has been masked, using a technique known as “URL padding”, so that it looks legitimate.
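The two tricks described above, a cloned mail sent from a lookalike sender address and a link whose hostname is padded with hyphens so that a narrow mobile address bar shows only the trusted-looking prefix, can both be caught mechanically before a user ever sees them. The following is an added example of such a triage check, not code from the original article: the allow-list TRUSTED_DOMAINS, the sample From: header and body, and the attacker.example hostname are constructed, and the "registrable domain" is approximated as the last two hostname labels (multi-part TLDs such as .co.uk are not handled).

```python
"""Lookalike-sender and padded-URL checks for inbound mail triage (added example).

Assumptions (not from the original article): TRUSTED_DOMAINS is a constructed
allow-list, the sample header and body are constructed, and "registrable
domain" is approximated as the last two hostname labels.
"""
import re
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation legitimately mails with.
TRUSTED_DOMAINS = {"example-bank.com", "example-corp.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a value of 1 or 2 between two domains suggests a
    typo-squat or a homoglyph swap such as 1 for l."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(host: str) -> bool:
    """True when host is a trusted domain or a genuine subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def sender_domain(from_header: str) -> str:
    """Domain of the address in a From: header. The display name is ignored
    because a cloned mail copies the legitimate display name verbatim."""
    m = re.search(r"<([^>]+)>", from_header)
    address = m.group(1) if m else from_header.strip()
    return address.rsplit("@", 1)[-1].lower()


def lookalike_of(host: str):
    """Return the trusted domain that host appears to imitate, else None."""
    host = host.lower()
    if is_trusted(host):
        return None
    for t in TRUSTED_DOMAINS:
        brand = t.split(".")[0]
        # Brand name embedded in a foreign host, e.g. example-bank.com.attacker.example
        if brand in host:
            return t
        # One or two character edits, e.g. examp1e-bank.com or exampel-bank.com
        if edit_distance(host, t) <= 2:
            return t
    return None


def url_findings(url: str) -> list:
    """Findings for one URL: hyphen padding in the hostname and any trusted
    brand the hostname imitates, together with the domain really contacted."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # simplification, see module docstring
    findings = []
    if re.search(r"-{3,}", host):
        findings.append("hyphen padding in hostname")
    target = lookalike_of(host)
    if target:
        findings.append(f"hostname imitates {target}, real domain is {registrable}")
    return findings


def triage(from_header: str, body: str) -> dict:
    """Combine the sender check and the per-URL checks into one verdict."""
    findings = []
    dom = sender_domain(from_header)
    target = lookalike_of(dom)
    if target:
        findings.append(f"sender domain {dom} imitates {target}")
    for url in URL_RE.findall(body):
        findings.extend(f"{url}: {f}" for f in url_findings(url))
    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    # Constructed sample: a cloned invoice mail with a spoofed sender and a padded link.
    sample_from = "Accounts Payable <billing@examp1e-bank.com>"
    sample_body = (
        "Your invoice is attached. Review it at\n"
        "http://example-bank.com-------------secure-login------.attacker.example/inv\n"
    )
    for line in triage(sample_from, sample_body)["findings"]:
        print(line)
```

Run as a script it reports three findings for the constructed message: the sender domain imitating example-bank.com, the hyphen padding, and the padded hostname resolving to attacker.example rather than the bank. A genuine subdomain such as login.example-bank.com produces no findings, which is the property that keeps a check like this usable on real mail flow.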
Internal Corporate Emails
A Business Email Compromise (BEC) attack is where a cyber-criminal sends an email to an employee – posing as a top-level manager – requesting sensitive information. BEC attacks are very effective, as employees tend to feel pressured into carrying out the request.
Whaling is essentially the same as spear-phishing; the main difference is that whaling attacks target managers, CEOs, etc. The principle behind whaling is that top-level executives have greater access privileges than regular employees, so a successful attack could yield greater rewards in terms of the sensitive data obtained.
How can businesses protect themselves from phishing attacks?
Obviously, the first place to start is to train all employees, managers and third parties to spot phishing emails, and to make sure they are fully aware of their security responsibilities. If your employees know how to spot a potential phishing attack, they will be far less likely to fall for it. One of the best ways to ensure that your staff are vigilant in spotting potential phishing emails is to carry out a simulation: send a simulated phishing email to all staff members asking them to click on a link, then monitor who clicks it and how many people do.
Although it is unlikely that you will be using an email client that doesn't come with a spam filter, it is still worth a mention: spam filters are able to identify emails from suspicious senders and block them. Install the Windows Defender Browser Protection browser plug-in to help you identify links in phishing emails, suspicious websites, and so on.
Whenever possible, use multi-factor authentication, which can prevent an attacker from gaining access to your systems even if they manage to obtain a user's login credentials. Grant employees the least privileges necessary for them to do their job. This at least minimizes the attack surface, should an attacker obtain an employee's login credentials. For example, if one of your junior employees falls victim to a phishing attack, the impact will be fairly minimal, as their access levels should be limited. If, however, a senior administrator falls victim to the same attack, the malware could leverage domain account privileges to affect servers, endpoints and sensitive data across the entire network.