Beware! Phishing attacks are carried out by cyber criminals to grab sensitive information (e.g. banking information, credit card information, customer data and passwords) and misuse it.

How does phishing work?

Hackers spread their phishing net to catch different types of phish. Be it a small phish or a big whale!

Phishing attacks are carried out by cyber criminals who conceal their identity, pose as a trusted party and lure the victim into opening deceptive emails in order to steal sensitive information. These attacks succeed because of a lack of security knowledge. In short, a phishing attack is a disguised attack made by a hacker in a very sophisticated way.

Phishing scams can target thousands of users at a time. For example, a fake Google Mail login page is created and emails are sent asking customers to check their accounts. Huge scams lead to huge losses. Surveys show a phishing increase of approximately 250% according to Microsoft. There are many types of phishing attacks and phishing scams carried out by hackers:

Email phishing:

Many business owners are oblivious to insecure email links. For example, the victim gets an email from the hacker asking them to check some unknown transactions in their bank account, with a fake link to a site which looks legitimate. Without thinking, the victim opens the fake link and enters their account details and passwords. That’s it. You have been attacked!

Spear phishing:

Spear phishing is an email attack carried out by a perpetrator pretending to be your friend. To make their attack successful, these fraudsters invest a lot of time and effort in gathering specific information about their victims, e.g. the victim’s name, position in their company, contact information etc.

They later customise their emails with the gathered information, tricking the victim into believing that the email was sent from a trustworthy source. Fake URLs and email links are included in the email, asking for private information. Spear phishing emails target individuals as well as companies to steal sensitive information.

Domain spoofing:

The attacker forges the domain of the company in order to impersonate it. The victim receives an email carrying the company’s domain name, believes that it’s from a trusted source and opens it.

A few years ago there were only 2 types of phishing attacks: email phishing and domain spoofing. Either the email name was forged, or the domain name was forged to attack victims. But as time goes by, cyber criminals come up with various other types of attacks.

Whaling:

A whaling attack, or CEO fraud, as the name suggests, targets high-profile individuals such as the CEO or senior executives of a company. The attack is almost like spear phishing; the only difference is that the targets are like whales in the sea rather than fish. Hence the name “whaling” is given to these phishing attacks.

Fraudsters can take months to research their high-level victims, along with their contacts and trusted sources, so that they can send fake emails to obtain sensitive information and later steal important data and money, hampering the business. As they target senior management, the business losses can be huge, which makes a whaling attack more dangerous.

Vishing:

VoIP (Voice) + Phishing = Vishing.

The phishing attacks described so far are made by sending emails. When an attack targets mobile numbers instead, it’s called Vishing or Voice Phishing.

In Vishing attacks, the fraudsters call a mobile and ask for personal information while posing as someone else, e.g. a bank employee. They get bank account numbers, PIN numbers or passwords, and once you have handed that information over you have given these people access to your accounts and finances.

SmiShing:

SMS + Phishing = SmiShing.

Just like Vishing, SmiShing attacks are also related to mobiles. The attacker sends a text message to the target person asking them to open a link or a text alert. Once they open the fake message, the virus or malware is instantly downloaded to the mobile. In this way, the attacker can get all the desired information stored on your mobile.

Clone phishing:

Clone means to duplicate, which gives this attack its name. Clone phishing is when an email is cloned by the fraudster to create another identical email to trap employees. As it’s a perfect replica of the original, fraudsters take advantage of its legitimate look to carry out their malicious intentions.

Search engine phishing:

This is a new type of phishing whereby the fraudster builds a website made up of fake products, fake schemes or fake offers to attract customers. They can even team up with fraudulent banks for fake interest schemes. They get their website indexed by search engines and wait for their victims. Once a customer visits their page and enters their personal information to purchase a product, that information is in the hands of the fraudsters, who can use it as they please.

Watering hole phishing:

In this type of phishing the attacker keeps a close watch on their targets. They observe the sites their targets usually visit and infect those sites with malware. It’s a wait-and-watch situation whereby the attacker waits for the target to revisit the now-malicious site. Once the targeted person opens the site again, the malware infects the victim’s computer and can then grab whatever personal details or customer information it can.

Although the cyber hackers are very clever, there are certain precautionary measures which can help prevent them succeeding:

  • Check the URL before clicking unknown or suspicious links
  • Do not open suspicious emails or links
  • Change passwords frequently
  • Educate and train your employees to identify phishing attacks
  • Check for secured sites; i.e. HTTPS sites
  • Install the latest anti-virus software, anti-phishing software and anti-phishing toolbars
  • Don’t install anything from unknown sources
  • Always opt for 2-factor authentication
  • Trust your instincts
  • Update your systems with the latest security measures
  • Install web-filtering tools for malicious emails
  • Use SSL security for encryption
  • Contact Kerbury for advice

The main point of phishing emails is to trick users into clicking on emails or links, causing them monetary loss. Ongoing cyber security training given to all employees from top to bottom will keep them alert to such attacks, protecting your business from financial damage. Contact us to see how we can help you! 01440708686 www.kerbury.co.uk