Our last blog took a look at what is phishing and some ways to prevents phishing attacks. But in order to accurately identify such attacks, one needs to know the different forms such hacks can take. There are several variations of phishing attacks that are utilised by attackers. It is crucial to understand the differences between these variations and how to combat them, this article will aim to shed light on this.
Below are six main types of phishing attacks utilised by cyber criminals, with an explanation of how they work:
This type of Phishing attack involves attackers targeting key employees in key departments in an organization, for instance managers in the finance and accounting department of an organization. During Business Email Compromise or CEO Fraud an attacker impersonates a CEO or finance officer in an organization and sends an email on their behalf to a subordinate asking them to initiate a transfer of funds into a fake account owned by the attacker.
How it works - Typically attackers compromise the account of an authoritative figure in an organization like a senior executive by exploiting an existing infection planted in the system, for example, through a spear phishing attack. The attacker then studies the email activity to decipher the procedures and processes surrounding communication in the organization. Once the attacker has a good idea of the communication habits of the compromised account, he or she sends a fake email to a regular recipient. The fake email will usually urge the recipient to make an unauthorized transfer of funds to an external account in control of the attacker.
Vishing stands for ‘voice phishing’ and refers to phishing attacks over the phone. Attackers typically utilise Interactive Voice Response (IVR) technology that is commonly used by financial institutions, to trick victims into divulging sensitive information.
How it works - A message sent by the attacker will request recipients to call a number and enter their account information or PIN number for verification or security purposes. The source of these malicious messages are typically disguised as coming from a bank or government institution, essentially an entity that is trustworthy. But in reality when victims dial the number provided it puts them in touch with the attacker using IVR technology.
Smishing similar to Vishing is a portmanteau of the term ‘Phishing’ and ‘SMS’ and refers to phishing attacks carried out via the text message function of mobile phones. The reason why attackers have started to target victims via text message is because statistics show that humans are more likely to open and read messages on their phone compared to a message received via email.
How it works - Attackers send their victims messages on their mobile phones masquerading as a trusted person or organization, these messages are designed to trick victims to provide attackers with exploitable information or access to their mobile devices. Cyber criminals have decided to target mobile phones because research has proven that individuals are less likely to secure their mobile devices compared to their personal computers or laptops.
Clone Phishing is a type of phishing where the attacker creates a replica of an actual message sent between an employer and employee in the hopes of tricking the victim into thinking it’s real. The email address that the message is being sent from resembles the address of the legitimate sender along with the body of text which matches a prior message in terms of style and substance. The only difference between the legitimate message and the illegitimate one from the attacker is a file or attachment that carries an infection.
How it works: The idea behind this type of phishing attack is that the victim is supposed to think that the original message is simply being re-sent to them, so there is no reason to doubt it’s legitimacy. Which makes it more likely that they will fall for the attacker’s trap and click on the malicious attachment or download a file that has malware embedded code in it.
While Phishing involves cyber criminals fishing for random victims by using spoofed email as bait, Spear Phishing consists of attackers picking their targets. Instead of targeting 1000 victim’s login credentials, attackers who utilise a spear phishing method, target a single organization or handful of businesses. An example of where spear phishing is used is between nations, a government agent from one nation may target another country for sensitive intel via fraudulent emails.
How it works - unlike regular Phishing, attackers spend time researching their victims and crafting messages specific to the recipient, for example, messages may refer to a recent event the target attended or the message may be spoofed to resemble a communication from the organization the victim is employed to.
This is a social engineering tactic used by cyber criminals to ensnare senior or other important individuals in an organization by acting like another senior player, in the hopes of gaining access to their computer systems or stealing money or sensitive data. Whaling has an added element of social engineering compared to phishing as staff are more likely to carry out actions or divulge information without giving it a second when the request is coming from someone who is a ‘big fish’ or ‘whale’ in the organization, like the CEO or Finance Manager.
How it works - this social engineering tactic is very similar to phishing as it also uses email and website spoofing to trick individuals, the key difference being, phishing tends to target non specific individuals while whaling involves targeting key individuals or ‘’whales’ of the company like the CEO or Finance Manager while masquerading as another influential or senior individual in the organization.
Organization’s need to realise that their employees are the weakest link when it comes to information security and training and awareness need to be prioritized if they want to avoid succumbing to cyber criminals. By studying the different types of phishing attacks utilised by attackers, you and your organization can prevent the consequences of falling for a cyber attack. By understanding how popular phishing attacks work you and your employees will have an easier time identifying red flags in fraudulent emails.
StickmanCyber's team is equipped to help your employees recognise such attempts, and prevent social engineering attacks.