Phishing is a form of scam or attack that involves tricking the victim into sharing personal information or taking an action online. The intent of the attack is to obtain the user’s system credentials, financial information, or other sensitive information to be used for their benefit. These attacks can range from fairly simple to complex cyber security issues.
Generally, the scammer disguises as a trusted entity from a reputed source to entice the victim to take an action using emails or other forms of communication. Phishing emails are commonly used to distribute vicious links or attachments that can perform numerous functions such as extracting account information and login credentials and even installing malware on the victim’s system or directing them to cloned websites. Phishers use text messages, emails, and phone calls to entice their victims.
Phishing and Email Fraud Statistics presented by Retruster is as follows:
· The average financial cost of a data breach is $3.86m (IBM)
· Phishing accounts for 90% of data breaches
· 15% of people successfully phished will be targeted at least one more time within the year
· BEC scams accounted for over $12 billion in losses (FBI)
· Phishing attempts have grown 65% in the last year
· Around 1.5m new phishing sites are created each month (Webroot)
· 76% of businesses reported being a victim of a phishing attack in the last year
· 30% of phishing messages get opened by targeted users (Verizon)
Email phishing – Fraudsters use emails that are designed to imitate legitimate companies to entice individuals into providing information such as login details, financial details, bank details, and even social security numbers.
Spear phishing – This involves personalized targeting of high-profile account holders by the attacker by sending email messages to specifically targeted victims. The scammers gather or buy information about the target victim and mount their scam. This is one of the most effective forms of phishing resulting in about 90% of the attacks.
Clone phishing – This phishing method is one of the most difficult to detect. As the name sounds, scammers replicate an identical version of a recently received email and re-send it from a seemingly credible source, thus tricking the victim to take action. Although the message of the email could remain the same, links and attachments are replaced with malicious ones and upon clicking them they are directed to fake websites or infected attachments.
Whaling attacks – In plain terms, whaling is targeting the ‘big fish’ or senior executives of a company with the goal of extracting highly sensitive corporate data. The targets are generally high-ranking offices such as CEO, CFO and other high-level executives with access to highly sensitive data. After considerable profiling of the target, a well-timed attack is launched by the attackers to steal login credentials.
An example is the attack on Sydney hedge fund Levitas Capital to the tune of $8.7 million in November 2020.
Pop-up / scareware phishing – Here pop-up ads are used to trick users into installing malware on their system. They generally use scare tactics to prompt users to act fast to address an alleged cybersecurity concern. This is an effective way to gain access to the victim’s computer or steal credit card information. Some common pop-up techniques are – fake antivirus scams, clickjacking, virus removal scams, tech support scams, in-session pop-ups.
Link manipulation – Also known as URL hiding, this is used in different ways. Malicious URL links are created mimicking legitimate websites and unsuspected victims are directed to these malicious websites on clicking on these links.
Vishing – Also known as voice phishing, phone calls are used to make attacks. Attackers use automated voice messages that seem to be from legitimate institutions such as government entities or financial institutions that are communicated to individuals enticing them to provide their credit card credentials or Social security number. Generally, scammers entice victims to share personal information to claim rewards.
Smishing – SMS phishing or smishing is similar to email phishing and vishing. Here text messages that contain malicious links are sent to victims from what seems like legitimate sources. These links can be disguised in any form such as offers, chances to win something, or even discount coupons.
Social medial phishing – Social networking sites like Instagram, Twitter, Facebook, and LinkedIn are used by attackers to lure victims into clicking on malicious links. Attackers create fake accounts of individuals or businesses to prey on their victims.
Phishing will continue to be a persistent problem as it is versatile, cost-effective, and highly scalable thus proving to be effective for scammers to gain access to the organization’s network system. Also, since employees are easier to be tricked into handing over sensitive data scammers are deploying these techniques to achieve their goal. Scammers leverage on user behavior of individuals to gain entry into computer and then take control of their valuable information.
According to the 2019 Internet Crime Report by the FBI, “Internet Crime Complaint Center (IC3) received 467,361 complaints in 2019—an average of nearly 1,300 every day—and recorded more than $3.5 billion in losses to individual and business victims.”
Typically, thousands of phishing attacks are launched every day by scammers and often they are successful. Therefore, it is necessary to be aware of the various techniques employed and be able to recognize them.
Some signs that you need to look out for:
· Beware of suspicious emails – especially supposedly from a financial institution with subject lines like “account suspended” or “funds or hold”.
· Beware of suspicious links in emails as they could lead you to fake websites or install malware on your system.
· Beware of emails asking for password, PIN, bank account number, Social Security Number.
· Avoid clicking on pop-up ads that warn that your computer is infected or to call on particular numbers.
· Use spam filters to block emails from illegitimate sources.
· Make sure your device is protected by trusted multi-layered security software to protect financial information and personal files.
· Using secure email gateways in your organization will help detect suspected emails and prevent them from reaching employees’ emails as these are the first line of defense against a breach. Built-in spam filters and junk folders may not be reliable.
· Two-Factor Authentication (2FA) – This requires email users to verify their identity through other channels like a text message or security token – thus permitting only legitimate users to access their email account and also warning the user when someone is trying to access their account.
· Practice password hygiene and create strong passwords, and change passwords often.
· Employees and coworkers should be trained and educated on the common phishing techniques, how to identify suspicious messages, using password hygiene, email security, and reporting any suspicious incidents.
Since phishing is versatile and proves effective for the scammers, it bound to see an increasing trend. Despite the various preventive measures taken, phishing is continually evolving and adapting new forms and technologies to lure victims. Organizations should use advanced tools and security awareness programs should be conducted regularly so that employees will not fall prey to the scammers and be updated on the evolving phishing techniques