In our previous blog, we talked about the signs you should look for in order to recognise a phishing attack. This time, we will talk about the different types of phishing techniques, new and old.
Advancements in technology and software have allowed phishers to innovate their attacks and expand their criminal range. Recently, phishers have been targeting their victims with sophisticated, orchestrated attacks using COVID-19 as a lure. Experts report that there has been a 667% increase in COVID-19 related attacks since the end of February 2020.
Although phishers still prefer using emails in their attacks, there are various types of phishing techniques that they use. To help you become more aware of phishing attacks, we have compiled some of the different types of phishing techniques. This includes the most recent attacks documented by experts.
Spear Phishing is a targeted attack on a specific individual or organisation, and requires extensive research. The attack is more personalised to ensure that the target takes the bait.
For example, users of streaming service Netflix in Brazil received phishing emails asking them to update their account information. Experts believe phishers took advantage of a Netflix announcement about reduced streaming quality for European viewers.
Whaling is a type of spear phishing attack directed at senior executives or high-profile members of a business or organisation. Phishers use this type to collect sensitive information about the employees or clients of the target.
For example, in 2019, a sophisticated hacking group called London Blue expanded their database of more than 50,000 financial executives. The database included chief financial officers, executive assistants and other finance leaders. London Blue used the identities of higher executives to trick other senior staff members into transferring funds into their accounts.
There are only two types of companies: Those that have been hacked and those that will be hacked.
– Robert S. Mueller, III
Email/Spam is the most common phishing technique. Phishers use marketing strategies to bait their victims into providing their credentials. The messages usually have an urgent tone and will ask you to click a link to fill out a form and update or verify your information.
Contextual scam is when phishers use current events or issues in their phishing emails to bait victims into donating or giving out their information. One example is the increase of COVID-19 related phishing scams. The World Health Organization (WHO) warned people not to fall victim to phishing emails claiming to be from them. Moreover, they asked everyone to report such emails immediately to their office.
Another example is the recent phishing attacks on taxpayers in the US using emails, text messages and even voice calls. Phishers tricked taxpayers into giving away their stimulus cheques or spending money from the government. According to reports, the phishers told victims they need to confirm their banking information before they can receive their cheques.
Web Based Delivery, also known as man-in-the-middle, is a more sophisticated phishing technique. Here, the phishers trace transactions on a particular website that you often access to get your personal information. As you continue to transact with the website, the phisher will also continue gathering the information you’re passing to it.
Session Hijacking is another sophisticated technique used by phishers. Phishers steal your information by exploiting the web session control mechanism. The phisher will use a sniffer to intercept your account information and illegally access the website that you are logged into.
Pharming is phishing without a lure. Phishers alter an IP address to redirect you to a fake website or manipulate the legitimate website’s DNS server.
For example, Bitdefender found that phishers had altered the DNS settings of vulnerable routers so that websites resolved to IP addresses they controlled. Victims who were searching for updates on COVID-19 were directed to a fake website to download the updates.
However, they were actually downloading a credential stealer called Oski, which can steal sensitive data from 60 different applications. Oski can extract not only your browser credentials, but also your cryptocurrency wallet passwords.
Homoglyph attacks are when a phisher registers a fake domain name that imitates a legitimate business's or organisation's domain using characters that look identical to those in the real domain. Victims are tricked into believing that the fake domain is authentic.
Cofense found a very intricate phishing attack involving the use of a fake SharePoint domain, a redirect from YouTube, and a fake Google Cloud landing page.
Phishers sent out emails from sharepointeonline-po.com, a fake domain masquerading as SharePoint. The emails stated that a new file had been uploaded to the recipients' company SharePoint site. The victims were redirected to YouTube, which redirected them to the fake SharePoint, which sent them to a Google Cloud page where they were asked for their Microsoft login information.
If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked.
– Richard A. Clarke
Clone phishing is when phishers clone the content and the recipients’ address from emails sent by a legitimate business or organisation. They will then replace the attachment or link with a malicious version and send it back to the recipient as a resend of the original or an updated version. This type of phishing technique is possible if the sender’s or recipient’s email has been compromised.
Link Manipulation happens when the phisher copies the website URL of a reputable business or organisation. No two domain names are the same. Hence, phishers will alter the real domain name by misspelling it or adding characters to trick their victims. Some phishers also “cloak” the link by using tags that encourage victims to click—e.g., Subscribe/Unsubscribe here, Click here, Order now.
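As an added example that is not part of the original post, the following Python check applies the homoglyph and link-manipulation points above from a defender's side: it folds lookalike characters into a plain skeleton, measures edit distance to catch misspellings and added characters, and looks for a protected brand name embedded in a longer label, the pattern seen in the sharepointeonline-po.com case. The PROTECTED list, the confusables table and the naive two-label rule for the registrable domain are assumptions of this example.

```python
import unicodedata
# Constructed list of domains to protect (an assumption, not from the post).
PROTECTED = ["sharepoint.com", "sharepointonline.com", "netflix.com", "google.com"]
# Visually confusable characters mapped to the Latin letter they imitate.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic
               "\u0441": "c", "\u0445": "x", "\u0443": "y",                  # Cyrillic
               "0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}  # ASCII

def registrable(domain: str) -> str:
    """Last two labels only (naive: no public-suffix list, an assumption here)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def skeleton(domain: str) -> str:
    """Decode punycode, strip accents, then fold confusables to plain ASCII."""
    host = domain.lower()
    try:
        host = host.encode("ascii").decode("idna")   # xn--... label -> unicode
    except UnicodeError:
        pass                                          # already unicode, or not IDNA
    host = unicodedata.normalize("NFKD", host)
    host = "".join(c for c in host if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        host = host.replace(src, dst)
    return host

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches dropped, added or swapped characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str, protected=PROTECTED, max_dist: int = 2) -> str:
    """Return 'legit', 'homoglyph', 'typosquat', 'embedded-brand' or 'unrelated'."""
    reg = registrable(domain)
    if reg in protected:
        return "legit"                          # the real domain or a subdomain of it
    sk = skeleton(reg)
    for good in protected:
        if sk == skeleton(good):
            return "homoglyph"                  # looks identical, different bytes
        if edit_distance(sk, skeleton(good)) <= max_dist:
            return "typosquat"                  # misspelt or a character added/dropped
        if good.split(".")[0] in sk.split(".")[0]:
            return "embedded-brand"             # brand plus extra words or hyphens
    return "unrelated"
```

In practice the protected list would also carry the organisation's own legitimately registered variants so they are not reported as lookalikes.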
Content or Web Injection is another sophisticated phishing technique. Here, a phisher will hack a reliable website and change some of its content. The phisher will “inject” or add a link to a different website or page. They also patch part of the browser processes to take their victims to a fake website.
Phishers have been using an old banking trojan called Zeus Sphinx to steal bank credentials from clients of major banks in Australia, Brazil, and North America. Using relief payments for COVID-19 as a lure, phishers sent emails asking victims to fill out an attached form that contains the malware. Once installed on the victim's device, it uses web injections to alter the victim's bank website as it is displayed. The victim thinks they are logging into their bank's website, but it is actually a copy.
Phishing through Search Engines is when the phisher uses search engines to lead you to a website selling low-cost products or services or offering credit cards or loans at a low rate. However, these are actually phishing sites. When you try to order, buy or register, the phishing site will collect your credit card information.
Malware phishing is when phishers attach malware to emails as downloadable files. Once opened, the malware installs itself on your device, allowing the phisher to collect your personal information and credentials.
Malvertising uses malicious advertisements, often embedded in PDF or Flash files, that download malware onto your device. They can also force unwanted content onto your device once you click on the phishing ads.
Spy-phishing is a mix of spyware and phishing techniques. Considered crimeware, it is usually aimed at companies and corporations. Spy-phishers hack into your company's network, then browse and download sensitive files.
A keylogger is a type of malware that records your keyboard inputs. The captured keystrokes are sent to the phisher, who then extracts your personal information from them.
Ransomware is a type of malware that is delivered through a social engineering attack. When it is run on your device, it will deny you access to your device or files unless you pay the phisher a certain amount.
In 2018, the city of Atlanta, Georgia in the US was attacked, crippling several of its systems. The phishers asked for $51,000 in bitcoin as ransom for the city's services to be restored.
A trojan is also a type of malware designed to mislead you. Once the malware has been installed on your device, it will ask you to allow it to perform a seemingly legitimate task. After you "Allow" it to perform the task, it will access and collect your personal information and credentials and send them to the phisher.
It takes 20 years to build a reputation and a few minutes of a cyber-incident to ruin it.
– Stephane Nappo
Smishing is phishing using Short Message Service (SMS) or text messages. The phisher will pretend to be a legitimate business or organisation and send smishing texts. They will ask you to provide your personal information or click a link that leads to a phishing website.
Vishing or Voice Phishing is a phishing technique using phone calls. A phisher will call you through Voice over Internet Protocol (VoIP), pretending to be from a reliable business or organisation. They will then ask you to dial a set of numbers, which will allow them to collect your passwords and credit card details.
Now that you know the different types of phishing techniques and how to spot them, you can avoid being a victim. By becoming more vigilant, you can help stop the spread of phishing emails. Moreover, you can guarantee the safety of your clients' data.
However, if you receive a suspicious email, immediately report it to your IT support staff or to the cybercrime division in your area. Moreover, if you accidentally clicked the link or think your personal data has already been compromised, contact your financial institution immediately.
If you need assistance with ensuring your organisation can identify and avoid the different types of phishing techniques, contact us now. Our team of cybersecurity experts will help reduce your vulnerabilities and strengthen your security protocols. Moreover, we can provide your people with the training they need to become proactive players in keeping your organisation secure.