Nearly 1 out of every 3 data breaches involved small businesses. That’s according to Verizon’s 2020 Data Breach Investigations Report (DBIR) calculations. And many of these data breaches involved phishing scams of one sort or another.
What exactly is phishing and how does it work?
Phishing is basically the name for what an online scam artist does. Scam artists trick their victims into believing a lie in order to get something in return. This is typically money, but it can also be critical information such as login credentials. Just like the scammer who walks up to an unsuspecting passerby on the street, the online scam artist appears out of the blue and uses various methods to gain trust and, through it, money or information. They prey on the same normal human emotions a “real world” scammer would: compassion, self-preservation, impatience, or curiosity.
The bad news is that phishing tactics change in small ways every day; the good news is that they fall into a handful of major categories. Each category has its own tell-tale signs if you know what to look for, so we compiled this list to help you help your employees and coworkers. Note that these are not in any particular order of importance, and it would be wise to treat all of them as serious.
1. CEO Fraud/Business Email Compromise
We know plenty of people who’ve received emails of this kind—even our own employees. The most common is the email that appears to be from your company’s owner, CEO, or a high-level executive. It usually asks the recipient to wire money to a specific account, or to “check” some unfamiliar transactions in the business bank account via a link that leads to a fake login page. Without pausing to confirm the request through a second channel (a phone call to the executive, for instance), the victim does what is asked and—poof!—the money or the credentials are in the scammers’ hands.
2. Clone phishing
The idea behind clone phishing is to copy a legitimate email the attacker has intercepted or previously seen, then tweak the links or attachments in it to steer the recipient down the attacker’s path. The clone often refers back to the original message, claiming that the earlier link was broken or the instructions were incorrect. At first glance it appears to come from the original sender, but a closer look can reveal an unfamiliar domain in the clone’s ‘From’ address, or a hyperlink whose visible text does not match where it actually leads.
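The link tell described above can be checked mechanically. The following is an added example written for this article, not code from the original post: it parses an HTML email body, collects every link, and flags anchors whose visible text shows one hostname while the `href` points somewhere else, plus any link to a domain the sender is not expected to use. The vendor domain, the IP address, and the HTML body are all constructed.

```python
"""Spot the tell of a cloned email: links whose visible text and real target disagree.

Added illustration for this article, not code from the original post. The HTML
body below is constructed to look like a "corrected link" clone; the vendor
domain (vendor-example.com) and the IP address are made up.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: the only domains a genuine message from this vendor should link to.
EXPECTED_DOMAINS = {"vendor-example.com"}

# Constructed clone body: the wording mirrors the original, only the links changed.
SAMPLE_CLONE = """
<p>Our earlier message contained a broken link. Please use the corrected one:</p>
<p><a href="https://vendor-example.com.invoice-portal.net/login">
https://payments.vendor-example.com/invoice/8812</a></p>
<p>Or <a href="https://payments.vendor-example.com/invoice/8812">view the invoice</a>
in the portal as usual.</p>
<p><a href="http://198.51.100.23/invoice.pdf.exe">Download the corrected PDF</a></p>
"""

# Visible link text that itself looks like a URL or bare domain.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so line-wrapped link text compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url_or_text):
    """Lower-cased hostname of a URL; bare domains like 'foo.example' are accepted too."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    try:
        return (urlsplit(s).hostname or "").lower()
    except ValueError:
        return ""


def in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def suspicious_links(html_body, expected_domains=EXPECTED_DOMAINS):
    """Return (href, text, reason) for links that do not point where they claim."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if href.lower().startswith(("mailto:", "tel:")):
            continue  # not web links; out of scope here
        real = host_of(href)
        shown = host_of(text) if URL_LIKE.fullmatch(text) else ""
        if shown and real != shown and not real.endswith("." + shown):
            findings.append((href, text, f"text shows {shown} but link goes to {real}"))
        elif not in_domains(real, expected_domains):
            findings.append((href, text, f"unexpected domain {real}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_CLONE):
        print(f"{reason}\n    text: {text!r}\n    href: {href}")
```

Run against the constructed body, the first link is flagged because its text shows `payments.vendor-example.com` while the `href` goes to `vendor-example.com.invoice-portal.net` (the trusted name is only a subdomain label on the attacker’s domain), and the third is flagged because a bare IP address is not one of the expected domains. The second link, whose text is ordinary words and whose host is a real subdomain of the vendor, passes.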
3. Domain spoofing
Domain spoofing is just what it sounds like: a domain, website, or sender address that pretends to be a legitimate one. Scammers cannot register a domain someone else already owns, so they register very close copies, like apple.co instead of apple.com, or they use Unicode characters that look like ASCII letters (a Cyrillic ‘а’ in place of a Latin ‘a’, the so-called homograph attack). One use is to send a well-crafted email from the lookalike domain that points the recipient to the fake site, where they are enticed into a compromising action like entering bank account information. Another is to forge the ‘From’ address so the email appears to come from inside your own organization; this works when the receiving mail system does not enforce sender authentication (SPF, DKIM and DMARC), and it lends credence to #1 above and to any action requested in the email.
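A sender-domain check that catches the lookalike tricks above (swapped TLD, extra letter, homoglyph characters, trusted name used as a subdomain) is shown below. This is an added example written for this article, not code from the original post. The trusted-domain list and the sample `From:` headers are constructed; the confusables table is a small hand-picked subset, not a complete Unicode confusables list.

```python
"""Classify a sender domain: trusted, homoglyph, TLD swap, lookalike, or unrelated.

Added illustration for this article, not code from the original post. The
trusted-domain list and the sample From: headers are constructed; the
CONFUSABLES table is a small hand-picked subset of look-alike characters.
"""
import unicodedata
from email.utils import parseaddr

# Constructed: domains mail is genuinely expected from.
TRUSTED_DOMAINS = {"apple.com", "example-corp.com"}

# Characters attackers swap for Latin letters, mapped to the letter they imitate.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic, render like a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic, render like c x y i
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p",                  # Greek, render like a o p
    "0": "o", "1": "l", "3": "e", "5": "s",                      # digit look-alikes
}


def sender_domain(from_header):
    """Domain part of the address in a From: header, lower-cased ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def skeleton(domain):
    """Collapse a domain to the Latin string a reader would 'see'."""
    s = unicodedata.normalize("NFKC", domain).lower()
    s = s.replace("rn", "m").replace("vv", "w")   # multi-letter look-alikes
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def levenshtein(a, b):
    """Edit distance; one or two edits from a trusted name is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_edits=2):
    domain = sender_domain(from_header)
    if not domain:
        return "no-domain"
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"                      # exact match or a real subdomain
    if any(domain.startswith(t + ".") for t in trusted):
        return "trusted-as-subdomain"         # apple.com.evil.example: evil.example owns it
    sk = skeleton(domain)
    trusted_sk = {skeleton(t): t for t in trusted}
    if sk in trusted_sk:
        return "homoglyph"                    # looks identical once confusables are folded
    for tsk in trusted_sk:
        if sk.split(".")[0] == tsk.split(".")[0]:
            return "tld-swap"                 # same name, different suffix (apple.co)
    if min(levenshtein(sk, tsk) for tsk in trusted_sk) <= max_edits:
        return "lookalike"                    # appple.com, aple.com, ...
    return "unrelated"


if __name__ == "__main__":
    for hdr in ["IT Desk <it@apple.com>", "Apple Support <support@\u0430pple.com>",
                "billing@apple.co", "hr@appple.com", "verify@apple.com.verify-login.net"]:
        print(f"{classify_sender(hdr):22} {hdr}")
```

Note what this does not catch: a forged `From:` that uses the exact trusted domain classifies as `trusted`, because the string is genuinely correct. Only sender authentication at the mail gateway (SPF and DKIM checks, with a DMARC policy the receiver enforces) tells you whether the message really came from that domain’s mail servers.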
4. Evil Twin
This sounds similar to a clone phishing attack, but in fact it’s quite different. This tactic capitalizes on Wi-Fi. The attacker sets up an access point that masquerades as a legitimate one so they can gather information, habits, and data from end users. They’ll even broadcast the same service set identifier (SSID) as the real network. Devices that remember an open network by name will happily join any access point broadcasting that SSID, which is why this attack has also come to be known as the Starbucks scam: it frequently occurs in coffee shops.
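Defending a corporate network against an evil twin means knowing which access points you actually own. The following is an added example written for this article, not code from the original post: it compares a Wi-Fi scan against an inventory of authorised access points, flagging any AP that advertises one of your SSIDs from an unknown BSSID (the AP’s MAC address), that is louder than every genuine AP (so clients will prefer it), or that drops the expected security mode. The inventory and the scan are constructed; in practice the scan would be parsed from `iw dev <iface> scan`, airodump-ng, or a wireless IDS sensor.

```python
"""Flag evil-twin access points in a Wi-Fi scan.

Added illustration for this article, not code from the original post. The
authorised-AP inventory and the scan results below are constructed; in practice
the scan would come from `iw dev <iface> scan`, airodump-ng or a WIDS sensor.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str       # the AP's MAC address; the SSID is free to copy, the BSSID is in inventory
    security: str    # "OPEN", "WPA2" or "WPA3"
    channel: int
    signal_dbm: int  # higher (closer to 0) is stronger


# Constructed inventory: the APs the office actually owns, exported from the controller.
AUTHORISED = {
    "CorpWiFi": {"bssids": {"aa:bb:cc:00:01:10", "aa:bb:cc:00:01:20"}, "security": "WPA2"},
}

# Constructed scan as seen from the lobby.
SCAN = [
    AccessPoint("CorpWiFi", "aa:bb:cc:00:01:10", "WPA2", 6, -48),
    AccessPoint("CorpWiFi", "aa:bb:cc:00:01:20", "WPA2", 11, -61),
    AccessPoint("CorpWiFi", "de:ad:be:ef:00:01", "OPEN", 6, -35),   # twin, dropped encryption
    AccessPoint("CorpWiFi", "de:ad:be:ef:00:02", "WPA2", 1, -40),   # twin, same security
    AccessPoint("LobbyCafe", "12:34:56:78:9a:bc", "OPEN", 1, -70),  # not ours, ignored
]


def rogue_aps(scan, authorised=AUTHORISED):
    """APs advertising one of our SSIDs that are not in inventory or weaken security."""
    # Strongest genuine signal per SSID: a twin louder than this wins the client.
    best_legit = {}
    for ap in scan:
        policy = authorised.get(ap.ssid)
        if policy and ap.bssid.lower() in policy["bssids"]:
            best_legit[ap.ssid] = max(best_legit.get(ap.ssid, -200), ap.signal_dbm)

    findings = []
    for ap in scan:
        policy = authorised.get(ap.ssid)
        if policy is None:
            continue                          # someone else's network, out of scope
        reasons = []
        if ap.bssid.lower() not in policy["bssids"]:
            reasons.append("BSSID not in inventory")
            if ap.signal_dbm > best_legit.get(ap.ssid, -200):
                reasons.append("stronger signal than any authorised AP")
        if ap.security != policy["security"]:
            reasons.append(f"security {ap.security}, expected {policy['security']}")
        if reasons:
            findings.append((ap, reasons))
    return findings


def mixed_security_ssids(scan):
    """SSIDs seen with more than one security mode. A twin often drops to OPEN so
    phones join without a password; this check needs no inventory at all."""
    modes = defaultdict(set)
    for ap in scan:
        modes[ap.ssid].add(ap.security)
    return {ssid: m for ssid, m in modes.items() if len(m) > 1}


if __name__ == "__main__":
    for ap, reasons in rogue_aps(SCAN):
        print(f"{ap.ssid} {ap.bssid} ch{ap.channel} {ap.signal_dbm} dBm: {'; '.join(reasons)}")
    print("mixed security:", mixed_security_ssids(SCAN))
```

The second check matters outside the office too: on a laptop in a coffee shop you have no inventory, but an SSID that shows up both protected and open at the same time is a strong hint that one of those access points is not the café’s.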
5. HTTPS phishing
This tactic simply drops a legitimate-looking link into the email body, and often that is the entire message. The link is usually an HTTPS (“secure”) URL, because the padlock makes recipients assume the site is safe. The padlock only means the connection is encrypted; anyone, a phisher included, can obtain a certificate for a domain they control, so it says nothing about who runs the site. The link might be clickable, or it might only work if it is copied and pasted into a browser.
So why would anyone actually click on such a bare link? The answer lies in social engineering (see #1 above): the attacker pretends to be someone they are not, like a trusted colleague or vendor, and uses that established rapport to get the recipient to act.
6. Spear phishing
This is a very targeted phishing attack that also employs social engineering. Instead of blasting a phishing email to tens of thousands of people, this tactic focuses on a specific individual in a company. Attackers find out as much as they can about their target (see #4 above) and then tailor an email directly to them, citing known activities or interests. They win confidence more quickly than other tactics because they create a “warm handoff” for themselves. Attackers may start by casually inquiring about company information or talk the victim into visiting a particular site. Spear phishing is usually combined with HTTPS phishing (#5 above) so the process seems as legitimate as possible.
7. Smishing
This one is fun to say, not fun to experience: smishing = SMS (texting) + phishing. It capitalizes on the world’s addiction to text messaging and instant communication, and it mimics the messages we already trust, like the reminder from your dentist for your next appointment or the offer of free chips and salsa with your next burrito. The text contains a link the victim is told to tap; it either leads to a malicious site (where the victim hands over information) or delivers a payload to the device (which is then held for ransom). Either way, the attacker gets information or money.
8. Vishing
Like smishing, vishing = voice + phishing. This is another one that relies heavily on social engineering. Attackers are known to use automated calls that announce they are from a trusted organization, then route the victim to a live attacker once they interact with the prompts. They also call directly and pretend to be from some important organization like the IRS or your bank. They can also impersonate an executive at your company, from your vendor’s company, or from one of your clients’ organizations. They ask you to “verify” your personal or company information over the phone.
9. Watering hole phishing
This is a little-known tactic that takes patience on the part of the attacker, but can have a big pay-off. Just like a crocodile lurking under water, waiting for an overheated zebra to wander down to a pool, the attacker compromises a website that your employees frequent, then waits for one to visit. The site delivers malicious code to the visitor, which infects the visitor’s machine and spreads to other systems. It grabs all the personal details and customer information it can and—BOOM—data breach.
10. Whaling
Whaling is pretty much the inverse of CEO fraud. Instead of targeting lower-level employees while pretending to be the higher-ranking officer or owner, the goal is to trick the executive into revealing sensitive information and corporate data. Fraudsters take months to research these VIPs, their contacts, and their trusted sources. Scammers then pose as those contacts, send fake emails, and elicit sensitive information. Since they target the highest level, who typically hold the most business-critical information, the losses can be huge, which makes whaling attacks especially dangerous.
Stay informed and stay safe
In our next post, we’ll discuss tips on how to identify phishing emails which—alongside implementing security technology best practices—is an important step to safety.
Help Desk Cavalry’s team of cybersecurity experts stays up to date on the latest trends and improvements to ensure that our clients stay in front of changes that might increase risk. If you’re interested in knowing more about how our HDCav Cybersecurity solution will work for you, contact us at Biz@HDCav.com or call us at 360-930-6990. A short talk can lead to a lot of understanding.