Phishing scams, 19 Nov

5 Phishing scams that keep cybersecurity professionals up at night


So far, cybercriminals have relied mainly on email to carry out phishing campaigns. However, as technology has advanced, perpetrators have widened their reach: conventional phishing now also targets individuals through text messages, telephone calls, and other media. Phishing attacks challenge individuals and organizations alike.

For those who are not aware of how easily one can fall into a phishing trap, here are a few examples:

Types of phishing scams

1. Email Phishing

Email phishing is one of the most common types of phishing scam. Cybercriminals usually register a fake domain that imitates an official website. Under the pretense of this false domain, perpetrators send out thousands of emails to unsuspecting customers from seemingly trusted sources. These fake domains usually rely on character substitution, such as using a capital ‘i’ (I) in place of a lowercase ‘L’ (l). Attackers also alter the domain name to confuse targets. For instance, if [email protected] is altered to [email protected], the email will appear to have been sent from XYZ (the legitimate source), and anyone who does not pay close attention can easily fall victim.
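One way a mail gateway or a security team can catch the character substitution described above is to fold visually confusable glyphs back onto the characters they imitate and compare the result with an allow-list of trusted domains. This is an added example, not code from the original article; the trusted-domain list and the sample addresses are constructed.

```python
# Added example (not from the original article): flag sender domains that
# imitate a trusted domain through character substitution, such as a capital
# "I" in place of a lowercase "l" or "rn" in place of "m". The trusted-domain
# list and the sample addresses used here are constructed.
import re

# Visually confusable sequences and the glyph each one imitates. Multi-character
# keys come first so "rn" is folded before single characters are replaced.
CONFUSABLES = {
    "rn": "m",
    "vv": "w",
    "I": "l",   # capital i looks like a lowercase L in many fonts
    "1": "l",
    "0": "o",
    "3": "e",
    "5": "s",
}

TRUSTED_DOMAINS = {"xyz.com", "example-bank.com"}  # constructed allow-list

ADDRESS_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def normalize(domain: str) -> str:
    """Fold confusable glyphs so a lookalike collapses onto the real spelling."""
    folded = domain.strip()
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    return folded.lower()


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for a sender address."""
    match = ADDRESS_RE.match(address)
    if not match:
        return "invalid"
    domain = match.group(1)
    # An exact (case-insensitive) match wins before any folding is applied.
    if domain.lower() in TRUSTED_DOMAINS:
        return "trusted"
    # Spelled differently, yet folds onto a trusted name: a lookalike domain.
    if normalize(domain) in TRUSTED_DOMAINS:
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sender in ("alerts@xyz.com", "alerts@xyz.corn", "help@exampIe-bank.com"):
        print(f"{sender:28} -> {classify_sender(sender)}")
```

The confusable table is deliberately small; a production filter would also cover Unicode homoglyphs and registrable-domain tricks such as the real brand name used as a subdomain of an attacker-controlled domain.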

Prevent Email Phishing

There are several tips for avoiding phishing scams via email, but the best defense is to verify the source before responding to a message. Apart from that, employees should follow these tips:

  • Avoid visiting banking-related websites through links provided in an email.
  • Enter your financial details only on websites that use HTTPS.
  • Watch for suspicious activity linked to your accounts.

Note: What is the difference between HTTP and HTTPS? HTTP is the unsecured version (it transfers data over port 80), while HTTPS is the secured version (it uses port 443).

2. Spear Phishing

The most sophisticated and successful phishing attack is spear phishing. Cybercriminals using this method will already have information such as:

  • The full name of the target,
  • Employment location and job title (if a work-related spear-phishing scam),
  • Email address, and
  • Other specific details on the target.

The 2018 attack on Airbnb customers showed that scammers used social engineering methods to identify their targets.

Prevent Spear Phishing

Spear phishing is one of the smartest ways to target internet users. More often than not, AI-based solutions can help prevent such an attack.

  • AI-based tools can recognize whenever an account gets compromised.
  • DMARC (Domain-based Message Authentication, Reporting & Conformance) lets a domain owner publish a policy that receiving servers apply to mail failing authentication, which blocks direct domain spoofing and brand hijacking.
  • Enable multi-factor authentication.
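DMARC only protects a domain when the published record actually enforces a policy, so a useful check is to parse the record and report anything that weakens it. This is an added example, not code from the original article; the sample records are constructed, and a real check would fetch the TXT record published at _dmarc.<domain> from DNS instead.

```python
# Added example (not from the original article): parse a DMARC TXT record and
# report how strongly it protects the domain against direct spoofing. DMARC
# tells receiving servers what to do with mail that fails SPF/DKIM alignment.
# The sample records below are constructed.

# Constructed records: one enforcing policy, one monitor-only, one partial.
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL_RECORD = "v=DMARC1; p=quarantine; pct=25"


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the published policy plus a list of weaknesses found in the record."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return {"policy": None, "subdomain_policy": None,
                "findings": ["not a DMARC1 record"]}
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy value {policy!r}")
    # Subdomains inherit p= unless sp= overrides it.
    sub_policy = tags.get("sp", policy)
    if sub_policy == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports will not be received")
    return {"policy": policy, "subdomain_policy": sub_policy, "findings": findings}
```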

3. Whaling

Another form of targeted attack is whaling, which is aimed at the senior-level staff of an organization. As this attack imitates senior executives, fake URLs become an additional way to prey on the target. Scammers often use bogus tax return forms to extract specific information: full name, address, social security number, and bank account details.

It is also referred to as “CEO Fraud,” where the attacker impersonates the CEO of a reputable organization. Generally, the emails are sent to extract bank account information or to initiate a transfer of funds. This can take place in two ways:

  1. With name spoofing only (the display name matches the CEO, but the email address is a different one), and
  2. With name and email spoofing, where the attacker uses a Reply-To address to redirect the target’s replies.
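Both patterns leave traces in the message headers, so an inbound filter can compare the display name, the sender address and any Reply-To against an executive directory. This is an added example, not code from the original article; the company domain, the executive directory and the three sample messages are constructed.

```python
# Added example (not from the original article): check an inbound message for
# the two CEO-fraud patterns described above, i.e. an executive's display name
# on a foreign address, and a Reply-To header that redirects replies elsewhere.
# The company domain, executive directory and sample messages are constructed.
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # constructed
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}    # constructed directory

# Constructed samples: legitimate, name-only spoof, name-and-address spoof.
LEGIT_MSG = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: accounts-payable@example.com\n"
    "Subject: Q3 figures\n\nAttached.\n"
)
NAME_SPOOF_MSG = (
    "From: Jane Doe <jane.doe.office@webmail.example.net>\n"
    "To: accounts-payable@example.com\n"
    "Subject: Urgent wire\n\nPlease process the transfer today.\n"
)
REPLY_TO_SPOOF_MSG = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Reply-To: Jane Doe <jane.doe@examp1e.com>\n"
    "To: accounts-payable@example.com\n"
    "Subject: Urgent wire\n\nReply with the account details.\n"
)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_headers(raw_message: str) -> list:
    """Return the impersonation indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # Pattern 1: the display name is an executive's, but the address is not theirs.
    expected = EXECUTIVES.get(from_name.strip())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name {from_name!r} but sender is {from_addr}")
    # Pattern 2: replies are silently routed to a domain other than the sender's.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(f"Reply-To redirects replies to {_domain(reply_addr)}")
    return findings
```

A match on either pattern is a reason to hold the message for the verification step described below, not proof of fraud by itself.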

Prevent Whaling

Here are a few measures that can be taken to prevent such attacks:

  • Set up a verification process before initiating financial transactions, such as face-to-face verification.
  • Use an email filtering system that automatically flags suspicious-looking inbound emails.
  • Verify client certificates to ensure the authenticity of the source.

4. Smishing and Vishing

In these forms of phishing, email communication is replaced with the telephone. Smishing uses text messages to target individuals, while vishing relies on telephone conversations.

One of the most common vishing scenarios involves a fraudster posing as a fraud investigator from a well-known bank, asking for some details or informing individuals that their account has been breached. To “rectify” the issue, the perpetrator then asks for the victim’s payment card details to gain access to their bank account. Scammers who use messaging channels, on the other hand, quote the first or last few digits of an individual’s debit/credit card to build trust. The message usually comes with a legitimate-looking link, which then leads to the compromise of confidential information.

Prevent Smishing and Vishing

To stay protected from such attacks, it is essential to:

  • Be cautious when answering a call from a new or unknown caller ID.
  • Not call back a number sent by a stranger through a text message or voicemail.
  • Download mobile applications only through official channels.
  • Never click on links sent from an unverified source.

5. Angler Phishing

This is a comparatively new attack vector that uses fake social media accounts to hoodwink people into revealing personally identifiable information. These accounts often masquerade as a company’s customer service accounts on social media. According to one of Proofpoint’s reports, last year saw 55% of attempted attacks using social media channels to lure victims.

Cybercriminals also upload engaging posts that increase the chances of a highly targeted attack succeeding. In 2016, numerous Facebook users received a notification that they had been tagged in a post. These posts were part of a two-stage campaign: in the first phase, the post initiated the download of a Trojan that installed a malicious Chrome extension on the victim’s computer; in the second phase, whenever the victim logged in with the corrupted extension active, the account was hijacked.

Prevent Angler Phishing

Social media is the most convenient way to interact with the staff of an organization, but being aware of fraudulent activity keeps you from becoming a victim.

  • Ensure that you are interacting with a verified account. Official accounts carry a blue checkmark badge (on Twitter and Instagram).
  • It is better to have your issues addressed through the company’s official website.


All five phishing scams frequently target individuals and employees of organizations. These attacks can drastically impact an individual’s life, especially when the individual is linked with an organization. On average, a large-scale organization with 10,000 employees spends $3.7 million annually dealing with phishing scams.

The best way to handle these phishing scams is to hire a certified professional who can actively protect the organization against such threats. The Certified Ethical Hacker (C|EH) is one such credential, ensuring that professionals have the skills and knowledge to fortify an organization’s security infrastructure. Its training program puts attendees through intense lab sessions where they gain not only traditional, advanced, and trending knowledge but also technical skills that can be applied immediately. In addition, the ANSI-accredited C|EH is recognized as one of the baseline programs by the United States Department of Defense. Hire a C|EH holder today for a secure cyber environment.

Becoming an Ethical Hacker on your checklist?

Make sure you choose the right pathway for your career progression!
