To a cybercriminal, you’re nothing more than a big, juicy fish. You’re slow, you’re hungry, and they don’t expect much from you in terms of intelligence and strategy. That’s exactly why they throw their “worm” in the water and hope you gulp it down without a second thought. But you’re not the only one – the cybercriminals cast a gigantic number of lures out to try and snag anyone who is willing to take the bait.
The practice is called “phishing”, and it’s a pretty apt name for this type of cybercrime.
What phishing IS:
In short, it’s a type of cybercrime that aims to convince you to divulge information to the criminal. Rather than starting with an exploit against your software, the cybercriminal depends on deception and simple trickery to get personal or sensitive information (most often a password, or a click on a malicious link or attachment) out of the victim. From there, they use what you handed over to reach critical files and data.
What phishing IS NOT:
Phishing is often lumped together with hacking. Hacking in the narrow sense requires knowledge of programs and code that exploit (or create) gaps in security infrastructure; phishing exploits people instead, persuading them to hand over information willingly. The two are not mutually exclusive: a phishing email is very often the first step of an intrusion, because a stolen password or an opened attachment spares the attacker the work of finding a technical vulnerability at all.
Phishing may not need an exploit, but that doesn’t mean it’s conducted without effort. Phishing attempts often rely on expertly crafted emails, documents, and even whole websites. If it can be copied or mimicked, cybercriminals will use it to phish for information; forging a sender’s address or a site’s appearance so that it passes as the legitimate one is known as “spoofing”.
But it doesn’t stop there. Phishing isn’t a one-off trick that you can safely ignore. Defending against it requires constant attention and a basic level of awareness from everyone who reads email. Phishing attacks have become a routine part of running a business: the Anti-Phishing Working Group counted 1,220,523 phishing attacks in 2016, a 65% increase over 2015.
But all hope is not lost. The different types of phishing attack each have their own twists that you can spot if you know what to look out for.
Clone phishing:
When cybercriminals get their hands on a legitimate email, they can do a lot with it. For starters, they analyze everything, from the relationship between sender and recipient to the tone and kind of language used. With this information, they create a near-identical copy that is very hard to distinguish from the real message. The giveaway is that the clone usually claims to be a “resend” of the original, for one reason or another.
Usually, the email they clone is one that contains attachments. In the resent version, the attachment is replaced with a malicious file carrying the same filename and, often, the same apparent size, so nothing looks different at a glance. Opening it gives the attacker a foothold on the victim’s machine, from which they can move on to others on the same network. Clone emails are tricky: if you have any doubt, confirm with the sender through a channel other than replying to the email, and compare the new attachment against the original you already have rather than trusting its name.
Website forgery:
This web-based attack is also known as a “deceptive site”. The cybercriminal builds a site that is a near-exact replica of the target website. When a user arrives, they browse it as they would the original, since it looks and behaves the same. Often, the user can’t tell they’re on a fake site because the link they clicked displayed the real company’s name while pointing somewhere else, or because the address is a lookalike of the real one (a swapped character, an extra word, or the real domain used as a subdomain of an attacker-controlled one). A padlock icon is no help here: fake sites get HTTPS certificates as easily as real ones, so the only reliable check is the registered domain shown in the address bar.
Once the user submits any information on the site (email addresses, passwords, credit card details, etc.), the criminal has won. This attempt is hard to spot and even harder to defend against. Even the credit giant Equifax fell for it in 2017: after its data breach, its own support account repeatedly directed customers to a lookalike domain instead of the real breach-response site.
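To make the clone-phishing and website-forgery red flags above concrete, here is an added example of a small triage script; it is not from the original post and not a Diverge IT tool. It builds a constructed “resent” invoice email, then checks it for the three things a practitioner looks at first: a Reply-To that differs from the From domain, links whose real destination is not the domain the link text claims, and an attachment that keeps the filename and byte length of a previously received genuine file but has different contents. The sender domain example-corp.com, the attachment bytes and the lookalike domains are all hypothetical.

```python
"""Added example (not from the original article). Triage of a constructed
clone-phishing email for the red flags described in the text."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAIN = "example-corp.com"   # assumption: the real sender's domain

# Constructed: bytes of the genuine invoice received earlier, and its hash.
ORIGINAL_ATTACHMENT = b"%PDF-1.4\n% genuine invoice 1042 (constructed bytes)\n"
KNOWN_GOOD = {"Invoice-1042.pdf": hashlib.sha256(ORIGINAL_ATTACHMENT).hexdigest()}

# Constructed: the clone keeps the filename AND the byte length, so a size
# check alone would pass; only the content differs.
TAMPERED_ATTACHMENT = ORIGINAL_ATTACHMENT[:-5] + b"EVIL\n"


def build_clone_email() -> bytes:
    """Constructed clone-phishing sample in the style the article describes."""
    msg = EmailMessage()
    msg["From"] = "Example Corp Billing <billing@example-corp.com>"
    msg["Reply-To"] = "billing@example-c0rp.com"      # lookalike: zero for 'o'
    msg["Subject"] = "RE: Invoice 1042 (resend - earlier attachment was corrupted)"
    msg.set_content("Resending the invoice, the earlier attachment did not open.")
    msg.add_alternative(
        "<p>Resending the invoice. You can also "
        '<a href="https://example-corp.com.invoice-portal.net/login">'
        "view it on example-corp.com</a>.</p>",
        subtype="html",
    )
    msg.add_attachment(TAMPERED_ATTACHMENT, maintype="application",
                       subtype="pdf", filename="Invoice-1042.pdf")
    return msg.as_bytes()


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Toy approximation: production code
    should consult the Public Suffix List (think co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(raw: bytes) -> list[tuple[str, str]]:
    """Apply the article's red flags to one raw message; returns (flag, detail)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Reply-To pointing away from the From domain: replies go to the attacker
    #    even when From looks right (From itself is trivially forgeable unless
    #    SPF/DKIM/DMARC are enforced at the receiving side).
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"{from_dom} vs {reply_dom}"))

    # 2. Links whose real destination is not the legitimate domain, however the
    #    visible text reads ("example-corp.com.invoice-portal.net" registers as
    #    invoice-portal.net, not example-corp.com).
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        html = html_part.get_content()
        for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>',
                                     html, re.S | re.I):
            dest = registrable_domain(urlparse(href).hostname or "")
            if dest != LEGIT_DOMAIN:
                findings.append(("link-domain-mismatch",
                                 f"text '{text.strip()}' -> {dest}"))

    # 3. Same filename as a message we trust, but different bytes.
    for part in msg.iter_attachments():
        name = part.get_filename()
        digest = hashlib.sha256(part.get_content()).hexdigest()
        if name in KNOWN_GOOD and digest != KNOWN_GOOD[name]:
            findings.append(("attachment-hash-mismatch", name))
    return findings


if __name__ == "__main__":
    for flag, detail in triage(build_clone_email()):
        print(f"{flag}: {detail}")
```

Run on the constructed sample, all three flags fire. The domain check is deliberately done on the registrable domain of the link target rather than on the visible text or a prefix match, because attackers put the real brand name in a subdomain or in the anchor text precisely to defeat the naive comparison.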
Phone phishing:
Phishing attempts don’t always find you through an email or a browser. Sometimes, the most convincing attempts come over the phone. Usually, the cybercriminal uses VoIP services with a spoofed caller ID, which makes the calls very hard to trace and lets the number on your screen look like your bank’s.
The attempts usually go something like this: first, the caller (or a recorded voice) claims to be an important service, such as a debt collector, a bank, or a hospital. Then they prompt the victim to enter or read out information such as account numbers and PINs. When the criminal has what they want, they simply hang up and move on to the next victim. It’s helpful to remember that legitimate organizations will not ask you to confirm a PIN or full account number over an unsolicited call, and rarely through an automated voice service. If in doubt, hang up and call back on the number printed on your card or statement, not one the caller gives you.
Generally speaking, phishing targets the masses. Rather than a fishing pole, it’s more accurate to think of it as dragging a large net. It’s imprecise, and it tricks only those who don’t know what to look out for.
But spear phishing is nowhere near as clumsy and imprecise as most other types of phishing.
Spear phishing targets a specific company or group of individuals. Criminals behind this approach take their time; they gather as much information as they can before taking any action, and a campaign can run for many months, in some cases even years. In other words, while the delivery looks like any other type of phishing, there is a massive amount of research behind each and every word. According to Symantec, spear phishing emails have targeted more than 400 businesses every day, draining $3 billion over the last three years.
Whaling:
The most dangerous type of phishing is a variant of spear phishing. Whaling earns its name because it goes after the biggest targets in a business: the executives. The content of a whaling attempt typically deals with executive-level matters and arrives looking urgent and important. Often it is disguised as a legal subpoena, a customer complaint, or a request from a fellow executive who needs sensitive information or an immediate payment.
Once an executive falls for the scam, the company can suffer greatly, and in the worst cases shut down completely.
So What Can You Do?
There are no two ways about it – phishing schemes are tricky cyberattacks to deal with. The number-one defense mechanism against them doesn’t come in a pre-packaged box, and isn’t sold in stores.
The best defense is user awareness and proper security training.
Diverge IT can help you attain and maintain proper security awareness. We’ve been protecting businesses since 1999 from hackers and all kinds of malicious cyberattacks. If you’d like to learn more about what we can do, reach out to us today.