With internet access and availability having increased significantly over the past few years, more people now conduct their transactions online. Knowing this, cybercriminals spend considerable amounts of time and money looking for ways to access private personal information or confidential business information for nefarious reasons. Of the many techniques used by cybercriminals to obtain private and confidential information, one of the most endemic is phishing.
With phishing, the cybercriminals do not focus on the security of the network they wish to compromise. Instead, they look for ways to trick users into offering up their network credentials or other sensitive information; once obtained, these credentials are used by the cybercriminals to penetrate and compromise a network. Successful phishing attacks cost businesses a lot of money. On average, American businesses lose about $500 million to phishing attacks yearly.
There are several variants of phishing attacks that cybercriminals use when trying to compromise a network. This post discusses seven of the most common phishing variations and provides some tips on ensuring that your business is protected against a phishing attack.
1) Email phishing
This is the most common and most widely known phishing variant. With this variant, the cybercriminal sends the unsuspecting user a seemingly innocuous email with an embedded link. Clicking on the link within the email initiates the download of a virus or malware which then infects the user’s device. Following this, the cybercriminal can steal the user’s credentials and access the network freely. To increase the chances of the malicious link being clicked, cybercriminals try to make the email as realistic as possible, often using a name that the user is familiar with as the sender.
Good observation is the best way to safeguard against this phishing variant. Pay close attention to any spelling mistakes or bad grammar in an email as these may be signs of a phishing email. As much as possible, avoid clicking on embedded links within an email; rather you should copy the link and open it in a new web browser. Train your employees how to identify attacks and how to avoid them.
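The "good observation" advice above can be partly automated. The following is an added example, not code from the original post or from Cyber Sainik, that parses a raw email and reports the concrete indicators the paragraph describes: a sender display name that borrows a trusted brand while the address domain does not match, a link whose visible text is a URL pointing somewhere other than its real target, a plain-http link, and a link to a bare IP address. The trusted-domain list and both sample messages are constructed for the example; a real deployment would run this over mail pulled from a quarantine or a mailbox export.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation keeps a list of domains its genuine mail comes from.
TRUSTED_DOMAINS = {"acme-bank.example"}

# Constructed sample messages (not real mail). The first shows the pattern described
# above: a familiar-looking sender name and a link whose text and real target differ.
SAMPLE_EML = """\
From: "Acme Bank Support" <support@acme-bank-alerts.example>
Subject: Urgent: verify you're account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, please verfy your account imediately:</p>
<a href="http://203.0.113.7/login">https://www.acme-bank.example/login</a>
</body></html>
"""

CLEAN_EML = """\
From: "Acme Bank Support" <support@acme-bank.example>
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your statement is available in online banking:</p>
<a href="https://www.acme-bank.example/login">https://www.acme-bank.example/login</a>
</body></html>
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    collector = LinkCollector()
    collector.feed(html)
    return collector.links


def looks_like_url(text):
    return bool(re.match(r"^(https?://|www\.)", text.lower()))


def analyze_message(raw, trusted_domains=TRUSTED_DOMAINS):
    """Return human-readable phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name borrows a trusted brand, but the address domain is not trusted.
    sender = msg["From"].addresses[0]
    brand_tokens = {d.split(".")[0].replace("-", " ") for d in trusted_domains}
    name = sender.display_name.lower().replace("-", " ")
    if sender.domain.lower() not in trusted_domains and any(t in name for t in brand_tokens):
        findings.append(f"sender name {sender.display_name!r} suggests a trusted brand "
                        f"but the address domain is {sender.domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    for text, href in extract_links(body.get_content() if body is not None else ""):
        target = urlparse(href)
        # 2. The visible link text is itself a URL that points somewhere else.
        if looks_like_url(text):
            shown = urlparse(text if "://" in text else "http://" + text)
            if shown.hostname != target.hostname:
                findings.append(f"link text shows {shown.hostname} but points to {target.hostname}")
        # 3. Plain-http link (the "look for the s in https" rule).
        if target.scheme == "http":
            findings.append(f"link to {href} is not https")
        # 4. Link to a bare IP address instead of a hostname.
        if target.hostname and IPV4_RE.match(target.hostname):
            findings.append(f"link points to a raw IP address: {target.hostname}")
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, analyze_message(raw) or "no indicators")
```

Run as-is to see the four indicators raised on the constructed sample and none on the clean message. The checks are deliberately literal (host mismatch, scheme, IP literal) rather than a spam score, so each finding can be shown to the user as the reason a message was held.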
2) Vishing
With vishing (voice phishing), cybercriminals attempt to make users give up their network credentials over the phone. They may claim to be someone in authority, salespeople or account representatives, among others. They are oftentimes very convincing, such that unsuspecting users readily offer up their network credentials.
To guard against this phishing variant, you should never provide your credentials to anyone over the phone, especially your password. As a general rule, any request to provide your password over the phone should be treated with suspicion.
3) Smishing
Smishing (SMS phishing) is similar to vishing and email phishing, the only difference being that the user is sent a text message with an embedded link. Once the link is clicked, a virus or malware is downloaded to the user’s device, corrupting it and thereby allowing access to the network.
The only defense against this form of phishing is to avoid clicking links in text messages when you are not familiar with the sender.
4) Pharming
With pharming, cybercriminals install malware on a server or computer such that when users type in the correct web address, they are redirected to a bogus site instead. These users, thinking they are on the correct website, then enter their account credentials, which are subsequently stolen by the cybercriminals.
Pharming is one of the more difficult variants of phishing to detect. The best way to guard against this is to look for the lock and key symbol at the bottom of your browser or the “s” in https. The absence of these is a strong indicator that a website is not secure.
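One place the "malware on a computer" redirect described above can live is the local hosts file, which overrides DNS for any name it lists. The following is an added example, not code from the original post or from Cyber Sainik, that audits a hosts file for entries pinning hostnames users sign in to (a list the defender is assumed to maintain) and says whether each entry blocks the name or redirects it. The sample hosts content and the monitored hostnames are constructed for the example.

```python
import ipaddress
import sys

# Assumption: the defender maintains the list of external hostnames users sign in to.
MONITORED_HOSTS = {"www.acme-bank.example", "login.acme-bank.example"}

# Constructed sample hosts file (not from a real system). The last line is the shape a
# local pharming change takes: a bank hostname pinned to an address the bank does not own.
SAMPLE_HOSTS = """\
# standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    printer.lan
203.0.113.45    www.acme-bank.example   # added by malware
"""


def parse_hosts(text):
    """Return (hostname, address) pairs, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            entries.append((name.lower(), addr))
    return entries


def classify(addr):
    """Say what a hosts entry does to the name: block it, redirect it, or neither."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable address"
    if ip.is_loopback or ip.is_unspecified:
        return "blocked"          # 127.0.0.1 / 0.0.0.0 style sinkhole, not a redirect
    return "redirected"           # any other address: traffic for the name goes elsewhere


def suspicious_overrides(text, monitored=MONITORED_HOSTS):
    """Every hosts-file entry that pins a monitored hostname, with a verdict."""
    return [(name, addr, classify(addr))
            for name, addr in parse_hosts(text) if name in monitored]


def audit_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_overrides(fh.read())


if __name__ == "__main__":
    # Pass the real hosts file path (/etc/hosts on Linux/macOS,
    # C:\Windows\System32\drivers\etc\hosts on Windows); otherwise the sample is used.
    hits = audit_file(sys.argv[1]) if len(sys.argv) > 1 else suspicious_overrides(SAMPLE_HOSTS)
    for name, addr, verdict in hits:
        print(f"{name} -> {addr}: {verdict}")
```

A legitimate workstation has no reason to pin a bank's hostname in its hosts file, so any hit on a monitored name is worth investigating regardless of the address. This covers only the local-file form of pharming; a tampered resolver or router needs the same comparison done against the answers the resolver actually returns.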
5) In-session phishing
With this technique, a fake pop-up is generated as users browse on legitimate websites. The pop-up typically requests for account credentials or other personal information. Users, thinking that the pop-up is tied to the website they are browsing, enter their information which is then retrieved by the cybercriminals.
The best defense against this phishing technique is to always ensure that your browsers have pop-up blockers enabled.
6) Watering-hole attacks
Watering-hole attacks are a passive form of phishing. In this instance, the attackers infect legitimate websites and simply wait for unsuspecting users to access these sites. Once these sites are accessed, the attackers are then able to retrieve the users’ account credentials.
This type of attack is extremely difficult to detect and guard against since the website appears legitimate and there’s no way to identify the phishing attempt.
7) Search engine attack
In a search engine attack, also known as search engine poisoning, cybercriminals attempt to manipulate search engine results so that infected websites appear at the top of the results. Users, believing the websites returned by their search to be genuine, enter their credentials into these websites and, in so doing, offer up their account information to the cyber attackers.
This type of attack is also difficult to detect and guard against since a user doesn’t typically think about the websites in the search engine being dangerous to their computer.
With many possible phishing attack vectors through which your network can be compromised, it is important to engage the services of experts who are well versed in these attack techniques. At Cyber Sainik, we know all about the various phishing techniques and how to ensure that you do not become a victim. Contact us today for more information.