The number of phishing attempts aimed at tricking users into giving up personal information nearly tripled last year compared with the previous year, and more than doubled during the months when people were confined to their homes to curb the spread of Covid-19.
The Cyber Security Agency of Singapore (CSA) revealed this in its latest report, stating that there were 47,500 phishing cases in Singapore last year, up from 16,100 cases in 2018.
This mirrors global trends: the number of phishing attacks worldwide increased in 2019, reaching its highest level since 2016. Here are six common phishing attack examples and how to protect against them.
Phishing attack examples: Deceptive Phishing
The most common type of phishing scam is deceptive phishing. In this scheme, fraudsters pose as a reputable company to obtain people’s personal information or login credentials. These emails use threats and a sense of urgency to frighten recipients into doing what the attackers want.
How to Defend Against Deceptive Phishing
The success of a deceptive phish depends on how closely the attack email resembles genuine correspondence from the company being impersonated. With this in mind, users should carefully inspect every URL to see whether it leads to an unfamiliar or questionable website. They should also watch for generic salutations, grammatical problems and spelling mistakes.
Phishing attack examples: Spear Phishing
In this scheme, fraudsters personalize their attack emails with the target’s name, position, company, work phone number and other details to convince the recipient that they have a connection with the sender. The goal is the same as in deceptive phishing: to trick the victim into clicking on a malicious URL or email attachment and handing over their personal information.
Given the amount of information needed to build a convincing attack, it is no surprise that spear phishing is widespread on social media sites such as LinkedIn, where attackers can draw on numerous data sources to craft a targeted attack email.
How to Defend Against Spear Phishing
To protect against this scam, firms should provide ongoing staff security awareness training that, among other things, discourages users from disclosing sensitive personal or corporate information on social media. Companies should also invest in technology that detects known malicious links and email attachments in incoming email. Such a solution should be able to detect both known malware and zero-day threats.
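The two defensive checks described above, inspecting every URL and looking for generic salutations against deceptive phishing, and screening incoming mail for malicious links and attachments against spear phishing, can be automated in a mail gateway or a triage script. The following Python example is added here and is not code from the original article or from any product it mentions. It assumes a hypothetical allow-list of trusted domains and a hypothetical attachment policy; the sample email is constructed for the demonstration. It flags links whose visible text shows one domain while the href points to another, links to raw IP addresses or punycode hosts, links outside the allow-list, generic salutations and risky attachment types.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: domains this organisation legitimately links to in email.
TRUSTED_DOMAINS = {"example-bank.com"}

# Hypothetical policy: attachment types that should never arrive unsolicited.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso"}

# Generic salutations that a legitimate, personalized message would not use.
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear valued member",
                       "dear account holder")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    """Crude 'registered domain' approximation: the last two labels."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyse_email(html_body, attachments):
    """Return a list of findings explaining why an email looks like a phish.

    An empty list means none of the checks fired; it does not prove the mail is safe.
    """
    findings = []
    parser = _LinkExtractor()
    parser.feed(html_body)

    # Salutation check on the tag-stripped text.
    text = re.sub(r"<[^>]+>", " ", html_body).lower()
    if any(s in text for s in GENERIC_SALUTATIONS):
        findings.append("generic salutation")

    for href, visible in parser.links:
        h = _host(href)
        if not h:
            continue
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", h):
            findings.append(f"link to raw IP address: {h}")
        if "xn--" in h or any(ord(c) > 127 for c in h):
            findings.append(f"internationalised/punycode host: {h}")
        if _registrable(h) not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted domain: {h}")
        # The visible text looks like a URL but the href goes elsewhere.
        if visible.lower().startswith(("http://", "https://", "www.")):
            shown = _host(visible if "://" in visible else "http://" + visible)
            if shown and _registrable(shown) != _registrable(h):
                findings.append(f"link text shows {shown} but points to {h}")

    for name in attachments:
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type: {name}")
    return findings


# Constructed sample message for the demonstration (not a real phishing email).
SAMPLE_BODY = """<p>Dear Customer,</p>
<p>Your account will be suspended. Please verify at
<a href="http://example-bank.com.verify-login.net/auth">https://example-bank.com/login</a>
within 24 hours.</p>"""
SAMPLE_ATTACHMENTS = ["invoice.pdf", "statement.exe"]

if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print("-", finding)
```

Running the script on the constructed sample reports the generic salutation, the untrusted domain, the mismatch between the displayed URL and the real link target, and the executable attachment. The registrable-domain approximation is deliberately simple; a production filter would use the public suffix list and a reputation feed rather than a two-label heuristic.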
Phishing attack examples: Whaling
Spear phishers can target anyone in a company, including executives. That is the reasoning behind a “whaling” attack: scammers attempt to harpoon an executive and capture their login credentials.
If the attack succeeds, the thieves can go on to commit CEO fraud. CEO fraud is the second stage of a business email compromise (BEC) scam, in which attackers use the compromised email account of a CEO or other high-ranking executive to authorize fraudulent wire transfers to a financial institution of their choice. Alternatively, they can use the same email account to conduct W-2 phishing, requesting W-2 information for all employees in order to submit fictitious tax forms on their behalf or post that data on the dark web.
How to Defend Against Whaling
Whaling attacks work because executives frequently skip the security awareness training their employees receive. To counter CEO fraud and W-2 phishing, firms should require all corporate staff, including executives, to take part in regular security awareness training.
Organizations should also consider incorporating multi-factor authentication (MFA) channels into their financial authorization processes so that no one can authorize payments solely through email.
Phishing attack examples: Vishing
So far we have discussed phishing attempts that rely mostly on email. Fraudsters, however, sometimes use other channels to carry out their attacks.
Consider vishing. This form of phishing attack forgoes the email in favor of a phone call. According to Comparitech, a vishing campaign can be run by setting up a Voice over Internet Protocol (VoIP) server to impersonate numerous companies in order to steal sensitive data and funds. According to the FBI, malicious actors used these techniques to scale up their vishing operations and target remote employees in 2020.
How to Defend Against Vishing
To protect themselves from vishing, users should avoid answering calls from unknown numbers, never give out personal information over the phone, and use a caller ID app.
Phishing attack examples: Smishing
Vishing is not the only form of phishing that digital criminals can carry out by phone. They can also engage in what is known as smishing, which uses malicious text messages to dupe users into clicking a malicious link or disclosing personal information.
How to Defend Against Smishing
Users can help defend against smishing by looking up unfamiliar phone numbers and, if in doubt, contacting the company named in a suspicious SMS message directly.
Phishing attack examples: Pharming
As users grow more aware of typical phishing schemes, some con artists have abandoned the idea of “baiting” their victims altogether and are turning instead to pharming. This technique uses cache poisoning against the domain name system (DNS), the naming system the Internet uses to translate human-readable website names such as “www.microsoft.com” into numerical IP addresses so that users can be directed to the right services and devices.
In a DNS cache poisoning attack, a pharmer targets a DNS server and alters the IP address associated with a website name. The attacker can thereby route users to a malicious website of their choosing, and this remains the case even when the victim types the correct site name.
How to Defend Against Pharming
To guard against pharming, organizations should encourage employees to enter login credentials only on HTTPS-protected sites. Anti-virus software should be installed on all company devices, and virus database updates should be applied regularly. Finally, organizations should stay current with security updates provided by a reputable Internet Service Provider (ISP).
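Because a poisoned cache changes the answer a single DNS server gives while other resolvers still return the genuine address, one practical detection control is to resolve the organization's key domains through several independent resolvers and alert when they disagree or when an answer falls outside the address ranges the site is known to use. The Python example below is added here and is not code from the original article or from any product it mentions. To run offline it uses constructed table-backed resolvers and RFC 5737 documentation addresses; in practice each resolver callable would query a real DNS server, for example with `socket.gethostbyname_ex` for the system resolver or a DNS library pointed at a specific server.

```python
import ipaddress
from collections import Counter


def check_dns_consistency(name, resolvers, expected_networks=None):
    """Compare the A-record answers that several resolvers give for `name`.

    resolvers: mapping of resolver label -> callable(name) returning a list of IPv4 strings.
    expected_networks: optional list of CIDR strings the site is known to live in.
    Returns a dict with the majority answer set ('consensus'), the resolvers whose
    answers differ from it ('outliers') and the resolvers whose answers fall outside
    the expected networks ('unexpected').
    """
    answers = {}
    for label, resolve in resolvers.items():
        try:
            answers[label] = frozenset(resolve(name))
        except Exception as exc:  # unreachable resolver, timeout, NXDOMAIN, ...
            answers[label] = frozenset({f"error:{exc}"})

    tally = Counter(answers.values())
    consensus, _ = tally.most_common(1)[0]
    outliers = sorted(label for label, ans in answers.items() if ans != consensus)

    unexpected = set()
    if expected_networks:
        nets = [ipaddress.ip_network(n) for n in expected_networks]
        for label, ans in answers.items():
            for ip in ans:
                try:
                    addr = ipaddress.ip_address(ip)
                except ValueError:  # error marker rather than an address
                    unexpected.add(label)
                    break
                if not any(addr in net for net in nets):
                    unexpected.add(label)
                    break

    return {"consensus": set(consensus),
            "outliers": outliers,
            "unexpected": sorted(unexpected)}


def _table_resolver(table):
    """Constructed stand-in for a real resolver: answers from a fixed table."""
    def resolve(name):
        return table[name]
    return resolve


# Constructed scenario: the branch office resolver holds a poisoned entry.
# 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges, not real hosts.
SAMPLE_RESOLVERS = {
    "corp-resolver":   _table_resolver({"www.example.com": ["192.0.2.10", "192.0.2.11"]}),
    "public-resolver": _table_resolver({"www.example.com": ["192.0.2.11", "192.0.2.10"]}),
    "branch-resolver": _table_resolver({"www.example.com": ["203.0.113.66"]}),
}
EXPECTED_NETWORKS = ["192.0.2.0/24"]  # hypothetical hosting range for the site

if __name__ == "__main__":
    report = check_dns_consistency("www.example.com", SAMPLE_RESOLVERS, EXPECTED_NETWORKS)
    print("consensus answer :", sorted(report["consensus"]))
    print("disagreeing      :", report["outliers"])
    print("outside expected :", report["unexpected"])
```

In the constructed scenario the two healthy resolvers agree on the genuine addresses, while the branch resolver is reported both as an outlier and as returning an address outside the expected range. Answers are compared as sets, so differences in record order do not trigger a false alarm; a site served by several changing CDN addresses would need a looser comparison, which is why the expected-network check is kept as an independent signal.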
By following the guidelines above, organizations can detect some of the most frequent phishing attacks. Even so, this does not guarantee that they will catch every phish. Phishing is continually taking on new forms and strategies. With this in mind, firms must provide ongoing security awareness training to their staff and leaders to keep pace with phishing’s evolution.