Phishing is a social engineering tactic in which an attacker attempts to obtain personal data from victims by posing as a trusted source, whether by email or by phone call. Users are tricked into giving up their information. The goal of a phishing attack can vary; however, attackers usually try to solicit personal information such as usernames, passwords, bank account details, or credit card numbers. Users may be directed to reply to the email or to "update" their information on a fake website.
Types of Phishing Attacks
🐠 Spear Phishing
Specific users or groups are targeted such as an individual or an organization. Emails sent to victims are customized to legitimize the messages such as using their names or personal information. Customization uses manipulation and builds trust to get victims to give up information.
🐠 Whaling
Like spear phishing, whaling targets specific individuals; however, instead of going after the 'small fish', attackers target the 'big fish': high-profile individuals such as executives or the wealthy. High-profile employees usually have broad or complete access to sensitive data. Attackers use highly customized and personalized emails to lure their victims.
🐠 Filter Evasion
Anti-phishing filters can detect and block emails containing suspicious links or attachments. To circumvent these filters, attackers use images instead of text in emails, so the filter has no text to inspect.
🐟 Clone Phishing
A previously sent, legitimate email is copied, and the clone is resent to users to deceive them into thinking it is real. The cloned email carries fake links or attachments containing malware in place of the originals. Attackers may add a note explaining why the email was sent again to make the resend look plausible.
🐠 Pharming Website Forgery
Attackers create websites that resemble legitimate websites. In pharming, the name-to-address lookup is tampered with so that a legitimate domain name resolves to the attacker's IP address instead of the real one. So when a user types a website such as www.lifars.com into the browser, they are automatically sent to a fake site that looks the same.
Identifying a phishing attack is not always easy; however, there are a few signs that can give a warning. Emails that sound too good to be true, or that create a sense of urgency, should be looked at twice before users click on anything in them. Some cautionary steps users should take include:
- If an email sounds urgent or says to 'act now', contact the company directly through a known channel. Most organizations do not ask for sensitive information over email.
- Do not open attachments or click on links in unexpected emails.
- Look at the URLs behind email links before you click on them.
- If you do click on a link, make sure the URL you are directed to matches the site you expected.
- Read over the email looking for anything that looks off. Emails coming from legitimate sources will not contain grammar mistakes.
- If you receive a suspicious-looking email from a known individual, contact them through a new email rather than replying to that email.
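The link and urgency checks in the list above can be automated for mail triage. The following is an added example, not LIFARS code: it parses an HTML email body, flags links whose visible text shows one domain while the href goes to another, flags image-only bodies (the filter-evasion pattern described earlier), and flags urgency phrases. The sample email, the `URGENCY_PHRASES` list and the two-label domain comparison are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of urgency cues; a real deployment would tune this.
URGENCY_PHRASES = ("act now", "urgent", "immediately", "account will be suspended")

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs and counts images and text in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self.text = [], 0, []
        self._href, self._anchor = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._anchor = a["href"], []
        elif tag == "img":
            self.images += 1
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None

def _site(s):
    """Last two DNS labels of a URL or bare domain (rough approximation; no public suffix list)."""
    if "://" not in s:
        s = "http://" + s.strip()
    host = (urlparse(s).hostname or "").lower()
    return ".".join(host.split(".")[-2:]) if "." in host else ""

def analyze_email_html(html):
    """Return warning strings for the signs in the checklist: link mismatch, image-only body, urgency."""
    p = _LinkCollector()
    p.feed(html)
    body = " ".join(p.text).lower()
    findings = []
    for href, text in p.links:
        shown, real = _site(text), _site(href)
        if shown and shown != real:          # displayed domain differs from where the link really goes
            findings.append(f"link shows {shown} but goes to {real}")
    if p.images and len(body.strip()) < 40:  # mostly images, almost no text: filter-evasion pattern
        findings.append("image-only body")
    for phrase in URGENCY_PHRASES:
        if phrase in body:
            findings.append(f"urgency cue: '{phrase}'")
            break
    return findings

# Constructed sample lure: shows a familiar domain but the link goes elsewhere.
SAMPLE = ('<p>Your account will be suspended. Act now:</p>'
          '<a href="http://login-verify.example/x">www.lifars.com/login</a>')
```

Running `analyze_email_html(SAMPLE)` reports both the domain mismatch and the urgency cue, while a link whose text and href agree produces no findings.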
Contact LIFARS for cyber resiliency training today!