WHAT IS PHISHING?
Phishing is a cybercrime that uses tactics including deceptive emails, websites and text messages to steal confidential personal and corporate information.
Victims are tricked into giving up personal information such as their address, date of birth, name and social insurance number. Cybercriminals use this information to impersonate the victim – applying for credit cards, opening bank accounts, applying for loans, and committing other fraudulent activities.
Criminals who use phishing tactics are successful because they carefully hide behind emails and websites that are familiar to the intended victim. For example, the email address might be [email protected] instead of [email protected] and urge the recipient to update their account credentials to protect them from fraud.
Phishing is a type of social engineering that criminals use to steal data, infect computers and infiltrate company networks.
What Are The Different Types Of Phishing?
This is the most common phishing tactic. An email is sent to multiple recipients urging them to update personal information, verify account details or change a password.
Typically, the email is worded with a sense of urgency and with the need for the recipient to protect themselves from crime. The email is designed to appear to come from a legitimate source, for example customer service for Apple, a bank, Microsoft, PayPal or other known company.
A familiar website, for example, an email account login page or online banking page is injected with malicious content. This can include a link, form or pop-up that directs people to a secondary website where they are urged to confirm personal information, update credit card details and change passwords.
A carefully worded email arrives with a malicious link to a familiar website such as Amazon or another popular website. When the link is clicked, it takes people to a fake website designed to look exactly like the known website where they are prompted to update their account information or verify account details.
This common type of domain spoofing includes sending emails that masquerade as coming from the CEO, human resources or a colleague. The email may ask the recipient to transfer funds, confirm an e-transfer or wire transfer or to send tax information.
Hackers create fake websites that look just like a highly frequented website. This fake website has a domain that is slightly different, for example, outlook.you.live.com instead of outlook.live.com. People believe they’re on the right website and accidentally open themselves to identity theft.
Mobile phishing can involve fraudulent SMS, social media, voice mail or other in-app messages that inform the recipient their account has been closed, compromised or expiring. The message includes a link, video or message aimed at stealing personal information or installing malware on the mobile device.
Spear phishing is advanced targeted email phishing. The criminal targets a specific individual or organization and uses focused personalized messages to steal data that goes beyond personal credit card information. For example, infiltrating a bank, hospital or university to steal data that severely compromise the organization.
With voice phishing or vishing, a phone caller leaves a strongly worded voicemail or reads from script that urges the recipient to call another phone number. Often these calls are designed to be urgent and encourage the recipient to act before their bank account is suspended or they are charged with a crime.
This type of phishing requires sophisticated techniques that allow the criminal to violate a web server and steal information stored on the server.
With man-in-the-middle phishing attacks, the criminal tricks two people into sending information to each other. The phisher or criminal may send fake requests to each party or alter the information being sent and received. The people involved believe they are communicating with each other and have no idea they are being manipulated by a third-party.
Malware happens with a person clicks an email attachment and inadvertently installs software that mines the computer and network for information. Key logging is one type of malware that tracks key strokes to discover passwords. A trojan horse is another type of malware that is installed and tricks the person into entering personal information.
This type of malware uses online advertisements or pop-ups to encourage people to click a link that then installs malware on the computer.
Evil Twin Wi-Fi
A fake wi-fi access point is created that acts as a legitimate wi-fi hot spot. This can happen for example in an airport, coffee shop, hospital or any location where people access wi-fi. People log into this wi-fi access point thinking they’re using the legitimate spot, allowing criminals to intercept any data communicated on this fake wi-fi account.
These different types of phishing are part of a greater social engineering scheme. Social engineering is a savvy way to trick people into giving up access, details and information that they know they should keep secure and private.
Did You Know?
Social engineering and phishing are successful because they rely on the natural human tendency to trust others. People assume the password update or wire transfer request is legitimate because they recognize the source and believe they are acting in the best interests of themselves and others.
How Does Phishing Happen?
Phishing happens when an unsuspecting victim responds to fraudulent requests that demand action. This action can include downloading an attachment, clicking a link, filling out a form, updating a password, calling a phone number or using a new wi-fi hot spot. A crucial aspect of successful security awareness training is in educating people about how easy it is to be tricked into giving up confidential information.
6 Clues That You Are A Target Of A Phishing Email
- Link or button
- Contact information
Just because you know the person whose name is on the email doesn’t make it safe.
A name is easy to fake.
Check the email address to confirm that the email is really from that person.
Phishing simulation allows you to identify which employees are prone to phishing and to educate your team on how easy it is for phishing to happen.
How to Prevent Phishing
- Educate your employees about phishing. Take advantage of phishing simulation tools to educate and identify phishing risk.
- Use proven security awareness training and phishing simulation platforms to keep phishing and social engineering risks top-of-mind for employees. Create internal cyber security heroes who are committed to keeping your organization cyber secure.
- Remind your security leaders and cyber security heroes to regularly monitor employee phishing awareness with phishing simulation tools. Take advantage of phishing modules to educate, train, and change behavior.
- Provide ongoing communication and campaigns about cyber security and phishing. This includes establishing strong password policies and reminding employees about the risks that can come in the format of attachments, emails and URLs.
- Establish network access rules that limit the use of personal devices and the sharing of information outside of your corporate network.
- Ensure that all applications, operating systems, network tools, and internal software are up-to-date and secure. Install malware protection and anti-spam software.
- Incorporate cyber security awareness campaigns, training, support and education into your corporate culture.
What Is A Phishing Simulation?
Phishing simulation is the best way to raise awareness of phishing risks and to identify which employees are at risk for phishing.
Phishing simulation allows you to incorporate cyber security awareness into your organization in an interactive and informative format.
Real-time phishing simulations are a fast and effective way to educate people and increase alertness levels to phishing attacks. People see first-hand how CEO fraud, emails, fake websites, malware and spear phishing are used to steal personal and corporate information.
What are the Top 10 Benefits of Phishing Simulation?
Phishing simulation gives your organization these top 10 benefits:
- Measure the degrees of corporate and employee vulnerability
- Eliminate the cyber threat risk level
- Increase user alertness to phishing risk
- Instill a cyber security culture and create cyber security heroes
- Change behavior to eliminate the automatic trust response
- Deploy targeted anti-phishing solutions
- Protect valuable corporate and personal data
- Meet industry compliance obligations
- Assess the impacts of cyber security awareness training
- Segment phishing simulation
Learn More About Phishing Simulations
To learn more about phishing simulations and how to keep your organization cyber secure, email our principal, David McHale, at [email protected]