This article covers some examples of phishing you should be aware of, how to identify phishing attempts, and important measures to implement to prevent workplace phishing attacks.
What is Phishing?
Phishing uses a lure to trick a targeted individual into taking the bait and doing the wrong thing: typically disclosing the sensitive information the attacker is seeking, or running malicious code that lets the attacker compromise a device or network. The techniques used to trick people are generally referred to as social engineering and often involve impersonating a trusted individual or a company the target does business with.
The sensitive information sought by attackers in phishing campaigns includes account credentials (Microsoft Office 365/online banking/Netflix/Facebook etc.); Social Security numbers and contact information for identity theft; tax information for filing fraudulent tax returns; medical information for medical fraud; or sensitive company information (intellectual property/trade secrets). Phishing is also used for distributing malware which provides attackers with access to business networks for large-scale information theft and ransomware attacks.
The Different Types of Phishing
Phishing can take many forms, although the goals of the attackers are the same with each type of phishing. The most common attack vector is email, which accounts for around 96% of all phishing attacks.
- Email Phishing – Emails containing attachments that execute malicious code and download malware when opened, or links to websites where sensitive information is harvested. Some attacks simply request sensitive information, W-2 forms for instance, by impersonating a trusted individual such as the company CEO.
- Website Phishing – The use of ‘phishing kits’ on websites that harvest credentials, often by spoofing a trusted company.
- Social Media Phishing – The use of social media sites to trick people into visiting malicious websites or disclosing sensitive information, often by impersonating a company. These campaigns may attempt to obtain information that could make guessing passwords easier.
- Spear Phishing and Whaling – Targeted phishing attacks on small numbers of individuals. These attacks are personalized, targets are researched, and the emails are carefully crafted to maximize the probability of the individual responding.
- Smishing – Phishing attacks conducted over SMS or instant messaging services, often to obtain online banking credentials and two-factor authentication codes.
- Vishing – Voice phishing, where targets are contacted by phone by an attacker impersonating an authority figure who persuades them to disclose sensitive information, make a fraudulent payment, or install malware.
Examples of Phishing Attempts
There are many examples of phishing attempts using the above attack vectors – too many to list here. Below are some of the most common examples of phishing that are used in mass phishing campaigns. Knowledge of these examples of phishing and the red flags to look for will help you avoid the most common phishing attempts. Further examples of phishing should be provided in workplace security awareness training.
- Outstanding invoice – An invoice has not been paid and has been resent
- Shipping notice – A package has been dispatched – Details of the shipment are included in an attachment
- Delivery Failure – The delivery of a package has failed – Request to log in to reschedule delivery
- Order notification – Email for an order with all information included in the attached or linked file
- Suspicious account activity – Notification about a potentially suspicious log-in attempt or a pending suspicious charge requiring a login to verify
- Account closure – Your account will be closed unless immediate action is taken
- HR notifications – Email impersonating the HR department advising of disciplinary action, redundancy, salary review, or bonus
- Job offer – A notification – often spoofing LinkedIn – that a big company has headhunted the recipient for a new position
- Scanned document – Simple email providing a scanned document
- Voicemail message notification – Email notification about a voicemail message
- Collaboration request – A request from a colleague for collaboration on a report or presentation
- Security alert – A warning about unauthorized account access, malware infection, or another security incident that requires immediate action – often spoofing an Internet service provider, an antivirus company, or the IT department.
Examples of Phishing Red Flags
The following are examples of phishing red flags that indicate a message is not what it seems. Phishing emails may contain one or several of these red flags.
- Unknown sender
- Email sent to multiple individuals who are not known to you
- From name and email address do not match
- Email sent outside of business hours
- The subject line does not match the message content
- No contact information
- Unsolicited request
- Unsolicited email attachments
- Information is included in an attachment but next to no information is present in the email
- An attachment has an unfamiliar extension
- Unexpected links
- Links to unfamiliar or unrelated websites
- Link text does not match the destination URL (hover the mouse pointer over the link to check before clicking)
- Urgent action demanded
- The threat of adverse consequences if no action is taken
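As an added illustration that is not part of the original article, the following Python script checks a constructed sample email against several of the red flags above: a From name that does not match the sending address, a message sent outside business hours, an urgent subject line, an unsolicited attachment, and link text that does not match the destination URL. The business-hours window, the urgency word list and the brand-name heuristic are assumptions made for the demo, and all domains are reserved .test names.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not a real phishing email) that exhibits several of
# the red flags listed above; all domains are reserved .test names.
SAMPLE_EMAIL = """\
From: "Acme Accounts Payable" <notice@mailer-example.test>
To: a.user@example.test
Date: Sat, 06 Jan 2024 02:14:00 +0000
Subject: URGENT: outstanding invoice - account will be closed
Content-Type: text/html; charset="utf-8"

<p>Pay now: <a href="http://verify-example.test/login">https://acme.example.test/invoices</a></p>
"""
URGENCY_WORDS = ("urgent", "immediately", "will be closed", "suspended")
# Simplified anchor matcher for the demo; production code should feed the
# body through a real HTML parser (e.g. html.parser.HTMLParser) instead.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host(url):
    """Hostname of a URL, or '' if the text is not a URL."""
    m = re.match(r"^[a-z]+://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""

def red_flags(raw):
    """Return the red flags a raw RFC 5322 message triggers (heuristics only)."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(str(msg.get("From", "")))
    # Display name claims a brand that the sending domain does not contain.
    if name and name.split()[0].lower() not in addr.rsplit("@", 1)[-1].lower():
        flags.append("from-name/address mismatch")
    sent = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    if sent and (sent.weekday() >= 5 or not 8 <= sent.hour < 18):  # assumed 08-18, Mon-Fri
        flags.append("sent outside business hours")
    if any(w in msg.get("Subject", "").lower() for w in URGENCY_WORDS):
        flags.append("urgent action demanded")
    if any(p.get_filename() for p in msg.iter_attachments()):
        flags.append("unsolicited attachment")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in ANCHOR_RE.findall(body.get_content()):
            text = re.sub(r"<[^>]+>", "", text)  # strip nested tags
            if host(text) and host(text) != host(href):  # text vs. destination
                flags.append(f"link text {host(text)} -> {host(href)}")
    return flags
```

Run `red_flags(SAMPLE_EMAIL)` to see the four flags the sample triggers; a benign text/plain message sent on a weekday morning from a matching domain returns an empty list.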
How to Prevent Workplace Phishing Attacks
There are several different types of phishing, and no single cybersecurity solution will be able to block all attacks. Businesses should put several layers of protection in place to ensure that if any safeguard fails to block an attack, others will be there to provide protection.
- An email security solution – Prevents phishing emails from reaching inboxes
- A web filter – Blocks access to the websites where malware is downloaded and credentials are stolen
- Security awareness training – Ensures the workforce is trained on how to recognize and avoid phishing attempts
- Multi-factor Authentication – If credentials are stolen, they cannot be used on their own to access an account; a further authentication factor is required
TitanHQ provides three anti-phishing solutions: SpamTitan Email Security, WebTitan DNS Filtering, and the SafeTitan Security Awareness Training and Phishing Simulation Platform. For more information check out the links in the top-level menu above or give the TitanHQ team a call.