Phishing attacks use email or malicious websites to infect your machine with malware and viruses in order to collect personal and financial information. Cybercriminals attempt to lure users into clicking on a link or opening an attachment that infects their computer with viruses or malware, leaving it vulnerable to further attacks.
Phishing emails may appear to come from a real financial institution, e-commerce site, government agency, or any other service, business, or individual.
The email may also request personal information like account numbers, passwords, or Social Security numbers.
When users respond with the information or click on a link, attackers use it to access their accounts.
In this guide I will be discussing the following:
- Types of phishing attacks.
- Phishing examples.
- Tips to avoid phishing attacks.
6 most common types of phishing attacks
- Deceptive phishing
Deceptive phishing refers to any attack in which fraudsters impersonate a legitimate company and attempt to steal people’s personal information or login credentials.
These emails use threats and a sense of urgency to scare users into doing the attackers’ bidding.
The success of a deceptive phish hinges on how closely the attack email resembles a legitimate company’s official correspondence.
What to look out for to avoid this attack:
- Inspect all URLs carefully to see if they redirect to an unknown website.
- Look out for generic salutations, grammar mistakes, and spelling errors scattered throughout the email.
- Spear phishing
In spear phishing, fraudsters customize their attack emails with the target’s name, position, company, work phone number, and other information in an attempt to trick the recipient into believing that they have a connection with the sender.
How to protect against this type of attack:
- Organizations should conduct ongoing employee security awareness training that discourages users from publishing sensitive personal or corporate information on social media.
- Companies should also invest in solutions that are capable of analyzing inbound emails for known malicious links or email attachments.
- CEO Fraud
This is where attackers impersonate an executive and abuse that individual’s email to authorize fraudulent wire transfers to a financial institution of their choice.
This attack works because executives often don’t participate in security awareness training with their employees.
How to counter this CEO fraud threat:
- All company personnel including executives should undergo ongoing security awareness training.
- Organizations should also consider amending their financial policies, so that no one can authorize a financial transaction via email.
- Pharming
This is a method of attack that relies on domain name system (DNS) cache poisoning.
Basically, the internet’s naming system uses DNS servers to convert alphabetical website names, such as www.wikipedia.org, into the numerical IP addresses used to locate computer services and devices.
A pharmer targets a DNS server and changes the IP address associated with an alphabetical website name.
This means an attacker can redirect users to a malicious website of their choice even if the victims entered the correct website name.
How to protect against pharming attacks:
- Organizations should encourage employees to enter login credentials only on HTTPS-protected sites.
- Companies should also install anti-virus software on all corporate devices, keep its virus databases updated, and apply security upgrades issued by a trusted Internet Service Provider (ISP) on a regular basis.
- Dropbox phishing
These are attack emails tailored to a specific company or service. For example, millions of people use Dropbox every day to back up, access and share files.
In this case, attackers try to capitalize on the platform’s popularity by targeting its users with phishing emails.
How to protect against Dropbox phishing attacks:
- Users should consider implementing two-step verification (2SV) on their accounts.
- Google Docs Phishing
Fraudsters could choose to target Google Drive similar to the way they might prey upon Dropbox users.
As Google Drive supports documents, spreadsheets, presentations, photos, and even entire websites, phishers can abuse the service to create a webpage that mimics the Google account log-in screen and harvest user credentials.
To protect yourself from this phishing attack, you should consider implementing 2SV. The security feature is accessible via SMS messaging or the Google Authenticator app.
Here are the most common examples of messages attackers may email or text when phishing for sensitive information:
- “We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.”
- “During our regular verification of accounts, we couldn’t verify your information. Please click here to update and verify your information.”
- “Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.”
Here are more examples of actual phishing emails, and steps to take if you believe you received a phishing email.
Tips to prevent phishing attacks
- When in doubt, throw it out
Links in email and online posts are often the way cybercriminals compromise your computer. If it looks suspicious – even if you know the source – it’s best to delete or, if appropriate, mark it as “junk email.” Contact the company directly (via phone) to be sure the email is not legitimate.
- Think before you act
Be wary of communications that implore you to act immediately, offer something that sounds too good to be true, or ask for personal information.
- Use stronger authentication
Always opt to enable stronger authentication when available, especially for accounts with sensitive information, including your email or bank accounts. Stronger authentication helps verify that a user is authorized to access an online account.
For example, it could be a one-time PIN texted to a mobile device, providing an added layer of security beyond the password and username.
- Make passwords long and strong
Combine capital and lowercase letters with numbers and symbols to create a more secure password.
- Install and update anti-virus software
Make sure all of your computers are equipped with regularly updated antivirus software, firewalls, email filters, and antispyware.
- Be wary of hyperlinks
Avoid clicking on hyperlinks in emails; type the URL directly into the address bar instead. If you choose to click on a link, ensure it is authentic before clicking on it. You can check a hyperlinked word or URL by hovering the cursor over it to reveal the full address.
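The "inspect all URLs carefully" and "be wary of hyperlinks" advice above can be automated for a whole email body. This is an added example of my own, not code from any product mentioned in this guide: it pulls every link out of an HTML email, flags links that are not HTTPS and links whose visible text shows one host while the real href points at another, and also spots the generic salutation red flag. The email body and all domains in it are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure (not a real message): the link text shows a bank-looking
# HTTPS URL, but the actual href goes to an unrelated, non-HTTPS host.
SAMPLE_EMAIL_HTML = """
<p>Dear Customer,</p>
<p>We suspect an unauthorized transaction on your account. Please
<a href="http://secure-login.example-verify.test/confirm">https://www.examplebank.test/login</a>
to confirm your identity.</p>
<p><a href="https://www.examplebank.test/help">Help center</a></p>
"""

GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear account holder")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Return (href, reason) findings for every link that deserves a second look."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        if target.scheme != "https":
            findings.append((href, "not HTTPS"))
        # If the visible text is itself a URL, its host must match where the link really goes.
        if re.match(r"https?://", text):
            shown = urlparse(text)
            if shown.hostname != target.hostname:
                findings.append((href, f"displayed host {shown.hostname} != actual host {target.hostname}"))
    return findings


def has_generic_salutation(html):
    """True when the message opens with a generic greeting instead of the recipient's name."""
    text = re.sub(r"<[^>]+>", " ", html).strip().lower()
    return text.startswith(GENERIC_SALUTATIONS)
```

Running `check_links(SAMPLE_EMAIL_HTML)` reports the first link twice (plain HTTP, and a displayed host that differs from the real one) and is silent on the genuine help-center link.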
Now I want to hear from you.
What do you think of phishing attacks and threats?
Or maybe I missed an important aspect of phishing.
Either way, let me know by leaving a comment below.