Phishing attacks are proliferating on the web. Their sheer volume has helped them become one of the most common sources of data breach used today.
From the time it was first described in a paper by the International HP Users Group, Interex in 1987 to today, phishing has become one of the most well-known strategies for stealing credentials among both cybersecurity experts and the general public.
Itself a subset of social engineering, phishing has exploded in diversity in recent years, evolving from error-riddle, wide-net attempts to fool one user out of thousands to a highly sophisticated and often narrowly targeted con. The endgame remains the same: to swipe confidential information from an unsuspecting target in order to extract something of value.
We’ll dive into a few of these methods here, but for examples of these attacks and additional techniques, download the 11 Types of Phishing eBook here.
Taking standard phishing one nasty step further, this type of phishing injects bugs onto a device by convincing the user to click a link or download an attachment. The action is used to smuggle malware onto the machine, resulting in damage, a ransom, spyware, keyloggers, or some other syndrome. Malware phishing is currently the most widely used form of phishing attack. If you've received an email from an unknown sender, it best to delete it before clicking anything or downloading attachments. Never accept an invitation to "enable macros" in order to view a document.
Phishing can happen over the phone, too. Vishing involves a fraudulent actor calling a victim pretending to be from a reputable organization and trying to extract personal information, such as banking or credit card information. Most often, the “caller” on the other line obviously sounds like a robot, but as technology advances this tactic has become more difficult to identify. You may have recieved a call at home or work claiming the IRS has issued a warrant for your arrest for non-payment of taxes. This is common vishing scheme. In fact, vishing usually makes the IRS’s "Dirty Dozen" list of scams targeting Americans each tax season.
The deceptive tactic of taking advantage of exploits within advertising or animation software becomes phishing when used to steal information from targeted users. Malvertising is usually embedded in otherwise normal-looking ads—and placed on legitimate websites like Yahoo.com—but with malicious code targeting the platforms they run on implanted within. The RIG exploit kit, one of the most successful malvertising tools to hit the internet, takes the split seconds it takes for an ad to redirect to its intended location to inject malware into a browser commanding it to begin encrypting files that can then be held for ransom.
Generally, a man-in-the-middle attack involves an eavesdropper monitoring correspondence between two unsuspecting parties. When this is done to steal credentials or other sensitive information, it becomes a man-in-the-middle phishing attack. These attacks are often carried out by creating phony public WiFi networks at coffee shops, shopping malls, and other public locations. Once joined, the man in the middle can phish for info or push malware onto devices. On most personal computers, especially those running on Windows operating systems, local file sharing is turned on by default. To prevent malware from being pushed to your device, toggle this setting to off when on unfamiliar networks.
Knowledge is Protection
Protecting yourself from phishing attacks starts with knowing what’s out there. But while staying vigilant will keep most attackers at bay, no one can be 100% secure on their own. That’s why it’s important to have a secure, encrypted backup and recovery solution in place in case the worst happens and to educate users on the threats they face online.
For more types of phishing attacks, real-world examples, and more tips for keeping yourself or your business safe from such attacks, download the 11 Types of Phishing Attack eBook.