There are hundreds of different attack strategies used by cybercriminals. One of those techniques is phishing. While an older strategy, it’s still successfully used by cybercriminals with new variations being considered and implemented, but what is phishing and how can you prevent it?
What is Phishing?
Phishing is a form of cybercrime that involves the attacker contacting an individual claiming to be from reputable companies with the intention of tricking the user to gain access to sensitive, confidential and crucial personal and organizational data, or to deploy malicious software such as ransomware. Your bank details and company access password is the most wanted information by cybercriminals.
What are the Different Types of Phishing?
There are different kinds of phishing techniques used by scammers and the list constantly grows as cybercriminals think of new ways to gain access to the information they require. As technology and internet services evolve, hackers look for new opportunities to exploit weaknesses in security systems and gain access to confidential information and this can lead to users being caught in a newer, lesser known type of phishing attack. We explore some of the different types of phishing scams below:
- Deceptive Phishing
- Spear Phishing
- Whale Phishing
- Google Applications
- Fake Invoices
What is Deceptive Phishing?
Deceptive phishing, or email phishing, is the most common type of phishing attack and has been used for decades. A fraudulent, well-crafted and manipulative message is sent to impersonate legitimate organizations. Usually, there is just a slight variation in the from email address, and can often go unnoticed by regular internet users. The email contains a link, which leads to a fake webpage or installs malware on your device. These messages are not personalized or targeted to a specific individual and is also known as ‘bulk’ phishing. The intention is to hack your data and get access to your confidential or secretive personal information.
What is Spear Phishing?
Spear phishing is a strategy aimed at people who work at a particular business, or industry, in an attempt to gain access to the real target: the business itself. The emails are at least personalized and tend to use logos and email signatures, so that the emails are presented as a corporate marketing campaign, and give the receiver very little room to doubt its authenticity.
What is Whale Phishing?
Whale phishing is a highly targeted phishing attack aimed at the ‘big fishes’ of an organization – senior executives including business owners, directors, and key personnel. The attackers do some intensive research beforehand and in order to appear legitimate, the emails are presented in a personalized manner mentioning the essential details of the organization. The sender uses the email address similar to that of the taxation department or any other government body and often asks for some crucial information or money transfer. The overall impression of the email is very professional, but since it targets the higher-order smart personnel, its success rate is quite low.
What is Pharming?
Pharming is another phishing strategy where fraudulent emails are sent from authentic sources like banks and social media sites. These emails ask you to perform an urgent action in your account. This could be anything from changing the password to taking some security measures and manipulatively redirects you to a fake webpage. Pharming not only involves fraudulent emails but it also manoeuvres DNS cache. It uses the same web address as the source and appears to be exactly like the original site. It asks for your login details and hacks your accounts.
What is Smishing?
Smishing is a type of phishing attack that involves the use of SMS. False text messages are received, and either request a direct reply or contain a link to a phishing website, which is often a look-a-like to a site you are more familiar with.
Can I Be Hacked Through Google Applications Such As Docs?
A large number of internet users are dependent on Google apps, from the Play Store to Gmail. One Gmail account allows you to access and use a wide range of Google services. Most people use Google Docs, Sheets, Drive and other Google applications to store documents and photos as it seems very convenient and safe. This is the reason hacking Google passwords is one of the prime goals of the scammers. They devise emails and send it to Gmail users which directs them to their Google login page. Once you enter the password, your account and all files stored on it become accessible to the scammer.
Further to this, in early 2022, it was reported that the commenting feature in Google Docs was being exploited to send seemingly legitimate emails to convince targets to click malicious links. The threat actor creates a Google Docs document and adds a comment containing the malicious link, the victim is added via the “@” feature trigging an email with a link to the Google Docs file. The email will display the full comment, including the bad links and other text added by the attacker.
Can I Be Scammed From An Invoice?
Yes, fake invoicing is a type of phishing scam in which an invoice or bill is sent to a company or individual, requesting payment for goods or services. This can include demand for funds, the due date for the payment has passed, or a notification of a change in payment details.
How to Prevent Phishing
Phishing attacks are becoming an increasing concern for businesses. According to a recent report by IBM, phishing is the second most common cause of a data breach, but it is also the most expensive, costing businesses an average of $4.91 million. But what steps can your business take to prevent phishing attacks?
Double Check the Content
Most fraudulent emails have a lot of loopholes in their content. Though most phishing emails address you directly and use personal information to trick you, they don’t have the complete information. If you carefully examine the subject matter and content of these emails, you can get an idea about its authenticity.
- Be suspicious over attachments – are you expecting them (e.g. invoice or file download)?
- Be careful when giving sensitive information such as login credentials, credit card details, phone numbers or bank details
- Watch out for poor grammar and spelling errors
The major trick played by the scammers is that they create a sense of urgency with their phishing emails. You only fall into the trap if you take action hastily. So, it is essential to stay calm, think before you click and make your moves wisely.
Double Check All Links
To prevent phishing, it is recommended to double-check the email addresses and website links before clicking on any link. Fraudulent addresses are almost identical to the original ones, but they are not the same, often with a slight change in spelling or character use.
- If the link is requesting login details, go to the site directly not through the link on the email
- If you are on a desktop, you can hover over a link before you click to ensure it is a link you trust
- Look for HTTP secured sites for the signature of trust as a site with a TLS certificate
Secure Your Identity
A VPN, or Virtual Private Network, provides an encrypted tunnel for all your online activities. It disguises your original identity and location and allows you to connect with the world through secured remote servers. This eliminates the chance of spying and snooping, and cybercriminals cannot access your information and identity. A strong VPN also helps protect your connection from any attacking malware and makes your online existence safe and secure. VPN is a secure barrier in the way of phishing emails reaching your device.
Digitally Signed Emails
Counter phishing attacks with digitally signed emails and fortify your businesses email security with S/MIME certificates. Using two cryptographic functions, S/MIME can verify the origin of emails and sender identity and protect email communications in transit on mail servers through encryption. With S/MIME protocol, it is impossible to intercept and strip the digital signature from the email and digitally signed emails are guaranteed to be valid and legitimate.
Editor's Note - this blog was originally published in 2019 and was updated in October 2022.