The term “phishing” is a play on the word “fishing”: the criminal casts a lure (a legitimate-looking email, website or ad) and hopes users will “bite” by handing over the information requested, such as credit card numbers, account numbers, passwords, usernames or other valuable data.
Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information.
Phishing is often used to gain a foothold in corporate or governmental networks as part of a larger attack, such as an advanced persistent threat (APT) campaign. In this scenario, employees are compromised in order to bypass the security perimeter, distribute malware inside a closed environment, or gain privileged access to secured data.
Types of phishing attacks
1. Standard email phishing
Arguably the most widely known form of phishing, this attack is an attempt to steal sensitive information via an email that appears to be from a legitimate organization.
2. Malware phishing
Utilizing the same techniques as email phishing, this attack encourages targets to click a link or download an attachment so malware can be installed on the device. It is currently the most pervasive form of phishing attack.
3. Spear phishing
Where most phishing attacks cast a wide net, spear phishing is a highly targeted, well-researched attack generally focused on business executives, public personas and other lucrative targets.
4. SMS phishing (smishing)
SMS-enabled phishing delivers malicious short links to smartphone users, often disguised as account notices, prize notifications and political messages.
5. Search engine phishing
In this type of attack, cyber criminals set up fraudulent websites designed to collect personal information and direct payments. These sites can show up in organic search results or as paid advertisements for popular search terms.
6. Vishing
Vishing, or voice phishing, involves a malicious caller purporting to be from tech support, a government agency or another organization and trying to extract personal information, such as banking or credit card details.
7. Pharming
Pharming is a technically sophisticated form of phishing that abuses name resolution rather than the victim's judgement: by poisoning a DNS cache, tampering with the victim's hosts file or changing the DNS settings of a home router, the attacker reroutes traffic for a legitimate domain to a spoofed page without the user's knowledge, often to steal valuable information.
8. Clone phishing
In this type of attack, an attacker takes a legitimate email the victim has already received (often after compromising the original sender's account), makes a near-identical copy in which a legitimate link, attachment or other element is swapped for a malicious one, and sends it to the person's contacts to spread the infection. Because the message looks like one they have seen before, recipients are less likely to question it.
How to prevent phishing attacks
1. Do not click on unverified links
It's generally not advisable to click on a link in an email or instant message, even if you know the sender. The bare minimum you should be doing is hovering over the link to see whether the destination is the one the text claims. Some phishing attacks are fairly sophisticated: the destination page can be a carbon copy of the genuine site, set up to capture whatever you type into its login or payment form, and the hostname may differ from the real one by a single character or a lookalike (Unicode) letter.
2. Enable multi-factor authentication (or 2FA) for your online accounts
With 2FA, along with typing in the password, you will also be prompted to enter a security code sent to your phone or generated by an authenticator app. It's a longer process, but it makes your account much harder to take over with a stolen password alone. Note the limit, though: a phishing site that acts as a real-time proxy to the genuine login page can relay a one-time code just as easily as a password. Phishing-resistant methods such as hardware security keys or passkeys (FIDO2/WebAuthn) close that gap, because the browser binds each login to the origin of the page the user is actually on.
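The origin binding mentioned above is what makes FIDO2/WebAuthn resistant to the proxy attack that defeats one-time codes. The following is an added example, not code from the original page or from any vendor named in it: it shows the relying-party checks on the clientDataJSON a browser produces during a WebAuthn login, and what happens when that JSON was produced on a lookalike phishing origin. The origin, challenge value and message contents are constructed for the example; the signature check over authenticatorData and the clientDataJSON hash, which a real server also performs, is deliberately out of scope here.

```python
import base64
import json
import secrets

# Assumed relying-party origin and a constructed server-issued challenge.
RP_ORIGIN = "https://example.com"
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # WebAuthn uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_client_data(client_data_json: bytes, expected_origin: str, expected_challenge: bytes):
    """Relying-party checks on clientDataJSON for an authentication ceremony.

    Returns (ok, reason). The browser fills in "origin" with the page it is
    actually on, and the authenticator signs over a hash of this JSON, so a
    phishing page cannot forge a clientDataJSON claiming the genuine origin.
    """
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if data.get("type") != "webauthn.get":
        return False, f"unexpected type {data.get('type')!r}"
    try:
        challenge = b64url_decode(data.get("challenge", ""))
    except ValueError:
        return False, "challenge is not base64url"
    # Constant-time compare; a stale or replayed challenge must be rejected.
    if not secrets.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch (replay or stale ceremony)"
    if data.get("origin") != expected_origin:
        return False, f"origin mismatch: {data.get('origin')!r}"
    return True, "ok"


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Stand-in for the browser: builds clientDataJSON for the page it is on."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode()


# Constructed scenarios. In the relayed case a proxy phishing kit forwards the
# genuine challenge to the victim, but the victim's browser is on the lookalike
# origin, so that is the origin it records.
LEGIT = make_client_data("https://example.com", CHALLENGE)
RELAYED = make_client_data("https://example.com.login-verify.net", CHALLENGE)
STALE = make_client_data("https://example.com", bytes(16))

if __name__ == "__main__":
    for label, blob in (("legit", LEGIT), ("relayed", RELAYED), ("stale", STALE)):
        print(label, verify_client_data(blob, RP_ORIGIN, CHALLENGE))
```

Compare this with a one-time code: the code carries no information about where it was typed, so a relayed code verifies just as well as a code typed into the real site. Here the relayed login fails even though the challenge is correct and, in a full implementation, the signature would be valid too.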
3. Use a password manager
A password manager generates a unique password for every site and lets you log in without keeping a written copy of your passwords. It also helps against phishing directly: the manager only offers to fill a credential when the page's domain matches the one the credential was saved for, so on a lookalike domain nothing is filled, which is a useful warning in itself.
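Tips 1 and 3 both come down to the same comparison: the domain a link or page actually points to versus the domain the user thinks they are dealing with. As an added example that is not part of the original page, the script below pulls the anchors out of a constructed phishing email and flags the cases a hovering user is looking for: visible text that names one host while the href goes to another, punycode (IDN) hosts that may be homographs, plain-HTTP links, and hosts that contain a trusted brand's domain without being that domain (the same exact-match rule a password manager applies before autofilling). The sample HTML and the trusted-domain list are constructed; the "registrable domain" helper approximates the Public Suffix List with the last two labels, which is an assumption of the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    # Approximation of the registrable domain (last two labels). A production
    # tool should use the Public Suffix List, e.g. for co.uk-style suffixes.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Something that looks like a hostname (optionally with scheme) inside link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def analyse_link(href: str, text: str, trusted_domains) -> list:
    """Return findings for one anchor; an empty list means nothing suspicious."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return [f"non-web or malformed href: {href!r}"]
    if parts.scheme != "https":
        findings.append("plain http link")
    if "xn--" in host:
        findings.append(f"punycode (IDN) host {host}: possible homograph")
    # Link text names a host, but the href resolves to a different domain.
    m = HOST_IN_TEXT.search(text)
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        findings.append(f"text shows {m.group(1)} but href goes to {host}")
    # Exact-domain rule: example.com.login-verify.net or secure-example.com is
    # not example.com, which is why a password manager would not autofill there.
    for brand in trusted_domains:
        if brand in host and registrable_domain(host) != brand:
            findings.append(f"host {host} impersonates {brand} but is not that domain")
    return findings


def scan_email(html: str, trusted_domains) -> dict:
    parser = AnchorCollector()
    parser.feed(html)
    return {href: analyse_link(href, text, trusted_domains) for href, text in parser.links}


# Constructed sample message; the domains are placeholders, not real sites.
TRUSTED = {"example.com"}
SAMPLE_EMAIL_HTML = """
<p>Your account has been locked. Reset it here:
<a href="https://example.com.login-verify.net/reset">https://example.com/reset</a></p>
<p>Or visit <a href="https://accounts.example.com/help">our help centre</a>.</p>
<p>Invoice attached: <a href="http://xn--exmple-cua.com/inv">example.com</a></p>
"""

if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL_HTML, TRUSTED).items():
        print(href, "->", findings or "ok")
```

The second link is the only one that passes: its host is a genuine subdomain of the trusted domain. The first is the classic hover mismatch, and the third combines a homograph host with an unencrypted scheme. Brand names spelled with lookalike ASCII letters (rn for m, 0 for o) are not caught by the substring test and need a separate edit-distance or visual-similarity check.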
4. Browse securely with a VPN
A VPN (virtual private network) encrypts the traffic between your device and the VPN provider's server, so anyone on the local network (for example on public Wi-Fi) cannot read it, and the sites you visit see the VPN's IP address rather than yours. That is useful for privacy, but be clear about what it does not do: the encryption ends at the VPN server, not at the "intended recipient", and a VPN does nothing to stop you from typing your credentials into a phishing page you reached over it.
5. Stay updated
Make sure you install the latest updates to your OS and browser. Updates usually arrive when you don't have time to install them, but they exist for a reason: the software provider may have found vulnerabilities that malware delivered by phishing would otherwise exploit, and the update carries the fixes.
Organizations must give personnel regular awareness training in order to counteract the threat of phishing. Staff only develop healthy habits and recognize fraudulent messages as second nature when the guidance on spotting scams is repeated and practised.
Phishing tips for companies
Companies can use Cyber Security Hive's phishing simulation service to measure the organization's phish rate, the share of staff who act on a simulated phishing message. Once the phish rate is known, a cloud-based security awareness training program can be run across the organization.
A second round of phishing simulation then shows the change in the company's security posture, with a falling phish rate as the measurable result.