Phishing is a social engineering tactic that hackers use to obtain information, steal data (credit cards, SSN) or install malware. It is the number one method used by hackers to target individuals and companies! Phishing relies solely on human emotion.
In 2019, phishing made up 32% of confirmed breaches, as well as 78% of cyber-espionage incidents. In 2020, phishing remains one of the top threats to a company or individual.
2019 and 2020 Verizon DBIR
There are several techniques a user can apply to avoid these types of attacks. Phishing attacks are successful because they prey on human emotions. Bad actors tap into emotions, causing panicked reactions. Fortunately, there are several signs that a user can look out for in order to avoid being compromised.

The following is a list of definitions for the various types of attacks and steps to take to lessen the risk of a compromise.
Phishing Attack Types
Spear Phishing
Spear phishing targets a specific group, such as software engineers at a company. It is an in-depth version of phishing that requires special knowledge about an organization.
Whaling
Whaling targets specific individuals. Many think that because they are not executives such as Elon Musk, they are not targets. This is completely untrue. Individuals with access to sensitive data, like PII or source code, are targets too.
Smishing
Similar to email phishing, smishing uses text messages or SMS. Spam texts may include links or requests for OTP (One Time Passwords) that target wide audiences or specific individuals.
How to Protect Yourself
- Check your LinkedIn/Social Media and look at it from an attacker's standpoint. Do you unintentionally reveal what roles and access privileges you have?
- Don’t respond to emails asking for more information about you or your coworkers.
- Check for misspellings – Oftentimes these emails are poorly translated or contain intentional misspellings. Additionally, if a user is likely to click on a link in an email that has enough misspellings, they are more likely to give up credit card info.
- Sender Address – Check to see if it looks real (misspellings, different domain name, etc.). If you are unsure, use the web to see if the email address is valid.
- Emotional Appeal – Phrases like ‘Urgent’, ‘Warning’, ‘Suspended’, etc. cause a panicked reaction, which increases the chances that someone will click on the email. Make sure you are relaxed and try to follow the steps above to ensure that the email is not a phishing attempt.
- Verify links – Hover over links to see if they point to the correct domain. The visible text is generally not the link; the link sits behind the text, and hovering lets you confirm you are visiting the intended page. Even better, if possible, go to the site directly in your browser and log in instead of clicking the links. For example, if Capital One sends you an email with account suspension information, go to the site www.capitalone.com in your browser and log in to verify.
A note about gift card requests – gift cards, unlike credit cards or checks, are untraceable. It is quite common to see emails posing as your boss, friend, etc. requesting high value gift cards. Please call the person to confirm; it's highly unlikely that this individual is actually who they say they are!
Good luck and stay safe!