Many of today’s cyber criminals have “gone phishing.” While ransomware and malware attacks continue to steal headlines, phishing remains a serious, but less reported, threat that costs businesses millions of dollars every year. One reason phishing is becoming more common is the ease with which attackers can launch phishing attacks. Cyber criminals can gather personal and targeted information from social sites, shop for and customize phishing toolkits, and scrape genuine websites for fonts, images, and anything else they need to develop malicious replicas of the real deal. So, what is phishing, exactly, and how does it work? Let us explain five common types of phishing scams below.
5 of Types of Phishing Attacks
- Normal Phishing
- Spear Phishing
- Clone Phishing
- BEC Phishing
1. Normal Phishing
There are plenty of fish in the sea, so normal phishing, sometimes called deceptive phishing, involves scammers sending out emails in large batches in an attempt to hook anyone they can. Usually, the scammer will impersonate a legitimate company and attempt to steal people’s personal information or login credentials.
These email phishing scams commonly use threats or a sense of urgency to scare users into action. For example, PayPal fraudsters might release an phishing email instructing recipients to fix a discrepancy within their account or face penalties; UPS schemers may claim you have a delivery notification and must respond within 24 hours; or Office 365 phishermen may state there is a storage issue that needs immediate attention. A link included in the email leads to a phony login page that collects credentials and delivers them right into the scammers’ duplicitous hands.
How to avoid phishing: Success of normal phishing scams often depends on how well the email resembles official company correspondence. Look for generic greetings, typos, and a misspelling in the link (for example, two L’s in PayPal). Also, websites where it is safe to enter personal information begin with "https"—with the S standing for “Secure.” If you don't see "https," hit delete. Of course, the best way to avoid these is to not click the link. Cybersecurity experts suggest manually typing in the company’s website into your browser and login that way; if there is an account issue, you’ll find a notification within the official site.
2. Spear Phishing
Whereas normal phishing aims to hook anyone willing to bite, spear phishing targets a particular individual or organization. Spear phishers personalize their emails, and use information specific to their target to lead the recipient to believe they have a connection with the sender. This is often accomplished by impersonating an employee or contractor to obtain sensitive data or banking details. And, no one is safe—not even the most tech-savvy pros. In 2017, spear phishers posed as Quanta Computer, a legitimate Taiwanese electronics manufacturer that boasts both Google and Facebook as its clients, and conned the tech giants out of a combined $200 million for “unpaid invoices.”
How to avoid spear phishing scams: Spear phishing scammers often lurk on social sites like LinkedIn where they can gain a target’s personal and professional information to craft a highly-personalized attack email. Just posted that you attended this year’s cybersecurity conference? A spear phishing scammer will use this to their advantage, sending an email on conference letterhead asking how you liked the event while phishing for personal credentials. Organizations need to discourage employees from publishing sensitive personal or corporate information on social media.
Whaling is similar to spear phishing, but rather than targeting just any employee within a particular organization, whaling goes after the big ones! In order to focus on these high-profile members of the C-suite, phishermen may spend months researching their targets, analyzing their routines, and mapping their personal relationships. The scam itself may last weeks as well; to harpoon a whale, phishermen may wait to snare their target by first gaining trust through a series of back-and-forth exchanges.
Why spend all of this time and effort? Because bigger targets usually equal a bigger payday. The account credentials belonging to a CEO, for example, opens more doors than an entry-level employee.
How to avoid whaling: Top executives are unlikely to participate in security awareness training with their employees; they’re too busy focusing on the big picture. However, to avoid whaling it’s critical that they make time for training or engage sophisticated anti-phishing software. Organizations should also consider eliminating the ability to authorize financial transactions over a specified amount via email.
4. Clone phishing
Ever received a legitimate message from a company, only to receive a nearly identical one shortly thereafter? These clone phishing schemes replicate a recent message you’ve received, swap out the link for malicious one, and usually state that they’re resending an updated version in an effort to explain the duplicate nature of the email and persuade you into re-clicking and re-entering personal information.
How to avoid clone phishing: Reputable companies rarely send the same message twice. Rather than click the link, it’s always best to visit the company site directly or contact them via phone.
5. BEC Phishing
No one questions the CEO! Business Email Compromise phishing, or BEC, targets lower-level employees who still possess administrative rights by pretending to be a member of the C-suite and requesting specific and sensitive information.
This phishing scam works well in large corporations where employees know the name of the executives, but rarely, if ever, interact with them. It preys upon social engineering; because most employees don’t want to question or say no to an executive, the scam often goes off without a hitch. So, after reconnaissance is complete and targets have been selected, the phisherman sends an email disguised to look as if it came from top brass.
This email differs from most phishing attacks, however, as it doesn’t usually include a malicious link or attachment. Instead, it’s simply a message from an “executive” requesting a transfer of funds or access to sensitive data such as an employee’s tax information.
How to avoid BEC phishing: Recipients should check domain names, because while they may look like the corporate domain name at a glance, there can often be a slight variance upon further inspection. Employees should also be instructed to contact the executive directly if they are wary; what’s worse, a million dollar loss or a minute or two out of a CEO’s day?
Phishing is easy and the chances of getting caught are slim — making it a win-win for novice hackers and experienced pros alike. To avoid getting caught in a phishing trap, individuals and organizations must remain vigilant. But, humans are fallible, and relying on a so-called “human firewall” is never going to be 100% effective. To eliminate the need for often ineffective training, Clearedin is today’s answer to phishing. Clearedin attacks the phishing problem in a completely new way—by understanding an organization’s communication patterns and building a framework that identifies legitimate communications while flagging potential phishing with tremendous accuracy.