Most people are familiar with phishing attacks. After all,
they’re one of the most common forms
of data breach around.
At their most basic, phishing attacks are attempts to steal
confidential information by pretending to be an authorized person or
organization. Standard phishing is not targeted. It relies on achieving a few
successes out of hundreds or thousands of attempts. But because it’s so cheap
to pull off, both in terms of effort invested and cost to conduct, even one
person taking the bait makes a campaign worth a malicious actor’s time.
But phishing has evolved. “Standard” phishing as we commonly think of it is now only a subsection of tactics carried out to achieve the same end: to swipe confidential information from an unsuspecting target in order to extract something of value.
To better be on guard across the diverse group of tactics
that fall under the umbrella of phishing, users should be familiar with the
ways these attacks are conducted.
If standard phishing is akin to trawling the High Seas to
catch users indiscriminately, spear phishers are out for the trophy catch. Where
most phishing attacks cast a wide net, hoping to entice as many users as
possible to take the bait, spear phishing involves heavy research of a
pre-defined, high-dollar target—like a CEO, founder, or public persona—often
relying on publicly available information for a more convincing ruse. When the
target is sizeable enough, the CEO of a large, publicly traded company say, spear
phishing is sometimes called ‘whaling.’
SMS-enabled phishing uses text messaging to deliver
malicious links, often in the form of short codes to obscure the ultimate
destination of a link, to ensnare smartphone users in scams. The term
“smishing” is a portmanteau of SMS and phishing, and it’s an attractive method for
cybercriminals because of the high engagement rates for texts. According to some
sources, SMS open rates are around 98% compared to 20% for email. Messages
are often disguised as sweepstakes winnings, flash sales, coupon
codes, and requests for charitable or political contributions.
Business Email Compromise (BEC)
One of the most
expensive threats facing businesses today, business email compromise involves a
phony email, usually claiming to be someone from within or associated with a
target’s company, requesting a payment or purchase be made (often of gift
cards). A “confidence game” according to the FBI, BEC attempts are
often accompanied by a sense of high urgency to discourage critical thinking. Of
the $3.5 billion the FBI estimates businesses lost to cybercrime in 2019, nearly half ($1.7 billion)
was blamed on business email compromise.
Search Engine Phishing
In this type of attack, cyber criminals wait for you to come
to them. Search engine phishing injects fraudulent sites, often in the form of
paid ads, into results for popular search terms. These ads often promise
amazing deals, career advancement opportunities, or low interest rates for
loans. Remember, if it seems too good to be true, it probably is. Often, the
only difference between the scam result and the one you’re looking for is a
.com that should be a .org or a .org that should be a .gov. Be on the lookout
for strange endings to URLs. They may be just country-specific domains, but they
can also be hiding something more sinister.
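One way to automate the URL-ending check described above, as an added example that is not part of the original post: it flags a search result whose domain name matches a site you trust but whose ending differs. The trusted list, the short suffix set, and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the sites the user actually intends to visit.
TRUSTED = {"example-agency.gov", "example-charity.org", "example-bank.com"}
# Small hand-picked set of two-label country suffixes (assumption; a real
# deployment would consult the full Public Suffix List instead).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "com.au"}


def split_domain(host):
    """Split a hostname into (name, suffix): 'www.a.org.uk' -> ('a', 'org.uk')."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower(), ""
    two = ".".join(labels[-2:])
    n = 2 if two in TWO_LABEL_SUFFIXES and len(labels) >= 3 else 1
    return labels[-n - 1], ".".join(labels[-n:])


def check_url(url, trusted=TRUSTED):
    """Return (verdict, matched_trusted_domain) for a search-result URL.

    verdict is 'trusted', 'tld-mismatch' (same name, different ending,
    so it deserves a closer look) or 'unknown'.
    """
    # Accept bare hostnames as well as full URLs.
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    name, suffix = split_domain(host)
    if not suffix:
        return "unknown", None
    if f"{name}.{suffix}" in trusted:
        return "trusted", f"{name}.{suffix}"
    for good in sorted(trusted):
        good_name, good_suffix = split_domain(good)
        if name == good_name and suffix != good_suffix:
            return "tld-mismatch", good
    return "unknown", None
```

A 'tld-mismatch' verdict is a prompt for review, not proof of fraud: a country-specific ending can be legitimate, which is why the result names the trusted domain it resembles.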
Protecting Yourself from Phishing Attacks
Protecting yourself from phishing attacks starts with knowing what’s out there. But while staying vigilant will keep most attackers at bay, no one can be 100% secure on their own. That’s why it’s important to use an antivirus that relies on up-to-date threat intelligence and can block these threats in real time as they are clicked. It is also imperative for businesses to train their users on the types of phishing attacks employees could fall for.
For more types of phishing attacks, real-world examples, and more tips for keeping yourself or your business safe from such attacks, download the 11 Types of Phishing Attack eBook.
The post The Changing Face of Phishing: How One of the Most Common Attacks is Evolving appeared first on Webroot Blog.