August 06, 2020
Common Types of Phishing Attacks
It seems that cybercrime has become a part of everyday life, and hackers are using any opportunity to take advantage of an unknowing victim to gain access to personal information for financial gain. As gatekeepers to the data of today’s small and medium businesses (SMBs), managed service providers (MSPs) are also becoming increasingly targeted by these attackers.
One commonly used cyberattack is phishing. Phishing is an umbrella term for attacks that are typically delivered in the form of an email, chat, web ad, or website that has been designed to impersonate a real person, system, or organisation. Phishing messages are crafted to create a sense of urgency or fear, with the end goal of capturing an end user’s sensitive data. They can result in wire transfer fraud and credential phishing, and can carry malware attachments and URLs leading to malware-spraying websites.
Here are a few different types of phishing attacks to keep an eye out for.
Spear phishing is an attempt to gain access to credentials or financial information from a targeted individual. Attackers pass themselves off as someone the target knows well or an organisation they’re familiar with to gain access to compromising information and exploit the victim. These attacks are purposefully crafted to target a specific user or small group of users. They are typically crafted after the attacker has researched the target, resulting in a more personally relevant phishing attack.
Whaling is a form of spear phishing with a focus on a high-value target, meaning the fraudulent communication appears to come from a senior employee within an organisation, to boost credibility. This approach also targets other high-level employees within an organisation as the potential victims, and includes an attempt to gain access to company platforms or financial information. These attacks employ the same methods as spear phishing attacks.
Mass phishing campaigns cast a wider net than the targeted techniques of spear phishing and whaling. True to their name, they are sent to the masses in the hope that a subset of the recipients will fall victim. Typically, these are sent via email from a knock-off corporate entity insisting a password needs to be updated or credit card information is outdated. The damage caused by falling victim to a mass campaign may not be as immediately evident as with more targeted attacks, because there is a lag time between the successful attack and the sale of the data obtained in the attack.
Ambulance Chasing Phishing
This form of phishing is commonly a mass campaign, but can also be spear phishing. With ambulance chasing phishing, attackers play off current crises to drive urgency for victims to take action that will lead to compromised data or information. For example, targets of this form of phishing may receive a fraudulent email encouraging them to donate to relief funds for recent natural disasters or the COVID-19 global pandemic.
Pretexting is a highly effective method of phishing as it reduces human defenses by creating the expectation that something is legitimate and safe to interact with. Pretexting involves an attacker doing something via a non-email channel to set an expectation that they’ll be sending something seemingly legitimate in the near future. For example, attackers may call and leave a voicemail posing as a vendor, saying that their contract will be sent shortly via email. Then, an email pertaining to the voicemail will be sent containing malicious links.
These are just a few of the ways malicious actors will try to exploit businesses and their unknowing employees to gain access to credentials and financial information. To stay ahead of the curve, it’s crucial to educate your clients on the risks they face as the cyber security landscape continues to evolve and hackers become more sophisticated.