Cybercriminals do not focus on just one or a few strategies to achieve their goals, but have multiple tactics at their disposal to breach the security of their prey. One of them, which we will discuss today, is the method known as Phishing.
At Inprosec we will tell you what it is, its different types and how to avoid get pished.
What is Phishing?
To cut to the chase, Phishing is a form of cyber-attack where the attacker poses as a trustworthy organisation or contact to deceive other users in order to obtain sensitive data such as personal information, business data or even generate opportunities to sneak in malicious software.
The most targeted information is usually passwords or bank details.
What types of phishing are there?
This is a technique that has been around for a long time, but it has not stopped being updated over the years. Cyber-attackers are always finding new ways to renew it, refining their communication and visual strategies and improvising new communication channels. With the development of the internet as one of the main means of communication, phishing has not ceased to increase in creativity and effectiveness.
Here are some of its variants:
Email Phishing
Email phishing, also known as deceptive phishing, is the most common phishing practice in general. Used for decades, its landmarks include the theft of bank accounts. Its procedure consists of arriving in the inbox of those affected in the form of a corporate email, created in a way that is trustworthy and attractive to the user’s eyes by copying colours, banners and fonts of legal or famous entities.
These emails contain malicious links which, once clicked on, are subject to data theft or the automatic installation of all kinds of malware on their computers. They are not usually personalised, but are created to be sent to a mass audience looking for a small percentage to take the bait.
The best way to spot them is to look at the email addresses, as they often contain characters or numbers that differentiate them from trustworthy corporate or personal emails.
Spear Phishing
This is a strategy that targets users working in particular businesses or very specific (or small) industries, with the aim of taking over the business itself. In this case, the emails are much more elaborate, using logos and signatures that mimic or copy the real thing, and the wording is more personalised and targeted to the user than in the case of traditional email phishing.
Whale Phishing
Unlike Spear, Whale Phishing is a large-scale attack targeting the leaders or “bigwigs” of large organisations. Before executing this type of attack, hackers carry out an intensive search to collect data on their targets, and carefully strategise their mailings. They often use sensitive data to build relationships with targets, such as stolen secret reports or information that should not be known outside the organisation. In addition, their mailings are well documented to make them appear reliable and from within the targeted organisations.
The idea behind these attacks is almost always financially motivated, asking for money for budgets or projects. Fortunately, very few of these emails are successful.
Pharming
In this type of phishing, the emails are sent from legitimate or official sources. Usually, urgent actions are requested, such as correcting banking information or changing the password of certain accounts.
The way the fraud works is in the redirection, passing through a fake website where the data is stored. It can also affect the DNS cache, sending those affected to a fake website identical to the original where sensitive data is stolen.
Smishing
In contrast to the above, smishing involves the fraudulent extraction of user data via SMS instead of email. These take the affected parties to fake pages, very similar to the original ones, where they are asked to fill in data that is stored.
Vishing
This is a type of scam, in the form of a telephone call, in which an attempt is made to intimidate the recipient into giving up his or her data and information. The name comes from combining the words voice and phishing.
Usually, the caller pretends to be an important and trusted entity and asks the user for sensitive data such as their ID number, bank account number or passwords to important services.
Although attackers often change their phone number, and bypass the SPAM filters on our mobile phones, we have to be aware that no entity would ask for our most sensitive data over the phone, but only through channels confirmed as official and secure.
How can we avoid Phishing?
These are the points to bear in mind when it comes to avoiding phishing:
Carefully review the contents of emails
Most fraudulent emails start to deflate if you look at their content. When they try to hold on to information about the person concerned, they rarely offer all the data, but only small drops. It is important to keep this in mind, as legitimate e-mails will always use complete information, especially if it is sensitive.
Do not overlook the issue of grammar and spelling, whether the content of the email is what you would expect from such an email, or whether you are asked for information that you would never be asked for (e.g. your passwords).
Pay attention to email addresses and links
As we have repeated several times throughout this article, the best way to avoid falling for this kind of scam is to look closely at the email addresses, as this is the most difficult element of an original email to replicate.
It is also advisable to pay attention to the structure of the links contained in the email, as despite appearing to be identical to real URLs, they will always have a different/erroneous character or UTM that can tip us off that we are dealing with a fraudulent email. For example, a good way is to make sure that the links have HTTPS protocol instead of HTTP, as Google marks the former as secure websites.
Secure your identity
Using a VPN (Virtual Private Network) allows you to interact within an encrypted tunnel that protects you while surfing the web. It makes your identity and location get masked thanks the direct connection to private servers. Of course, this minimises the likelihood that your data can be snooped on.
Surfing with the VPN activated as a matter of course is one of the most reliable methods to avoid phishing.
Digitally signing emails
Another increasingly reliable method is to use S/MIME certificates, which allows you to strengthen the security of your corporate emails.
This consists in the requirement of a digital signature for emails, which, without it, will be returned to the sender without the possibility of reaching their target.
In this way, S/MIME will be able to verify the origin of emails and protect you from phishing by means of cryptographic functions. It is practically impossible to replicate the cryptographic signature of these systems, so security will be unassailable.
