Have you ever received an email asking you to click on a link to reactivate your online banking account because of a suspected fraudulent activity? Or have you ever gotten a text or phone call saying you owe money to a government agency? If you answered yes to any of these questions, you might have come across a phishing scam.
What is phishing?
Phishing is a type of cyberattack wherein cybercriminals trick unsuspecting users into disclosing personal and financial information, such as names, email addresses, passwords, and credit card data. They do this by posing as legitimate companies or someone the recipient might trust.
Phishing was the most common cyberattack in 2020, with 241,324 incidents recorded — more than double the number reported in 2019. The fact that cybercriminals have been exploiting the COVID-19 pandemic to victimise more people is making things worse.
To mitigate the risk of falling victim to phishing attacks, you must know what you’re up against. Here are the most dangerous types of phishing attacks you must watch out for, and how you can defend against them:
1. Deceptive phishing
In this scheme, cybercriminals use emails to impersonate a trusted organisation to steal sensitive information. These messages usually create a sense of urgency to scare recipients into doing what the attackers want them to do.
For instance, fraudsters can send out an email purportedly from PayPal that instructs recipients to click on a link to correct an urgent security issue with their account. If the recipient clicks on it, they will be taken to a spoofed (legitimate-looking but inauthentic) PayPal login page.
If the unsuspecting user enters their login credentials on the fake page, the details will be sent to the cybercriminals, who will then use them to infiltrate the user’s PayPal account to steal money and personal information.
To protect against deceptive phishing, users should always inspect the legitimacy of an email’s sender address, and any links or attachments that come with it. They should also look out for generic salutations (e.g., Dear ma’am/sir), grammatical errors, and spelling mistakes in the email.
You can also implement multifactor authentication (MFA) to protect your accounts. MFA requires the user to enter another proof of the account owner’s identity on top of a password, such as a one-time passcode, security key, or a fingerprint scan. So even if a hacker gets a hold of a user’s login credentials, they won’t be able to log in without providing the subsequent authentication factors.
2. Spear phishing
A spear phishing attack shares the same goal as deceptive phishing, which is to trick the victim into opening a malicious link or email attachment so they’ll hand over their personal data.
In a spear phishing scheme, however, cybercriminals target specific individuals instead of casting wide nets. Spear phishing emails greet targets by name and mention information that’s particular to them, such as their organisation, job title, mobile number, and other information they can find on social media platforms. This makes the scam look more convincing.
Last year, software company Armorblox came across a phishing attempt designed to trick recipients into opening what seemed to be a financial report. Once opened, however, a user would be redirected to a fake Office 365 login page that had the user’s email address pre-filled in the username field. If they enter their password, their credentials would be stolen.
To protect against spear phishing attacks, regularly conduct cybersecurity awareness training programs that discourage employees from posting sensitive personal or corporate data on social media. Your IT department must also regularly maintain your cybersecurity solutions to prevent, identify, and respond to ever-evolving spear phishing threats.
3. CEO fraud
CEO fraud happens when attackers abuse the compromised or imitated email account of a high-ranking company official to wire money to a fraudulent bank account.
Back in 2019, a man was sentenced to five years in jail for stealing $122 million from two US firms. The scammer sent out fake invoices while impersonating a legitimate Taiwanese company. Since neither of the two companies’ accounts departments did not flag the request as fraudulent, the victims wired the money to the attacker.
To reduce the risk of CEO fraud attacks, you need to have a multilayered approach to security. Some must-have solutions include:
- Anti-spam and anti-malware programs: These may prevent CEO fraud emails from landing in your employees’ inboxes.
- DNS authentication platforms: These can determine whether an email sent from a certain domain is legitimate or fraudulent.
- Anti-impersonation software: These programs block CEO fraud attacks by identifying known social engineering techniques used by attackers.
Finally, make sure that all of your employees participate in your cybersecurity awareness training programs to ensure that everyone knows what to do in case of a CEO fraud attack.
4. Smishing
Smishing, or SMS phishing, uses text messages to trick recipients into opening a malicious link or providing personal information. These messages typically claim that the recipient’s bank account has been locked or that they won a prize.
In fact, a smishing attack was discovered last year wherein fraudsters tried to trick people into thinking that they had been chosen to test the new iPhone. If the unsuspecting recipient clicked on the attached link, they would be asked to pay a delivery charge to receive the phone. However, this is only a ruse to steal financial information from the user.
Stay vigilant when it comes to smishing attacks. Remember that reputable companies will never directly contact you via text message to request sensitive information. If you know that your online accounts have not been infiltrated or didn’t join any contest, do not reply to the messages and report them to the Federal Trade Commission.
5. Vishing
Vishing, or voice phishing, involves attackers making phone calls claiming to be from government agencies or legitimate companies to steal sensitive information. According to the IRS, almost 400 vishing scams were reported in 2020, a 14% increase from the previous year.
Last year, county authorities in the US state of Virginia warned people about the dangers of Social Security number vishing scams. The Montgomery County Sheriff’s Office received numerous complaints from people who had been called by fraudsters, telling them that their Social Security numbers had been suspended and that their bank accounts would be seized unless they verified their data.
To protect your business from vishing attacks, always confirm the legitimacy of calls and be sceptical of those that ask for your personal data. Remember that government agencies and companies will never call you to request for immediate payment or seize your bank account unless you provide confidential information.
Need help keeping phishing attacks at bay for your business? Austin Technology can help. We will monitor your IT infrastructure 24/7/365 and deal with any threats before they can even take a toll on your business’s operations. Get a FREE, no-obligation consultation today.