A phishing attack is a type of social engineering attack that malicious actors use to steal sensitive data such as login credentials and credit card information. Phishing is one of the biggest cyber threats organizations face. According to Proofpoint's 2021 State of the Phish report, 80% of organizations fell for phishing attacks in 2021. Threat actors carry out phishing attacks in several ways, so let us look at the different kinds of phishing attacks out there.
Types of phishing
Email Phishing: This type of phishing attack is delivered by email and asks you to perform some action with a sense of urgency. It will normally require you to click on a link that redirects you to a fake website requesting login credentials. These fake websites are usually cloned versions of legitimate websites, built to trick users into entering their login credentials.
Spear Phishing: This is a phishing attack targeted at a single entity. Before attackers perform this type of attack, they normally have some basic information about the victim, such as their name, place of employment, job title, email address, or specific details about their role. These phishing attacks are much more convincing because the attacker already knows something about the victim.
Whaling: Here, the attack usually targets senior executives. It commonly uses the pretext of a busy executive who wants an employee to do them a favor and normally plays on an employee’s willingness to follow instructions from their boss.
Smishing and Vishing: The medium of communication here is the telephone: smishing arrives as a text message, vishing as a voice call. A smishing message typically claims to be from your bank, alerting you to suspicious activity on your account. In the image below, the attacker sends a text telling the victim he has been involved in fraud and should follow the link to resolve the issue and prevent further damage.
Phishing attacks are nothing new; they have been around for decades. However, it is only recently that the frequency and effectiveness of phishing have skyrocketed. Now, more than ever before, businesses (and consumers) need to be on high alert when receiving emails or phone calls from people or companies they do not know. But how can you tell whether an email or phone call is a phishing scam? If you suspect an email might be a phishing attack (for example, because it asks you to give up personal information or click on a link), then it probably is. Phishing scams almost always have obvious warning signs you can spot with a bit of careful consideration. The good news is that the more aware you are of these signs, the less likely you are to fall victim to one of these malicious attacks.
Some Phishing Techniques
The sender is requesting your credentials
One of the most obvious signs of a phishing scam is an email that requests your login credentials or financial information. This is a trick malicious actors use to gain access to your sensitive information and steal your identity. If you receive an email that asks you to enter a username, password, or credit card information, it is more than likely a phishing attempt. Attackers try to get you to enter your credentials in a few different ways, including "customer service" emails from banks, utilities, or other companies you have an account with; emails from companies you have an order with asking for your login information; or emails from companies with which you do not have any kind of account.
The email asks you to click on a link
Another common phishing technique is to entice you to click on a link in the email. Threat actors often craft their emails to appear to be from a trusted source, such as your bank or credit card company. These emails may direct you to click on a link, usually to update your account information, and promise that doing so will help you avoid any problems. But that link may take you to a phishing website that steals your information or, in some cases, compromises your device as soon as the malicious page loads, with no further interaction on your part (a so-called zero-click attack). The same is true for emails from companies with which you have an account. If an email from your bank or credit card company directs you to click on a link, the best thing to do is contact them through their legitimate phone number or website to confirm that the email is authentic.
The email’s language is awkward or poorly written
Another tell-tale sign that an email is a phishing scam is awkward or poor writing. If you receive an email from a company, especially one you do business with, it will probably address you by name. Phishing emails rarely address you by name; instead they use a general salutation such as "Dear User," "Dear Customer," or even just "Hello." Phishing emails are often written in an overly formal or corporate style, which is typically a clear sign that something is amiss. Likewise, the tone of the email may sound off, or the language may be riddled with spelling and grammatical mistakes.
You are unfamiliar with the sender
Another red flag is if you do not recognize the sender of the email. If you receive an email from a company with which you do not do business, scrutinize it before taking any action; if the company has a wrong address or contact name, or if the email is from a person you do not know, it is likely a phishing scam. If you have an account with a company, but the name of the person emailing differs from the one listed on your account, it may be a phishing attack.
You were not expecting the email, or it replies to a request you never made
Finally, a sure-fire sign that an email is a phishing attempt is that you were not expecting it, or it arrives as a response to a request you never made. Companies will not send you an email out of the blue and expect you to know what they want. If you are expecting an email from a company but do not receive it, you should not send them an email asking when to expect it. Always be careful when receiving unexpected emails from companies; if there is something you need to do or update, they will probably contact you through another means, such as a phone call or postal mail.
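The warning signs listed above (a credential request, an embedded link pointing somewhere other than the sender's domain, a generic salutation, an unfamiliar sender, and urgent wording) can be checked mechanically before a person ever reads the message. The script below is an added example written for this article, not code from the author; it scores two constructed sample emails against those signs. The allowlist of known senders and the keyword lists are assumptions for the example and would come from an organization's own contact data and mail-filter tuning in practice.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Email:
    sender: str
    subject: str
    body: str


# Constructed allowlist of senders the recipient already corresponds with.
KNOWN_SENDERS = {"alerts@examplebank.com", "orders@example-shop.com"}

# Salutation with no name after it (e.g. "Dear Customer," or a bare "Hello,").
GENERIC_SALUTATION_RE = re.compile(
    r"^(dear\s+(user|customer|valued\s+customer|account\s+holder|sir(/madam)?)"
    r"|hello|hi|greetings)\s*[,!.]?$"
)
CREDENTIAL_TERMS = ("password", "username", "log in", "login", "credit card",
                    "card number", "verify your account")
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended",
                 "act now", "prevent further")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sender_domain(address: str) -> str:
    """Domain part of an email address, lowercased ('' if malformed)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def link_hosts(body: str) -> set:
    """Hostnames of every http(s) URL in the body, trailing punctuation stripped."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url.rstrip(".,;:!?)")).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def check_email(mail: Email, known_senders=KNOWN_SENDERS) -> dict:
    """Return one boolean per warning sign from the article."""
    text = f"{mail.subject}\n{mail.body}".lower()
    first_line = next((ln.strip().lower() for ln in mail.body.splitlines()
                       if ln.strip()), "")
    hosts = link_hosts(mail.body)
    own = sender_domain(mail.sender)
    # A link is "off-domain" unless it is the sender's domain or a subdomain of it.
    off_domain = {h for h in hosts if not (h == own or h.endswith("." + own))}
    return {
        "requests_credentials": any(t in text for t in CREDENTIAL_TERMS),
        "contains_link": bool(hosts),
        "link_domain_mismatch": bool(off_domain),
        "generic_salutation": bool(GENERIC_SALUTATION_RE.match(first_line)),
        "unknown_sender": mail.sender.lower() not in {s.lower() for s in known_senders},
        "urgent_language": any(t in text for t in URGENCY_TERMS),
    }


def risk_score(findings: dict) -> int:
    """Simple count of triggered signs; weighting is left to the deployer."""
    return sum(1 for hit in findings.values() if hit)


def verdict(mail: Email, threshold: int = 3) -> tuple:
    findings = check_email(mail)
    label = "likely phishing" if risk_score(findings) >= threshold else "low risk"
    return label, findings


# Constructed samples: one phishing lure, one routine notification.
PHISH = Email(
    sender="security@examplebank-alerts.xyz",
    subject="Urgent: suspicious activity on your account",
    body="Dear Customer,\n\nWe detected suspicious activity on your account. "
         "Confirm your username and password within 24 hours at "
         "http://examplebank-secure.xyz/verify to prevent further damage.\n",
)
LEGIT = Email(
    sender="orders@example-shop.com",
    subject="Your order #1042 has shipped",
    body="Hello Alice,\n\nYour order has shipped and should arrive on Thursday. "
         "You can track it at https://www.example-shop.com/track/1042. "
         "No action is needed.\n",
)

if __name__ == "__main__":
    for name, mail in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        label, findings = verdict(mail)
        print(f"{name}: {label} (score {risk_score(findings)})")
        for sign, hit in findings.items():
            print(f"  {sign:22} {'YES' if hit else 'no'}")
```

The phishing sample trips all six signs, while the shipping notice trips only "contains a link" (its link stays on the sender's own domain and it greets the recipient by name). A threshold of three is an arbitrary starting point; in a real mail filter each sign would be weighted and the allowlist would be maintained from actual correspondence history.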
Author: Enock Augustt | Penetration Tester | Member, IIPGH
For comments, contact email [email protected] or Mobile: +233 (25) 686-7366