calendar_month19/09/2021
Table of Contents
What is Phishing?
Phishing represents a criminal conduct, a subcategory of Social Engineering. A Phishing attack targets unsuspecting employees or persons and urges them to share sensitive and personal information like usernames, passwords and credit card information via trustworthy looking emails that are sent to millions of users and which evade common spam filters.
There are several types of Phishing::
Spear-Phishing
Spear-Phishing, or targeted Phishing, represents a professional form of Phishing. In a classic Phishing scenario, Emails are sent to as many recipients as possible. In contrary, Spear-Phishing targets specific organizations or even single end-users. The attackers usually engage in thorough background checks of their targets and customize the fake Emails to an extent, that makes them look trustworthy to their target. This process increases the chances of a successful attack.
Whaling
As the term whaling already suggests, this type of Phishing is also a targeted Phishing attack like Spear-Phishing, but singles out important decision makers within a company, for example C-Level-Executives and their secretaries. By attacking a high-level executive of a specific company, attackers can cause tremendous damage.
Email/Spam
The most common form of Phishing. An email is sent out to millions of recipients and the context usually urges the recipient to share sensitive information. In most cases, the context of the email also dictates some form of time pressure to persuade the user to act rash and unthoughtful. Some of the most common scenarios include the updating of personal information or activation of registered accounts. Via a fake link, the victim is transferred to a forged website, which then provides the information given by the user to the attacker and not to the intended online platform.
Vishing (Voice-Phishing)
Phishing but via the phone. This type of Phishing is not as common as the others but in return very specific and more successful than Email/Spam. The attacker usually asks the victim to call a specific, malicious number to clarify a fake scenario, whilst trying to get personal information. These attackers use fake caller-IDs and therefor present a fake sense of authenticity and trust towards the victim.
Smishing (SMS-Phishing)
Everyone in possession of a mobile phone has been a victim of Smishing. In the process of Smishing, fake and malicious SMS are sent out to a receipt, once again, trying to gain access to personal information under some amount of time pressure. In most cases, mobile device users are on-the-go and are usually prone to time pressure which makes this kind of Phishing very effective.
Top 10 Most-Clicked General E-Mail Subjects
- Password check required immediately
- Vacation Policy Update
- COIVD-19 Remote Work Policy Update
- Security Alert
- Failed Delivery
Source:: https://www.knowbe4.com/phishing
Most Poupluar Phishing Emails in 2021
- Zoom: Important Issue
- Mastercard: Confirmation – Your One-Time Password
- Facebook: Your Account has been temporarily locked
- Google: Take action to secure your compromised passwords
- Microsoft: Help us protect you – Turn on 2-step verification to protect your account
Source: https://www.knowbe4.com/phishing
How to Prevent Phishing
Understand which risks you face
This trivial looking proposal is the most important one. Important and relevant decision makers in a company need to understand that they are not only prone to Phishing attacks but to many other risks that target communication and collaboration platforms, end-user devices and the end-users themselves.
Develop and publish relevant policies
Many companies still do not own any relevant acceptable use policies for E-Mail, Web, and other IT tools. Policies should be developed to focus on legal, regulatory, and other obligations, e.g., encrypting Emails and content that contain personal information.
Keep systems up-to-date
Applications, operating systems, and infrastructure vulnerabilities allow attacker to avoid the corporate setup defenses. All applications and systems should be checked for vulnerabilities on a regular basis and should be updated with vendor provided updates if applicable.
Think, then click
Exercise a healthy amount of caution when it comes to links provided by suspicious looking emails. Use the provided link preview functionality to verify the correspondence of link name and destination.
Never share personal information
As a general rule, personal information such as usernames, passwords and credit card information should never be shared via the internet. Personal information should never be shared via links provided within emails. Never send sensitive information via email.