PHISHING

swarnakarthikhars
Reflect Security Solutions
4 min read · Jul 9, 2022

Phishing is a type of cyber attack in which malicious actors send messages pretending to come from a trusted person or organization. The goal is usually to get the recipient to reveal financial information, system credentials or other sensitive data, or to open a link or attachment that installs malware.

Cyber criminals use phishing emails because it’s easy, cheap and effective. With little effort and little cost, attackers can quickly gain access to valuable data. Those who fall for phishing scams may end up with malware infections (including ransomware), identity theft, and data loss.

Phishing attack examples

The following illustrates a common phishing scam attempt:

  • A spoofed email ostensibly from myuniversity.edu is mass-distributed to as many faculty members as possible.
  • The email claims that the user’s password is about to expire. Instructions are given to go to myuniversity.edu/renewal to renew their password within 24 hours.

Several things can occur by clicking the link. For example:

  • The user is redirected to myuniversity.attacker.com, a bogus page that looks exactly like the real renewal page and asks for both the current and the new password. Although the name begins with "myuniversity", the host is a subdomain of attacker.com, a domain the attacker controls. The attacker, monitoring the page, captures the current password and uses it to log in to protected areas of the university network.
  • The link points to the genuine password renewal page, but it carries a script in a URL parameter that the page reflects back into its HTML without sanitizing it. The script runs in the user's browser in the context of myuniversity.edu, reads the session cookie and sends it to the attacker, who can then act as the logged-in user. This is a reflected XSS attack delivered by phishing: the victim lands on the real site, which is exactly why it is hard to spot.

There are many types of phishing, including spear phishing, voice phishing (vishing), pharming, SMS phishing (smishing), and pop-up phishing.

Spear Phishing

Spear phishing is a targeted attack on one victim or a small, chosen group, typically tailored with details about the target such as name, role, colleagues or current projects, whereas regular phishing is sent to masses of people in the hope that some of them fall for it.

Voice Phishing/Vishing

Voice phishing, or vishing, is phishing conducted over the telephone. People have traditionally treated phone calls, especially from landline numbers, as trustworthy, and attackers exploit that trust (often spoofing the caller ID): the caller impersonates a bank, a vendor or the IT helpdesk and talks the victim into handing over confidential information such as account numbers, one-time codes or passwords.

Pharming

Pharming redirects users to a malicious site without their clicking a link in a message. The attacker tampers with name resolution (for example by poisoning a DNS cache or editing the hosts file on the victim's machine) or hijacks the user's browser settings, so that typing the legitimate address lands the user on a fake site that looks like the real one. Because the address bar shows the name the user expects, pharming is harder to notice than a spoofed link.

SMS Phishing

Smishing, or SMS phishing, is phishing delivered by text message. The message lures the victim into revealing account information or installing malware, usually through a shortened link that hides the real destination.

Pop up Phishing

Pop-up phishing is a scam in which pop-up windows or ads, typically fake virus warnings, trick users into installing malware on their computers or into buying antivirus protection they don't need.

Other common phishing types include:

Evil Twin Phishing

An evil twin is a fraudulent Wi-Fi access point that appears to be legitimate (it often copies the name of a nearby real network) but is set up to eavesdrop on the traffic of anyone who connects, or to present a fake login portal that harvests credentials. The evil twin is the wireless LAN equivalent of the phishing scam.

Watering hole Phishing

A watering hole attack is a security exploit in which the attacker seeks to compromise a specific group of end-users by infecting websites that members of the group are known to visit. The goal is to infect a targeted user’s computer and gain access to the network at the target’s workplace.

How can we identify a phishing message?

1. Verify the sender: look at the actual email address, not just the display name, and compare the domain with the one the organization really uses.

2. Grammatical errors or language that is uncharacteristic of the supposed sender.

3. Requests for login credentials; legitimate services do not ask for passwords by email.

4. Requests to click unverified links; hover over a link to see where it really points before clicking, and type known addresses into the browser yourself instead.

5. Slightly misspelled sender names or domains: attackers register domains that differ from the real one by a character or two, or place the trusted name in a subdomain of a domain they control (myuniversity.attacker.com).

6. Urgency and threats ("within 24 hours", "your account will be suspended") that push the reader to act before thinking.

7. Bulk sending: the message is addressed to many recipients or to no one in particular ("Dear user") rather than to you by name.
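As an added worked example (not code from the original post or from Reflect Security), the following Python script applies several of the checks above, and the checks implied by the myuniversity.edu scenario earlier, to a constructed email. It reads the SPF/DKIM/DMARC verdicts that the receiving mail server recorded in the Authentication-Results header, compares the envelope sender (Return-Path) with the From domain, and classifies every link in the body against the domain the message claims to come from: it flags the trusted name used as a subdomain of attacker.com, a combined name such as myuniversityedu.com, and a one-character typosquat. The sample message, its header values, the function names and the two-label "registrable domain" rule are all assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email). The Authentication-Results
# header mimics what a receiving mail server adds after checking SPF/DKIM/DMARC.
SAMPLE_EMAIL = """\
From: IT Helpdesk <helpdesk@myuniversity.edu>
Return-Path: <bounce@myuniversity-alerts.com>
To: faculty@myuniversity.edu
Subject: Your password expires in 24 hours
Authentication-Results: mx.myuniversity.edu;
 spf=fail smtp.mailfrom=myuniversity-alerts.com;
 dkim=none;
 dmarc=fail header.from=myuniversity.edu
Content-Type: text/plain; charset=utf-8

Your password expires in 24 hours. Renew it at
https://myuniversity.attacker.com/renewal (or the mirror
http://myuniversityedu.com/login) before access is suspended.
Questions? See https://www.myuniversity.edu/helpdesk
"""

URL_RE = re.compile(r"""https?://[^\s<>"')]+""")


def registrable_domain(host):
    """Last two labels of a hostname: 'myuniversity.attacker.com' -> 'attacker.com'.
    Simplification (assumption): real tooling should use the Public Suffix List
    (e.g. the tldextract package) so that 'example.co.uk' is not reduced to 'co.uk'."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch typosquats such as myuniverslty.edu."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate, trusted):
    """True if candidate imitates trusted: the brand label is within two edits
    (heuristic; tune the threshold for very short brand names), or the whole
    trusted name is squeezed into the candidate (myuniversity.edu -> myuniversityedu.com)."""
    if candidate == trusted:
        return False
    if levenshtein(candidate.split(".")[0], trusted.split(".")[0]) <= 2:
        return True
    return trusted.replace(".", "") in candidate.replace(".", "")


def analyze_url(url, trusted):
    """Classify one link against the domain the message claims to come from."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg == trusted:
        return "ok"
    if is_lookalike(reg, trusted):
        return "lookalike domain"
    if trusted.split(".")[0] in host.split("."):
        return "trusted name used as a subdomain of " + reg
    return "link domain differs from sender domain"


def analyze_message(raw):
    msg = message_from_string(raw, policy=policy.default)
    from_dom = parseaddr(str(msg.get("From", "")))[1].split("@")[-1].lower()
    rp_dom = parseaddr(str(msg.get("Return-Path", "")))[1].split("@")[-1].lower()

    # SPF/DKIM/DMARC verdicts as recorded by the receiving server.
    auth_hdr = str(msg.get("Authentication-Results", ""))
    auth = {k.lower(): v.lower()
            for k, v in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", auth_hdr, re.I)}

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    links = {}
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;")
        links[url] = analyze_url(url, from_dom)

    result = {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        # A mismatch is only a weak signal on its own (mailing lists, bulk senders).
        "envelope_mismatch": bool(rp_dom) and rp_dom != from_dom,
        "auth": auth,
        "dmarc_pass": auth.get("dmarc") == "pass",
        "links": links,
    }
    result["suspicious"] = (not result["dmarc_pass"]) or any(v != "ok" for v in links.values())
    return result


if __name__ == "__main__":
    for key, value in analyze_message(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Running the script prints each signal and an overall "suspicious" verdict for the sample. One caveat a practitioner should keep in mind: an Authentication-Results header is only meaningful when your own mail server added it. An attacker can put a forged one in the message, so production tooling checks the authserv-id (mx.myuniversity.edu above) and strips any such header arriving from outside at the mail gateway.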

How to prevent phishing?

1. Educate your employees about phishing. Take advantage of the phishing simulation exercises to educate and identify phishing risks.

2. Use proven security awareness training and phishing simulation platforms to keep employees’ phishing and social engineering risks top of mind. Create internal cyber security heroes committed to keeping your organization cyber secure.

3. Remind your security leaders to regularly monitor employee phishing awareness with phishing simulation tools. Take advantage of phishing microlearning modules to educate, train, and change behaviour.

4. Provide ongoing communication and campaigns about cyber security and phishing. Back them with strong password policies and multi-factor authentication, so that a phished password alone does not grant access, and remind employees about the risks that arrive in the form of attachments, emails and URLs.

5. Establish network access rules that limit the use of personal devices and the sharing of information outside of your corporate network.

6. Keep all applications, operating systems, network tools and internal software patched and securely configured. Install malware protection and anti-spam filtering, and have the mail gateway check sender authentication (SPF, DKIM and DMARC) so that spoofed messages are rejected or flagged before they reach users.

How can we help?

Reflect helps you conduct phishing simulation exercises within your organization. They are one of the most effective ways to raise awareness of phishing risks and to identify which employees are most at risk of being phished.

Phishing simulation allows you to incorporate cyber security awareness into your organization in an interactive and informative format.

Real-time phishing simulations are a fast and effective way to educate people and raise their alertness to phishing attacks. People see first-hand how phishing happens and how fake websites, malware and the various types of phishing are used to steal personal and corporate information.

To know more about our services, please contact info@reflectsecurity.com. Also, subscribe to our newsletter to know more about cyber security and the latest trends.
