October is recognized as National Cybersecurity Awareness Month, an initiative established by the President of the United States and Congress in 2004. This year, the 20th annual Cybersecurity Awareness Month will focus on key behaviors that can help individuals and organizations enhance their digital safety. One of these critical behaviors is the ability to recognize and report phishing incidents.
As we delve into this topic, remember, knowledge is power. Understanding phishing and social engineering techniques can significantly reduce the risk of falling victim to these nefarious activities.
What is Phishing?
Phishing is a deceptive practice employed by cybercriminals where they mimic trusted entities to trick victims into sharing sensitive information. This information could range from personal details, financial data, to login credentials of business accounts. Phishing is a form of social engineering, where manipulation and persuasion are used to achieve the desired outcome.
Phishing attacks often leverage email or malicious websites, convincing users that they are interacting with a legitimate, trustworthy organization. For instance, an attacker might send an email that appears to be from a well-known credit card company or a financial institution, suggesting an issue with the user's account. When the user responds with the requested information, the attacker can use it to gain unauthorized access to the accounts.
Understanding Social Engineering
While phishing is a subset of social engineering attacks, the concept of social engineering extends beyond the digital world. Social engineering is a tactic that manipulates individuals into performing actions or divulging confidential information. It's a strategy that relies heavily on human interaction and often involves tricking people into breaking standard security procedures.
Social engineering attacks can take many forms, including in-person interactions. An individual might pose as a new employee, a repair person, or a researcher, asking seemingly innocent questions that can piece together enough information to infiltrate an organization's network.
Different Types of Phishing Attacks
Phishing is not a one-size-fits-all approach. Cybercriminals employ various strategies to carry out their malicious activities. Here are some common types of phishing attacks that use social engineering techniques:
Business Email Compromise (BEC): BEC attacks involve cybercriminals hacking or spoofing the email accounts of a trusted business to fraudulently acquire money or sensitive data from a different firm. In non-technical terms, a BEC attack is a kind of con in which the con artist pretends to be a trusted business partner to trick you into handing over your company's money.
One major example of a BEC attack that occurred in the last three years is the $46.7 million vendor fraud against Ubiquiti Networks in 2020. In this incident, scammers impersonated a vendor of Ubiquiti, tricked the company's employees into believing that they owed money to the vendor, and successfully persuaded them to transfer the funds.
Spear Phishing: Spear phishing is a highly targeted, well-researched attack. The attacker uses information about their target to craft a malicious message that the target will find particularly compelling.
A prominent example of a spear-phishing attack is the case of a Lithuanian national, Evaldas Rimasauskas, who cheated Google and Facebook out of over $100 million. This scam is considered to be the largest social engineering attack ever recorded. Rimasauskas impersonated a trusted vendor that both tech giants frequently did business with and convinced the companies to wire funds to bank accounts he controlled. He studied the companies, learned who they did business with, and impersonated one of those businesses to mount his attack. That's why spear-phishing attacks are considered a subset of phishing attacks - they're more targeted and use information about the target to make the attack more convincing.
Angler Phishing: Angler phishing is where cybercriminals disguise themselves as customer service agents on social media to obtain personal information or account credentials under the guise of resolving the victim's grievances.
Most recently, scammers created fake customer support accounts for PayPal on Twitter. When customers tweeted about problems they were having with their accounts, the scammers would respond from the fake accounts, offering to help. They would then direct the customers to a malicious website that mimicked PayPal's real site, tricking them into entering their login credentials. This technique allowed the scammers to gain unauthorized access to the victims' accounts. Just like other phishing attacks, the primary goal of angler phishing is to trick unsuspecting individuals into revealing sensitive information. However, in the case of angler phishing, the deception occurs on social media and involves a more targeted approach.
Brand Impersonation: In this attack, cybercriminals impersonate a trusted brand to trick victims into responding and disclosing personal and sensitive information.
In 2020, Zoom was targeted by cybercriminals for a brand impersonation attack. Fraudsters spoofed the brand Zoom in a credential phishing attack to steal victims' Microsoft user information. In simple terms, impersonating a trusted brand like Zoom, the fraudsters created fake emails or login pages that looked like the real thing. They sent these to unsuspecting users, who, believing they were interacting with Zoom, entered their login details. These details were then captured by the fraudsters, giving them access to the victims' Microsoft accounts.
Spotting Phishing Attempts
Recognizing phishing attempts is an essential skill in maintaining cybersecurity. Here are some common indicators of phishing attempts:
Suspicious sender's address: The sender's address may mimic a legitimate business but often uses an email address that closely resembles one from a reputable company by altering or omitting a few characters.
Generic greetings and signature: A generic greeting such as "Dear Valued Customer" or a lack of contact information in the signature block are strong indicators of a phishing email.
Spoofed hyperlinks and websites: The links in the body of the email may not match the text that appears when hovering over them, indicating a spoofed link.
Poor spelling and layout: Misspellings, inconsistent formatting, and poor grammar and sentence structure are other indicators of a potential phishing attempt.
Suspicious attachments: An unsolicited email requesting a user to download and open an attachment can be a common way for malware to get introduced into your system.
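Three of the indicators above (a lookalike sender domain, link text that disagrees with the address it actually points to, and an unsolicited attachment) can be checked mechanically. The following is an added example, not code from the original article: it uses only the Python standard library, and the trusted-domain allowlist and the sample message are constructed for the illustration.

```python
from difflib import SequenceMatcher
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"paypal.com", "zoom.us"}  # assumed allowlist of genuine sender domains
def lookalike_of(domain: str):
    """Trusted domain that `domain` imitates by altering or omitting a few characters, else None."""
    return next((t for t in TRUSTED if domain != t and SequenceMatcher(None, domain, t).ratio() >= 0.8), None)

class LinkCollector(HTMLParser):  # gathers (href host, visible anchor text) pairs from HTML
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((urlparse(self._href).hostname or "", self._text.strip()))
            self._href = None

def phishing_indicators(msg: EmailMessage) -> list:
    """Return human-readable findings for the indicators above; an empty list means none fired."""
    findings = []
    sender = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    if target := lookalike_of(sender):
        findings.append(f"sender domain {sender} resembles {target}")
    if (html := msg.get_body(preferencelist=("html",))) is not None:
        parser = LinkCollector()
        parser.feed(html.get_content())
        for host, text in parser.links:
            shown = urlparse(text).hostname if "://" in text else None  # only compare URL-like text
            if shown and shown.lower() != host.lower():
                findings.append(f"link text {shown} points to {host}")
    findings += [f"unsolicited attachment {p.get_filename()}" for p in msg.iter_attachments()]
    return findings

def sample_message() -> EmailMessage:  # constructed phishing-style message, not a real email
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "PayPal Support <service@paypa1.com>", "user@example.net", "Action required"
    m.set_content("Dear Valued Customer, your account is limited. See the attached invoice.")
    m.add_alternative('<p>Verify at <a href="https://login.paypa1-verify.example/">'
                      'https://www.paypal.com/</a></p>', subtype="html")
    m.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="invoice.pdf")
    return m
```

Running `phishing_indicators(sample_message())` reports all three indicators; a real mail gateway would feed parsed messages into the same function and route anything with findings to quarantine or to the reporting workflow described below.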
How to Avoid Falling Victim to Phishing
The first line of defense against phishing is vigilance. Here are some steps you can take to avoid falling victim to phishing:
Verify the Source: If an unknown individual claims to be from a legitimate organization, verify his or her identity directly with the company.
Don't Reveal Personal Information: Do not provide personal or sensitive information unless you are certain of the person's authority to have the information.
Avoid Clicking on Links: Do not click on links sent via email. Instead, manually type the URL into your web browser.
Check Website Security: Before sending sensitive information over the internet, check a website's security. Look for URLs that begin with "https", an indication that the connection to the site is encrypted.
What to Do If You Suspect a Phishing Attack
If you suspect you have received a phishing email or text, there are steps you can take to reduce potential damage:
Do Not Respond: Do not respond to the email or text.
Report the Attempt: Forward phishing emails to firstname.lastname@example.org, an address used by the Anti-Phishing Working Group.
Alert Your IT Department: If you're at work, alert your IT department about the suspected phishing attempt.
What to Do If You Fall Victim to a Phishing Attack
If you believe you have fallen victim to a phishing attack, don't panic. Here's what you can do:
Change Your Passwords: Immediately change any passwords you think may have been compromised.
Monitor Your Accounts: If your financial accounts may have been compromised, contact your financial institution immediately and watch for any unexplainable charges to your account.
Report the Attack: Report the attack to the police, and file a report with the Federal Trade Commission.
Strengthening Your Cybersecurity
While recognizing and reporting phishing incidents is crucial, it's just one aspect of maintaining robust cybersecurity. Here are some additional measures to consider:
Regular Data Backup: Regularly back up your data and ensure your backups are not connected to your main network.
Anti-virus Software: Install and maintain anti-virus software, firewalls, and email filters to reduce malicious traffic.
Employee Training: Regularly train your staff about the dangers of phishing and how to spot potential attacks.
Partnering with Professionals
Cybersecurity is complex and ever-evolving. Partnering with cybersecurity professionals can provide you with the expertise and resources needed to stay ahead of cyber threats.
Contact Quantum Vigilance
At Quantum Vigilance, we take cybersecurity seriously. Our team of professionals is dedicated to helping you understand, navigate, and mitigate the risks associated with phishing and other cyber threats.
Whether you need help developing a comprehensive cybersecurity strategy, training your staff, or responding to a suspected phishing incident, we're here to help. Contact Quantum Vigilance today and let us guide you to a safer, more secure digital future.