The five most common Phishing attacks

22 / 10 / 2021

Simply put, ‘Phishing’ is the sending of fraudulent messages designed to trick recipients into revealing sensitive information or inadvertently deploying malicious software on their systems. Attacks are becoming ever more sophisticated as aptly named ‘Bad Actors’ (cybercriminals) seek to use workplace and socially pressured situations to make us do something we shouldn’t.

Although we’re well aware of the numerous scams and threats, criminals play the ‘numbers game’ and many are caught out as millions of people and organisations are targeted every day. And once access has been gained, attackers will spend a considerable amount of time planning an attack from within.

The five most common Phishing tactics that we should all be aware of are:

Email Phishing

Using email as the main method of contact is perhaps the most common method of phishing as it continues to dominate corporate communications. Criminals use fake emails and domain names by cleverly substituting and disguising characters in the email address, such as using characters from the Cyrillic alphabet that looks very similar.

Being on the alert for fake emails and messages of all types is essential, and you should always check the message sender details - especially if you are being asked to do something you were not expecting. Criminals hope that in our time pressured world, victims will hurriedly and carelessly click on malicious attachments or links when prompted.

Spear Phishing

This is more targeted phishing activity to steal information such as account credentials and financial information from more specific victims. Criminals try to obtain information about friends, places of birth, employers, recent purchases, hobbies and interests, and by disguising themselves as a trustworthy source with believable approaches, they try to acquire sensitive data from a more targeted audience, in contrast to random phishing activity. Spear phishing criminals invest more time, planning and effort in their activity in the belief that more lucrative outcomes can be manipulated.

Whaling

Further along the cycle we find more advanced and sophisticated phishing attacks that are known as Whaling or Whale Phishing. These attacks are more targeted than spear phishing and typically focus on senior executives and more powerful, wealthy and prominent individuals. Although the end goal of whaling is the same as other types of phishing, the techniques tend to be more subtle. Victims of a whaling attacks are generally considered to be ‘big phish’ or whales. Attackers masquerading as CEOs and other c-suite executives rely on an individual’s power in an organisation to ask employees to take some action. It could be a 5pm Friday email from the CEO to a finance manager, asking them to urgently make a payment to a supplier that must be done that day. Or an instruction from the HR Director asking employees to update their information by completing the details on the link provided.

Bogus tax return scams are also a common form of whaling. Such returns contain valuable information including names, addresses, national insurance numbers and bank account information.

Smishing and Vishing

Smishing and vishing attacks use phones as their method of communication and attack. Smishing is the sending of text (SMS) messages, and operates in a similar way to email phishing. With business mobiles and smartphone access to the internet, malicious links and websites can cause as much this way as with corporate laptops – the end result is often the same. Vishing is probably the oldest form of attack and involves a telephone conversation. They are essentially the scam phone calls of old, and during and since Covid, the number of finance related attacks has grown exponentially as criminals pose as bank helpdesks and security departments, calling to help customers with issues and problems relating to their card or account.

Angler phishing

The rise of social media has led to this latest method of online cybercrime with attackers masquerading as the face of many companies that people may want to contact. Use of social media as a way to contact organisations about customer service issues has become very popular as it typically reduces the need to queue on the phone for long periods of time to speak to the right department. Fear of an adverse and highly visible public relations storm prompted many companies to invest in social media customer service, and criminals have been quick to exploit this. Users contact companies through social media can be intercepted by cyber criminals and fake links, cloned websites, posts, and tweets are all used to persuade people to divulge sensitive information or download malware. ‘Too good to be true’ retail offers on social media are also highly prevalent with bogus sites offering expensive goods at knockdown prices to unsuspecting shoppers.

Organisations can protect against attacks and the consequences of phishing by working with security partners to ensure they always have the latest and most advanced methods of protection. Whilst employee awareness and malware protection remain essential, email safeguards and brand security measures provide assurance against domain impersonation and spoofing attacks.