Most people assume that phishing is exclusive to the cyberspace, when in fact it can occur in almost any given capacity outside of the digital environment. When we understand how the deception works, this will make more sense. However, besides the basic introduction to the topic, this post will exclusively focus on the scam being carried out through digital networks and systems.
Phishing is an attempt to gain sensitive information while posing as a trustworthy contact. With this explanation, it's clear that the deceptive behaviour has been going on for centuries, if not thousands of years. Criminals have been using the art of impersonation to dupe individuals and businesses for as long as we remember, so it's nothing new. However, the term became ubiquitous among information security circles, and it has been that way ever since.
Phishing is a basic form of social engineering where various methods are used to manipulate people, to extract data like usernames, passwords, and financial information on credit cards. It can be carried out in many ways, but we'll be discussing the most common strategies that trick businesses today.
In many ways, email is the preferred vehicle of choice for most criminals. It has worked in the past, and it still works today. That Nigerian prince who contacted you hasn't been truthful in any way, and people haven't caught on to that fact. Revised and revamped approaches of the scam now appear on social media, in addition to emails, and these scammers exploit people's vulnerabilities to gather sensitive information.
In a business context, a third party is most likely to impersonate a colleague or manager, scavenging their online profiles on websites and social media to construct an accurate representation to deceive employees. Emails are most likely to have wording mimicking those of your colleagues, along with the appropriate logos and signatures you're familiar seeing on a daily basis.
These are some practices you can follow to be wary of these attacks.
• If it's too good to be true, it probably is. Only a handful of individuals will request personal information from you in an organisation.
• Be mindful of email addresses with slight variations.
• Share attachments over file-sharing platforms as opposed to emails.
Forms and websites
With some types of phishing, a criminal will create an entire website or login form that is fake. The pages will use the necessary logos, security certifications, and similar-seeming URLs to copy those of banks or other institutions you might divulge personal information to.
One of the more prominent techniques is pharming, where a scammer redirects you to a fake version of a legitimate website. Your computer is infected with malware, so whenever you try to go to the legitimate site, you're redirected to the fake one.
While businesses become more educated in tackling the problem, criminals are also becoming sophisticated in their approaches. Most recently, there has been a growth in spear phishing attempts, where the criminal targets a specific individual or company using information that is specific to the victim.
A subcategory of spear phishing is whaling, where the target is in a senior management position. Criminals engaged in this method are after larger sums of money, so they spend more time on researching the company and the victim, crafting a duplicitous strategy that might involve payments to banks or vendors.
Other methods rely on voice calls (vishing) and SMS (SMShing), but the more noteworthy setups involve establishing an evil twin Wi-Fi network to intercept all communications and data from your business, and cloning. With cloning, A criminal uses an already compromised system of an employee to send malicious links, emails, and other communications.
• The first step is having a gateway filter for emails to combat massive scamming campaigns.
• Your mail server should have an email authentication standard to verify incoming messages, such as the Sender Policy Framework.
• A web security gateway is another great measure that checks URLs through a database of suspected malware-distributing websites.
• Employees should engage in training and awareness programs to be informed of the latest threats and how to avoid them.
• Follow the government's Scamwatch website for the latest updates and developments in the cybersecurity space.
Despite a long history of deceiving people in multiple ways online, phishing is still the bread and butter of cybercriminals. Implementing the above strategies should help, but it's always better to know how your employees will react when an actual threat appears.
At Triskele, we offer a Managed Simulated Phishing Service that goes beyond awareness training. We'll test your staff using simulations to see if they're susceptible to outside scams, helping you strengthen your defences should a real threat come along.