Published on : 08 June, 2018
Phishing accounted for 48 per cent of all cyber-attacks in Q1 of 2018. India is among top 3 countries most targeted for phishing.
It’s important that all Organisations and Individuals should know how to spot and protect themselves from some of the most common phishing scams.
The most common type of phishing scam, deceptive phishing refers to any attack by which fraudsters impersonate a legitimate
company and attempt to steal people’s personal information or login credentials. Those emails frequently use threats and a
sense of urgency to scare users into doing the attackers’ bidding.
Two-factor verification can be used to protect yourself. You should also always look for tell-tale signs such as
grammar and spelling mistakes throughout the email or broad addressing terms.
In Spear phishing scams, fraudsters customize their attack emails with the target’s name, position, company, work phone
number and other information in an attempt to trick the recipient into believing that they have a connection with the sender.
According to the SANS Institute, 95% of all attacks on enterprise networks are the result of successful spear phishing.
To protect against this type of scam, organizations should conduct employee security awareness training that,
among other things, discourages users from publishing sensitive personal or official information on social media.
Whaling / CEO Fraud:
Whaling is an attempt to go after the “big fish.” First attackers will target high-level employees and executives to gain
access to their email accounts or spoof them. If they’re able to do that, it puts the entire business at risk.
Whaling attacks work because executives often don’t participate in security awareness training with their employees.
To counter that threat, as well as the risk of CEO fraud, all company personnel – including executives – should undergo
security awareness training. Organizations should also consider amending their financial policies, so that no one can
authorize a financial transaction via email.
The term "vishing" is a socially engineered technique for stealing information or money from consumers using the telephone network.
The term comes from combining "voice" with "phishing," which are online scams that get people to give up personal information.
Technique used in this case is Caller ID spoofing in VoIP. It might appear that someone close to the corporation is calling or
like an important outside entity like a bank or the Income Tax Department.
Be suspicious of all unknown callers. People should be just as suspicious of phone calls as they are of e-mails asking
for personal information. Register your number with the National Do Not Call Registry to avoid unnecessary promotional
and fraud calls.
Similar to Vishing, SMiSHing is done over the phone but in the form of text messages. These can be extremely wide-reaching as the
scammer can send out bulk amounts of the same text to many different numbers. Sometimes, the scammer attempts to trick people into
believing that they’ve won a contest. They will then attempt to get the person’s information either by a link in the text or a prompt
to call a number.
Never click a reply link or phone number in a message you're not sure about.
Pharming, a type of attack that uses Domain Name System (DNS) cache poisoning. By using cache poisoning, an attacker changes the IP
address associated with a website name and redirects it to a malicious website.
The best way to protect against pharming is only to use HTTPS protected and secured sites when entering personal information.
Dropbox, a file-sharing platform is particularly interesting to scammers looking for personal information. A Dropbox phishing attack
uses an email that appears to be from the website and prompts the victim to log in. Then, this information is logged by the attacker
and used to log in to the victim’s Dropbox. This often gives them the ability to access private files and photos as well as to take
the account hostage.
In the same way Google Docs platform is attacked to steal personal information.
This type of attack is best prevented against by enabling two-factor verification.
Phishing is constantly evolving to adopt new forms and techniques. With that in mind, it’s imperative that organizations conduct
security awareness training on an ongoing basis so that their employees and executives stay on top of emerging phishing attacks.