The internet can be a dangerous place. There are several types of phishing attacks, which are just one form of cybercrime.
A phishing attack takes place when a criminal pretends to be someone they’re not to trick people into giving over their personal information, such as their credit card details. However, there are plenty of different ways that phishing can take place, with plenty of variations that scammers use over and over again to lure in their victims.
These phishing attacks are becoming increasingly sophisticated and recurring more and more often. Scammers are also using new and inventive methods for stealing information through phishing attacks. That’s why it’s so vital that people learn more about what phishing is, what it can look like, and how they can prevent an attack from happening to them.
Below is a list of different types of phishing and how you can prevent them:
Email phishing is also known as deception phishing. It’s probably the most common form of phishing attack. To perform the fraud, the criminal pretends to be somebody they’re not. They often impersonate a well-known brand or organization to send emails to potential victims.
These emails usually have dangerous links that, if pressed, take the client to websites that steal their credentials or install malware onto the user’s computer.
Often, these websites look very professional. In fact, they look almost identical to the actual brand and visuals of the company or organization they’re impersonating. The emails also tend to present a sense of urgency. This is used to create a heightened sense of immediacy that then leads the victim into acting before they have time to think better of it.
Once a victim’s credentials are inputted, little can be done, as these are pretty much sent directly to the criminal, who then has access to the identity and bank information of the victim. Your company should schedule recurring emails as reminders to look out for phishing so that employees don’t forget to stay vigilant.
How to prevent email phishing
The best way to prevent email phishing from happening to you is by learning the key aspects of this type of cybercrime so that you can identify and avoid falling into a criminal’s trap.
The biggest indicator of email phishing is incorrect information and a lack of good spelling, punctuation, and grammar. Phishing emails tend to be riddled with spelling mistakes and email addresses with incorrect domains. If you can spot any mistakes, then this is a good sign you should steer clear from clicking on any links, especially if they’re offering promotions or discounts.
Another indicator that a lot of people don’t know about is links that are very short. Short links are employed to fool Secure Email Gateways and should, therefore, serve as a red flag that the link isn’t safe.
Rather than sending emails out to as many accounts as they can get their hands on, cybercriminals send out malicious emails to very specific individuals within an organization.
This method actually targets specific employees at predetermined companies. For instance, if you work for a company that creates online courses, specific emails targeting course creators, maybe even referencing you and some of your courses by name, might be sent to you.
As a result, emails employing the spear-phishing method tend to be a bit more personalized to trick the victim into thinking the email sender has a professional relationship with them. They use full names, work telephone numbers, and even job functions to trick the victim.
Criminals gather this information through (OSINT), Open-source intelligence, to harvest information from published sites that are open to the public and usually associated with the company being frauded, such as social media accounts.
Suppose you’re only just learning how to scale a partner program and are beginning to employ multiple platforms (including social media) in your or your business’s marketing strategy. In that case, you should be particularly careful about spear phishing.
How to prevent spear phishing
In order to identify, and thereby prevent, spear phishing, you should look out for the distinct red flags outlined below.
Look out for links that are supposedly redirecting you to a shared drive, such as Google Suite or Dropbox, because these can redirect you to malicious websites.
Further, often criminals will attempt to gain your credentials by asking you to insert a username and password to access a document. If the email seems untrustworthy, do not enter any of your professional login details. It’s likely a scam to gain crucial information about yourself and the company you work for.
Lastly, look out for strange requests from people who supposedly work for your company, but say, in a different department. If someone is asking you to do something that seems out of the ordinary or not tied to their or your job description, this is potentially a scam, and you should definitely double check before you follow through with the request.
Vishing, short for voice phishing, takes place when an attacker calls a victim’s number and asks them to take action, usually in a highly harmful way for the unknowing individual. Commonly, a sense of heightened urgency is used to propel the victim into action, and criminals tend to exploit stressful periods when a company is most busy to set up these calls.
These calls often come from what is meant to be a legitimate institution, such as a government branch or bank. An automated voice message is played, attempting to trick the victim into giving away sensitive information.
A VoIP for call centers could help manage vishing threats. But either way, vigilance over phone calls in the workplace should be a priority.
How can you identify and prevent vishing?
Key areas to look out for when it comes to voice phishing include unfamiliar caller ID, calls coming from unusual locations, or blocked numbers.
Alongside this, be particularly vigilant when you receive calls that coincide with stressful work seasons and times when your workload is particularly heavy.
Lastly, as always, be wary of people asking you to complete an action, especially if it involves you handing over sensitive information. Remaining vigilant and managing calls isn’t easy, especially if you’re very busy and stressed. But it’s important to stay alert to potential vishing threats.
Similar to vishing, smishing, or SMS phishing, involves employing the same exact behavior, but through text messages instead of phone calls. Like email phishing, cybercriminals send messages from apparently legitimate sources, including malicious links that, if pressed, can compromise a victim’s computer with malware.
Always be wary of texts offering discounts in particular, as this is a very common way that criminals trick people into pressing on malicious links.
How to identify smishing
There are two additional things to look out for. One is abnormal area codes, which, when compared to your contact lists, can indicate whether or not you should take any action.
The thing you should look out for in a text message is asking the victim to take action concerning a “change in delivery status.” This is a very common form of smishing attack. If you’re unsure about a parcel, go straight to the delivery service’s website. Don’t press the link.
Whaling also targets the corporate world by leveraging OSINT. This is why it’s sometimes also referred to as CEO fraud.
Cybercriminals use social media or company websites to figure out who the CEO is of a specific company. They then pretend to be that person, using an email address that’s similar to the actual CEO’s.
They then send emails out to company employees, often asking for money or for the victim to press a link to “review a document.”
Similar to how a customer sentiment analysis tool works, cybercriminals do large amounts of research about an individual before they employ their stratagems on their victims. This allows them to ensure their impersonation is as good as possible.
How to spot whaling
Usually, this one isn’t too difficult to figure out. If your CEO or a high-up member of your company has never emailed you personally before, then such an abnormal action should cause alarm bells to start ringing in your head.
The other big indicator is if either you or the email sender aren’t using your company’s email domains. Personal emails should never be employed in the workplace, so the use of these is a big giveaway that fraud is taking place.
Pharming is actually quite hard to detect because it’s far more technical than most other phishing attacks. The way it works is that a criminal first hijacks a DNS (Domain Name Server), which is a server that translates URLs into IP addresses. The victim, typing in a website address, is redirected by the DNS server to a malicious website IP address.
The tricky thing is that this malicious website often looks very close to the real thing, and because the victim has been unknowingly redirected, they may well not realize it until it is too late.
How to identify pharming
An obvious giveaway is a website that doesn’t look secure. For instance, watch out for a website that is HTTP rather than HTTPS.
And, as before, inconsistencies in design or information are the other key indicators. Color schemes that look slightly off, bad spelling, different fonts, or even a logo that doesn’t look quite right can all help you spot a malicious website.
Like smishing, angler phishing employs the same techniques but by targeting an ever-growing phishing arena: social media platforms.
Using direct messages, notifications, and other social media features, these seek to entice victims into taking some sort of harmful action, and all from your favorite, beloved platforms. On a large scale, this can be very damaging. That’s why contact center solutions for enterprises should be considered for large businesses and companies needing to manage significant numbers of devices.
How to prevent angler phishing
For this one, there are quite a few things you can look out for to prevent you from falling into a cybercriminal’s trap. The obvious one is to look out for people you don’t know trying to direct message you or offer you benefits by clicking on malicious links to strange websites.
So, in general, it’s good practice to never click on direct messages that include links, even if that account looks legitimate, because that account may have been hacked.
Lastly, keep an eye out and be wary of any notifications where you’re added to a post, especially from someone unfamiliar to you. These include links to malicious websites that could install malware onto your computer.
Evil twin phishing attacks
These attacks use fake Wi-Fi hotspots that are capable of intercepting data during transfer. These hotspots look legitimate but are able to collect your data, such as login credentials or sensitive information, across the connection created. An RDD could help you look after your data (what is RDD?), as can several other platforms that offer such services.
How to prevent an evil twin attack from happening
If pressing on a hotspot triggers an “insecure” warning on your phone or device, then don’t go ahead with this connection, even if the hotspot appears familiar.
Secondly, don’t trust a hotspot that asks you for a login – hotspots that don’t usually ask for one, then suddenly do, should be treated as suspicious.
Lastly, clone phishing also targets emails by leveraging services that a victim has previously used. Cybercriminals are smart and know which applications usually require links. They then, having researched the business applications they want to impersonate, send targeted emails that appear to come from particular services, tricking professionals who are used to using them.
How to identify clone phishing
Again, be wary of emails that:
- Are timed around hectic work times
- Come from unexpected email addresses
- Come from service providers that your workplace doesn’t use regularly
And, as always, be very hesitant about giving away personal information, no matter what reason it’s being requested.
The best way you can prevent phishing is by learning the identifying features of this type of cybercrime. This means you’ll be able to steer clear of it when it happens.
Every workforce should be trained in how to:
- Identify phishing and other forms of cyberattack
- Install preventative measures such as email filters and website alerts in browsers
- Limit Wi-Fi restrictions in workplace spaces
Or you could even consider two-factor authentication for workplace devices. This is an effective additional safety measure.
Learn to spot the types of phishing attacks commonly employed by cybercriminals so you can avoid your sensitive information being stolen.
Grace Lau – Director of Growth Content, Dialpad
Grace Lau is the Director of Growth Content at Dialpad, a cloud phone system platform for better and easier team collaboration. She has over 10 years of experience in content writing and strategy. Currently, she is responsible for leading branded and editorial content strategies, partnering with SEO and Ops teams to build and nurture content. Grace Lau also published articles for domains such as UpCity and Soundstripe. Here is her LinkedIn.