Many phishing schemes depend on malware to assist attackers in acquiring the information they’re after. This can include viruses, trojan horses, ransomware, and spyware.
Let’s briefly take a look at each type of malware and how a hacker can use them.
Virus – a computer virus attaches itself to a legitimate program or document so that its code runs whenever that host file is opened or executed. Many viruses delivered by phishing rely on document macros (small scripts embedded in Office files that run when the document is opened and macros are enabled) to get started. Attackers might use viruses to corrupt a computer system or intentionally destroy data.
Trojan horse – a Trojan horse, or simply “Trojan,” appears to be a legitimate piece of software or a document; however, buried within it is malicious code designed to wreak havoc. Unlike a virus, a Trojan does not spread on its own; it relies on the victim running it. Like viruses, Trojans are built to disrupt or damage systems and inflict damage on your network.
Ransomware – ransomware is software developed to encrypt data, block access to a computer or network, and keep it locked until a ransom is paid. Ransomware has to be delivered to and run on a computer, so it’s often hidden in email attachments or even fake advertisements on websites. Once the ransomware is activated, the attackers demand payment (usually in cryptocurrency) in exchange for a decryption key. Paying does not guarantee that access is restored.
By some estimates a ransomware attack occurs every 40 seconds, and the FBI has estimated there are nearly 4,000 ransomware attacks every day. What’s worse, 20% of victims never get their data back.
Spyware – spyware is malicious software designed to run on your computer or mobile device without your knowledge. It gathers information about you, including emails you send and receive, websites you visit, usernames and passwords, and more.
Like other malware, spyware often piggybacks on legitimate programs, lurks unnoticed in email attachments or marketing advertisements, or is disguised as something harmless, like a Trojan. Spyware can also get onto your system by exploiting other security vulnerabilities, such as unpatched software bugs.
Spyware is difficult to remove because it is designed to be difficult to detect. Your computer or mobile device could be infected and you likely won’t even know it.
Phishing attempts are typically a part of a larger social engineering scheme, an effort to manipulate, influence, or deceive targets into doing the attacker’s bidding. As a result, there are many ways attackers can accomplish their objectives.
Now that we’ve covered the basics of what phishing is and how it works in general, let’s take a look at some of the most common types of phishing attacks.
Phishing originated in email, and that makes sense: it’s an indirect medium that lets attackers deceive many targets quickly. Estimates project nearly 270 billion emails are sent every day, with roughly 135 million of those being phishing attempts.
There are several ways attackers leverage phishing emails to deceive their recipients. Let’s briefly look at a few of them:
- Lucrative offers – if it’s too good to be true, then it probably is. Lottery winnings, free products, massive inheritances, or other lavish prizes are offers designed to grab your attention so you’ll open the attacker’s email.
- Sense of urgency – with most phishing attempts, the idea is to get you to react quickly without thinking about it. In order to do that, attackers try to create a false sense of urgency to provoke a response. They may pose as your bank and threaten to freeze your account, encourage you to make a payment to a “utility company” before time runs out, or something similar.
- Attachments – attachments are a feature of many phishing emails. As mentioned above, they can carry malware designed to harm your system. If you receive an email with an attachment and you don’t know the sender, or anything about it seems suspicious, don’t open it!
- Hyperlinks – many phishing attacks don’t need you to reply to the email so much as they need you to click a link inside it. The websites these links lead to may look like a legitimate site (e.g. your company’s bank), but they’re really imitation websites designed to capture credentials and personal information.
Phishing emails are also notorious for atrocious grammar and spelling, which can make them easy to identify. Many are written in the attacker’s native language and translated into English with an online tool, and the result is often not very accurate, which makes some phishing emails easier to spot. Don’t rely on this alone, though; well-written phishing emails do exist.
It’s also important to pay attention to the sender’s actual email address, not just the display name. Even if an email looks like it’s from someone you know, if anything seems suspicious or out of character, check the address (and the Reply-To address) carefully.
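The sender checks described above, as an added example that is not part of the original article: a small Python triage routine that looks at a raw message's From, Reply-To and Return-Path headers and at the Authentication-Results header written by the receiving mail server (SPF/DKIM/DMARC verdicts). KNOWN_SENDERS is an assumed address book, and both sample messages are constructed for illustration.

```python
"""Triage checks on who an email really comes from.

Added example, not code from the original article. KNOWN_SENDERS and the two
sample messages below are constructed; substitute your own address book.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: display names we expect to see, mapped to the address they really use.
KNOWN_SENDERS = {
    "jane doe": "jane.doe@examplecorp.com",
    "examplebank": "alerts@examplebank.com",
}


def _domain(addr: str) -> str:
    """Part after the last '@', lower-cased; '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(raw_message: str) -> list:
    """Return a list of reasons the sender looks spoofed; empty means nothing found."""
    msg = message_from_string(raw_message)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)

    # 1. Display-name spoofing: a name we know, but not the address we know it by.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and expected.lower() != addr.lower():
        findings.append(f"display name '{name}' but address is {addr}, expected {expected}")

    # 2. The display name itself is an address from a different domain
    #    (e.g. From: "ceo@examplecorp.com" <random@free-mail.example>).
    if "@" in name and _domain(name) != from_domain:
        findings.append(f"display name carries an address from {_domain(name)}, not {from_domain}")

    # 3. Reply-To steers replies to a domain other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {from_domain}")

    # 4. Envelope sender (Return-Path) from a domain other than the visible sender.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and _domain(return_path) != from_domain:
        findings.append(f"Return-Path domain {_domain(return_path)} differs from From domain {from_domain}")

    # 5. Our own mail server's verdicts. 'none' means no record/signature, which is
    #    weaker evidence than an explicit fail, so only non-pass, non-none verdicts are flagged.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() not in ("pass", "none"):
            findings.append(f"{mech}={m.group(1)}")

    return findings


# Constructed sample: lookalike domain (examp1ecorp), foreign Reply-To, SPF/DMARC fail.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-examplecorp.net>
Authentication-Results: mx.examplecorp.com; spf=fail smtp.mailfrom=mail-examplecorp.net; dkim=none; dmarc=fail
From: "Jane Doe" <jane.doe@examp1ecorp.com>
Reply-To: <payments@mail-examplecorp.net>
To: accounts@examplecorp.com
Subject: Urgent: updated wire instructions

Please process the attached invoice today.
"""

# Constructed sample: everything consistent and authenticated.
SAMPLE_LEGIT = """\
Return-Path: <jane.doe@examplecorp.com>
Authentication-Results: mx.examplecorp.com; spf=pass smtp.mailfrom=examplecorp.com; dkim=pass header.d=examplecorp.com; dmarc=pass
From: "Jane Doe" <jane.doe@examplecorp.com>
To: accounts@examplecorp.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_sender(sample))
```

The constructed phishing sample trips five of the checks; the legitimate one trips none. Note that Authentication-Results headers are only trustworthy when added by your own receiving server, since an attacker can insert a fake one upstream, so production code should check the authserv-id (mx.examplecorp.com here) before trusting it.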
As demonstrated above (i.e. AOL), attackers can effectively use imitation websites to accomplish their objectives.
Whether it’s a website for a popular banking institution, eCommerce site, or social media platform, attackers are skilled at crafting an imitation website that looks like the real thing.
The differences are usually subtle. One character in the URL might be different, the real brand name might appear as a subdomain of some unrelated domain, or a pop-up window may appear when it normally wouldn’t.
Chrome, Firefox, Edge, and other modern browsers warn about known phishing sites out of the box, and extensions that help you identify phishing websites are available as well.
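The lookalike-URL checks described above, as an added example that is not part of the original article: a Python function that compares a link's hostname against an assumed list of trusted domains and flags the common tricks (one-character substitutions such as 0 for o, the brand used as a subdomain of an unrelated domain, credentials before an @ that hide the real host, and internationalised/punycode hostnames). TRUSTED_DOMAINS and the sample links are constructed; the registrable-domain helper is deliberately simplified and ignores multi-part public suffixes such as co.uk.

```python
"""Flag links whose hostname imitates a trusted brand domain.

Added example, not code from the original article. TRUSTED_DOMAINS and the
sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# Assumption: the domains this organisation actually deals with.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "examplebank.com"}

# Digit-for-letter substitutions commonly used in typosquats.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def _normalise(host: str) -> str:
    """Undo the usual visual substitutions so 'micros0ft' and 'rnicrosoft' read as 'microsoft'."""
    host = host.lower().rstrip(".").translate(_CONFUSABLES)
    return host.replace("rn", "m").replace("vv", "w")


def _levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable(host: str) -> str:
    """Last two labels: 'paypal.com.secure-login.net' -> 'secure-login.net'.
    Simplification: does not know multi-part suffixes like 'co.uk'."""
    return ".".join(host.split(".")[-2:])


def check_link(url: str) -> list:
    """Return a list of reasons the URL looks like a lookalike; empty means no finding."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname in URL"]

    # https://paypal.com@evil.net/ : everything before '@' is userinfo, the host is evil.net
    if parts.username is not None:
        findings.append("credentials before '@' hide the real host")
    # Non-ASCII or punycode labels can contain letters that look identical to Latin ones
    if not host.isascii() or "xn--" in host:
        findings.append("internationalised (punycode) hostname; may use lookalike letters")
    if parts.scheme != "https":
        findings.append("not HTTPS")

    reg = _registrable(host)
    if reg in TRUSTED_DOMAINS:
        return findings  # genuine domain (any subdomain of it is fine)

    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if _levenshtein(_normalise(reg), _normalise(trusted)) <= 2:
            findings.append(f"'{reg}' is a near-miss for trusted '{trusted}'")
        elif trusted in host:
            findings.append(f"trusted name '{trusted}' used as a subdomain of '{reg}'")
        elif brand in reg.split(".")[0]:
            findings.append(f"brand '{brand}' inside unrelated domain '{reg}'")
    return findings


if __name__ == "__main__":
    for link in (  # constructed sample links
        "https://www.paypal.com/signin",
        "https://paypa1.com/login",
        "https://paypal.com.secure-login.net/",
        "https://paypal.com@evil.net/login",
        "http://micros0ft.com/",
        "https://paypal-secure.net/",
    ):
        print(link, "->", check_link(link) or "ok")
```

The edit-distance threshold of 2 is a reasonable default for brand names of this length but will produce false positives for very short trusted domains; tune it per domain or restrict the near-miss check to names of six or more characters if that becomes a problem.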
Another channel growing in popularity for phishing attacks is mobile messaging. This includes the native messaging apps on iOS and Android devices as well as Facebook Messenger and WhatsApp.
SMS phishing, also known as “smishing,” works like other phishing attempts. The attacker creates the bait (a fake offer with a URL), sends it to the target via SMS (the hook), and waits for a response. Once the victim clicks the link (the catch), it operates like any other phishing attack.
For example, an attacker might send an “automated” message indicating you have a delivery package on the way with a URL to track the delivery. However, when you click the URL, it takes you to a fraudulent website or even downloads malware.
Just one more reason implementing effective mobile device security is essential for today’s SMBs.
When a phishing attempt occurs over the telephone, it’s referred to as “vishing” (voice phishing). Attackers pose as an employee or representative of a real company and try to extract their target’s personal information. Caller ID can be spoofed, so the number displayed on your phone is not proof of who is calling.
While senior adults are common targets of vishing attacks, unsuspecting and untrained employees at every level of your business can quickly become the victim of a vishing attempt.
If someone calls you and begins asking for personal or sensitive business information, tell them you’ll call them back, then hang up and call the company on a number you look up yourself (its official website, your statement, or the back of your card), not on a number the caller gives you. Check online whether the number that called you has been reported for scams. And if someone you don’t know emails you asking you to call them at a certain number, verify that number independently before you call.
A little bit of research can go a long way in preventing you or your business from falling victim to a vishing attempt.
Social media platforms are a popular medium for phishing attempts. These include Facebook, Twitter, Instagram, TikTok, Snapchat, YouTube, and more.
Scammers create fake profiles, sometimes posing as well-known influencers, and then approach their targets via direct messaging tools on these platforms.
While fake profiles of celebrities are quickly flagged, that is not the case for lesser-known individuals. Scammers have been known to operate a social media profile for years before making a phishing attempt. Over time they build a false sense of trust and authority with their followers, which they then use to their advantage.
The social media accounts of most celebrities and influencers are verified by the platform and are easily identified. Even so, be wary of direct messages asking for money, asking you to click through to a URL, or asking you to download an app.
Social media accounts are frequently compromised, so even if a message is from someone you know, be quick to spot suspicious or out-of-character behavior, just as with phishing emails.
One of the more sophisticated types of phishing attempts is known as “spear-phishing.”
This type of phishing attack is aimed at a specific individual or group. When directed at a CEO, CFO, or another high-level employee of a company with access to sensitive information, it’s also referred to as “whaling.”
In this type of attempt, attackers don’t send generic phishing emails or messages to their targets. Instead, they customize everything to the individual they’re targeting. They may pose as a legitimate vendor the organization uses or as a person the CEO or CFO knows professionally, often using details gathered from the company website, social media, and public records. The more detailed and specific the attacker can be, the higher their chances of success.
Again, the goal is to get the victim to unsuspectingly do the bidding of the attacker.
Spear-phishing can yield significant losses for a business. When scammers successfully pose as legitimate sources, they can con victims into wiring large sums of money into attacker-controlled accounts. This is called Business Email Compromise (BEC), and it’s reported that businesses lose nearly $700 million every month to these scams, which often begin with a spear-phishing attempt.
Need help identifying gaps in your company’s security? Commprise offers IT security and compliance auditing, including phishing tests. Book a call.