Phishing Can Have Multiple Attack Vectors

Phishing is a pressing issue for everyone, not just businesses. The main problem is that the phishing messages keep getting more and more sophisticated and keep coming and coming until, eventually, something negative happens. For this week’s tip, we wanted to discuss the different types of phishing you can encounter.

Before we get started breaking down the types of phishing there are, let’s review what exactly phishing is.

Phishing is a Social Engineering Attack

Phishing attacks target users rather than the underlying computing network. These days, with the security controls that many organizations pay good money for, it is even harder to access a computing network without legitimate credentials; and, because of this, it is easier (and more cost-effective) to target the end users.

As a result, these hackers come up with a scam (or many scams, actually) that target people who may have access to a network that carries with it the sensitive information that most businesses have on file these days. Let’s take a look at some of the types of phishing scams.

Phishing Via Email

The phishing email makes up for over ninety percent of all phishing messages in total. Essentially, they are emails that come into an inbox seemingly through legitimate means and end up scamming the recipient to hand over their credentials. Here is some of the most prevalent information about email-based phishing attacks.

• Attachments - An unexpected attachment in an email can easily be used as a vehicle for malware and other attacks. These can be either individual documents, or in the form of a ZIP file.
• Spoofed links and senders - Many phishing emails will appear to come from certain senders or websites, trying to take advantage of the inherent trust that these senders or websites have in the public. Paying close attention to these links and senders will help you catch these efforts.
• Misspellings and grammatical errors - Most professional communications are (or should be) proofread fairly extensively before being sent. Therefore, an email that presents a lot of these issues is somewhat suspicious.

Phishing Via Text Message: Smishing

A form of phishing message that is sent via text message is called Smishing: The hallmarks of this type of scam include:

• Messages from unknown numbers - Messages that come from non-cell numbers can be a sign of a scammer using an email-to-text service.
• Unsolicited messages - If a message purports to come from an organization and you didn’t prompt any communication with them, take it with a grain of salt and reach out to that organization through another means.
• Personal Information - If there are personal details shared in the message itself, it could very well be a phishing scam, as scammers will try to add pressure on their victims.

Phishing Via Phone Call: Vishing

Getting a phishing message over the phone is called Vishing. Typically the call will try to determine facts about you to which the hacker will use to gain access to your accounts. Here are a few variables to watch out for:

• "Too good to be true" offers - Phishers will often place phone calls promising rewards or perks that are unrealistically appealing.
• Calls from authorities - If you receive a call from some organization or higher authority, don’t be afraid to question its validity…particularly if they start pressuring you and/or are trying to scare you.
• Personal details - A lot of your information can be found online so if a caller has more information than they should, that’s a red flag.

Social Media Phishing

Nowadays, phishing attacks are carried out through social media as well. To avoid falling victim to these attacks, keep an eye out for:

• Multiple accounts - Some phishers will find someone, make a copy of their profile, and start sending that person’s contacts invitations to connect. This is another time you should separately confirm that someone is who they claim to be.
• Bogus links - Social media platforms offer phishers a very convenient means to share out links to fraudulent websites, where personal details can be harvested from unwitting visitors.

We hope this little reminder helps. If you have any questions about phishing, how to ensure that your employees are sufficiently trained to ward off potential phishing attacks, or our security services, reach out to us.