When reading the names of these attacks out loud, we wouldn’t be surprised if the first thought that comes to mind is “how malicious can attacks with such cutesy names really be?”. Well, phishing is used as the attack vector for 95% of all targeted attacks against enterprise networks, and a single spear phishing attack results in an average loss of $1.6 million according to Security Boulevard. So yeah, phishing is quite a big deal.
But it’s not only classic email phishing that is causing a fuss. The FBI issued a warning last month about voice phishing attacks, also known as “vishing”. In their statement, the FBI shed light on a new wave of cybercriminals “taking advantage of changing environments and technology” during lockdown and other COVID-19 restrictions. In this blog post, we will explain how phishing works across different platforms, how to recognize the attacks and how to make sure you’re protected.
The most commonly used attack method is email phishing. This type of phishing involves fraudulent emails that lure victims into clicking a malicious link, downloading a malicious file, or providing personal information. In many cases, phishing emails will direct the victim to a seemingly legitimate website where they are asked to enter credentials or bank/credit card details, which the attackers then harvest to sell or use in further attacks. Over time, phishing emails have become more and more realistic. Attackers today use a whole new level of sophistication to make everything about their phishing email seem legitimate, so that victims fall for the trickery every time (research shows that 97% of users cannot identify a sophisticated phishing email). Newer variants include Spear Phishing, where victims are targeted individually, usually with a more sophisticated, tailored email, and Whaling, phishing attacks that target CEOs and other high-profile individuals.
SMS phishing, or Smishing, is a type of phishing attack deployed via SMS or WhatsApp messages. These mischievous messages usually include a malicious link, or ask victims to reply with confidential information. Since text messages are short and sweet in nature, smishing messages are usually written in exciting language that creates a sense of urgency. With a general lack of awareness that malware and scams can arrive by text, people are more vulnerable to this type of phishing. In a study by Lloyds TSB in which participants were shown 10 authentic and 10 inauthentic text messages, only 18% correctly distinguished between all fake and real texts. That’s 72% who didn't, and who could easily fall victim to a smishing attack any day.
In voice phishing attacks, the victim receives a fraudulent phone call asking them for sensitive or confidential information. Victims’ personal information and phone numbers can easily be found on the internet, allowing attackers to trick them into thinking the caller represents a legitimate service that knows the victim personally. Scammers may fake their caller ID or call from an unknown number. Vishing comes in a single-step form and a two-step form. In a simple vishing attack, the caller will try their luck asking victims for information such as credit card details, account credentials, personal information and the like. In the two-step method, cybercriminals are trying to access a victim’s online account for a certain service, but they need a code sent by SMS in order to validate their login. In this case, the attackers call the victim, claiming to work for whichever service they are trying to hack (probably the bank), and ask for the code that was just sent to the victim's phone.
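As an added example (not code from the original post or from ThreatSTOP), a small heuristic that flags the smishing traits described above, a link, urgent wording, a request for confidential data, and the request for a just-sent login code that the two-step vishing scheme relies on, over constructed sample messages. The patterns, indicator names and risk thresholds are assumptions made for illustration.

```python
import re

# Constructed sample messages (not taken from the post). The first two mirror
# the smishing and two-step vishing traits described in the text.
SAMPLES = {
    "urgent_link": "URGENT: your account is suspended. Verify now at "
                   "http://bit.ly/xyz or lose access today!",
    "otp_request": "This is your bank. To validate your login, reply with "
                   "the 6-digit code we just sent you.",
    "benign": "Hi, running 10 minutes late for lunch. See you at the usual place.",
}

# Heuristic patterns (assumptions, tuned only for the samples above).
URL = re.compile(r"\b(?:https?://|www\.)\S+", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|now|today|suspended|locked|"
                     r"expire[sd]?|final notice)\b", re.I)
ASK_INFO = re.compile(r"\b(reply with|send us|confirm your|enter your|provide your)\b"
                      r".*\b(password|pin|code|card|account|ssn|login)\b", re.I)
# A request to read back a login code is the two-step vishing pattern.
CODE_REQ = re.compile(r"\b(reply with|read (me|us) back|tell (me|us)|give (me|us))\b"
                      r".{0,40}\b(code|otp|one[- ]time pass(?:code|word))\b", re.I)


def smishing_indicators(text):
    """Return the names of the indicators that match a message, in fixed order."""
    checks = [("link", URL), ("urgency", URGENCY),
              ("asks_for_data", ASK_INFO), ("asks_for_code", CODE_REQ)]
    return [name for name, pattern in checks if pattern.search(text)]


def risk_level(text):
    """Map indicators to a coarse triage level; a code request alone is high."""
    hits = smishing_indicators(text)
    if "asks_for_code" in hits or len(hits) >= 2:
        return "high"
    return "medium" if hits else "low"


def triage(samples=SAMPLES):
    """Score every sample message; returns {label: (level, indicators)}."""
    return {label: (risk_level(msg), smishing_indicators(msg))
            for label, msg in samples.items()}


if __name__ == "__main__":
    for label, (level, hits) in triage().items():
        print(f"{label:12s} {level:6s} {hits}")
```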
The FBI’s recent warning on vishing attacks is important for spreading awareness about this attack, considering that just last summer Twitter suffered its most famous hack via vishing. Employees at Twitter fell victim to voice phishing attacks, being tricked by attackers into handing over their employee credentials over the phone. Over 100 accounts of the most famous people on the social media platform, including Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, Kanye West and Kim Kardashian, were compromised. These accounts were then used to ask Twitter users for Bitcoin payments, claiming to double the amount sent and return it as a gesture of “giving back to the community” by the hacked celebrities and politicians.
Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?