Attackers have plenty of sophisticated ways to break into an organization's IT systems, but most of the time they go after the people instead and target your employees with a phishing attack. In fact, over 80 percent of SMBs were targeted by phishing attacks in 2019.
Cyber criminals often view your staff as the weakest link in your security setup, so as part of our mission to keep you updated on the latest IT security threats and trends, we've detailed seven tactics that attackers use to phish for your company's information.
1. Spear Phishing
When you first think of the term “phishing,” what comes to mind? Is it an email that’s obviously spam, filled with spelling errors and phony claims? Or is it something a little more sophisticated, with no evident red flags other than a peculiar, nagging feeling in your gut telling you something’s not quite right?
Mass spam emails still exist, but spear phishing is several steps ahead of them and continues to grow more prevalent.
Think of spear phishing as "professional phishing," in which the attacker targets one particular individual or a small set of individuals. They will often do their research first, gathering information from social media, for instance, to learn about the target and then send a message tailored to trigger an emotional reaction in that person, one that gets them to act rashly: open an attachment, click a link or carry out the requested action without stopping to think.
2. Whaling
Whaling is spear phishing aimed at a high-profile individual, such as a business executive or other senior employee. The message still pushes the target toward urgent, unwanted action, but compromising an executive is potentially far more lucrative for a cyber criminal.
In a whaling attack, the attacker is after sensitive information such as credentials, intellectual property, a customer database or financial information.
But to get it, the attacker has to step up their game. An executive will not be moved by a simple deadline reminder or a stern email from a superior, the levers that work on a typical spear phishing target. They are more likely to react to the threat of legal action or damage to their reputation, and the attacker crafts the message around exactly that.
3. Vishing
Vishing is phishing done over the phone. The term stands for "voice phishing," and it applies the same social engineering techniques in a different medium.
Examples of vishing include phony IT support staff who call and ask you to visit a website so they can take remote control of your computer, criminals posing as government agencies such as the IRS, and callers using election fundraising as a front for stealing money.
Again, the caller will sound urgent and try to tap into fear so that the target acts without thinking, and they will ask for personal information. Caller ID can be spoofed, so the number on your screen proves nothing about who is on the line. When in doubt about a call, don't engage: hang up and, if the matter might be genuine, call the organization back on a number you look up yourself.
4. Smishing
Smishing, or "SMS phishing," is a phishing message sent as an SMS text to a mobile phone. One of the most common smishing scams is a fake package delivery notification.
A text message arrives saying you need to select delivery preferences or check the status of a delivery, with a link to a site where you can supposedly do so.
However, the link isn't legitimate. It leads to a phishing site that prompts you for account or payment details, or that tries to push malicious software onto the phone.
5. Domain Spoofing
You probably wouldn't ignore an urgent email from a supervisor telling you to complete a money transfer, but be cautious before rushing to carry out that request. A message like that, arriving with no verification outside of email, should be treated as a likely phishing attempt, and domain spoofing is the technique that makes it look like it came from inside.
With this method, the attacker makes the message appear to come from your company's own domain so they can impersonate someone in the organization, such as a supervisor. It takes one of two forms. If your domain does not enforce email authentication (SPF, DKIM and a DMARC policy of quarantine or reject), the From address can simply be forged to match your real domain. Otherwise the attacker registers a lookalike domain in which one or two characters are altered ever so slightly, so at a glance you wouldn't notice that it isn't actually your boss emailing you. When you receive an email like the one above, look closely at both the From and the Reply-To addresses; the Reply-To in particular is often set to a domain the attacker controls so that your answer goes to them.
6. Link Manipulation
Similar to spoofing a domain, attackers can falsify links so that the text you see looks like it points to a real site while the link actually takes you to a phishing site. The visible text of a link and its real destination are independent: an email can show one address in blue underlined text while the underlying address goes somewhere else entirely.
Some of these sites are near-perfect copies of the real thing and hard to spot. Always think before you click a link in an email. Hover your mouse over the link and check that the destination shown really is the site you expect, reading the domain name carefully. If you're still in doubt, don't copy the link out of the email; open your browser and type the address you already know, use a saved bookmark, or simply delete the email.
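The two checks described in sections 5 and 6, reading the sender's domains closely and comparing a link's visible text with its real destination, can be automated. The following Python script is an added example written for this article, not a CoreTech tool or code from the original page; it runs against a constructed sample message (not a real capture) and assumes a hypothetical company domain, example-corp.com. It folds common digit-for-letter substitutions (1 for l, 0 for o) before comparing domains, flags a Reply-To that differs from the From domain, extracts every link from the HTML body, and reports links whose visible URL text does not match the href or whose host merely embeds the company name inside another domain.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAIN = "example-corp.com"  # assumed for this example; substitute your own

# Constructed sample, not a real capture: the From domain swaps the digit 1 for the
# letter l, Reply-To points to a third domain, and the link text names the real portal.
SAMPLE_EMAIL = """\
From: "Pat Jones (CEO)" <pat.jones@examp1e-corp.com>
Reply-To: pat.jones@secure-mail-examplecorp.net
Subject: Urgent wire transfer - approve today
Content-Type: text/html; charset="utf-8"

<p>Please approve the pending transfer in the finance portal:</p>
<p><a href="http://portal.example-corp.com.login-verify.net/auth">https://portal.example-corp.com</a></p>
"""

# Digits commonly swapped for letters in lookalike domains.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch the one- or two-character alterations described above."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str, legit: str, max_distance: int = 2) -> bool:
    """True when domain is not legit but is a confusable or near-identical spelling of it."""
    if not domain or domain == legit:
        return False
    folded = domain.translate(CONFUSABLES)
    return folded == legit or edit_distance(folded, legit) <= max_distance

def domain_of(header_value: str) -> str:
    """Lower-cased domain from a header such as '"Name" <user@host>'."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def host_owner(host: str, legit: str) -> str:
    """Classify a link host relative to the legitimate domain."""
    host = host.lower().rstrip(".")
    if host == legit or host.endswith("." + legit):
        return "legit"
    if legit in host:  # e.g. portal.example-corp.com.login-verify.net
        return "company name embedded in another domain"
    return "lookalike" if is_lookalike(host, legit) else "other"

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyze(raw: str, legit: str = COMPANY_DOMAIN) -> dict:
    """Return sender domains, extracted links and human-readable findings for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings, links = [], []
    from_dom = domain_of(str(msg["From"] or ""))
    reply_dom = domain_of(str(msg["Reply-To"] or ""))
    if is_lookalike(from_dom, legit):
        findings.append(f"From domain {from_dom!r} is a lookalike of {legit!r}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        links = extractor.links
    for href, text in links:
        href_host = (urlparse(href).hostname or "").lower()
        # Visible text that looks like a URL must point where it claims to.
        text_host = (urlparse(text).hostname or "").lower() if "://" in text else ""
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host!r} but href goes to {href_host!r}")
        verdict = host_owner(href_host, legit)
        if verdict != "legit":
            findings.append(f"link host {href_host!r}: {verdict}")
    return {"from_domain": from_dom, "reply_to_domain": reply_dom, "links": links, "findings": findings}

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL)["findings"]:
        print("-", finding)
```

Run as a script, it prints four findings for the sample: the lookalike From domain, the mismatched Reply-To, the link whose text claims portal.example-corp.com while the href goes to login-verify.net, and the fact that the company name is merely a subdomain label of another registered domain. Note that `host_owner` takes the last labels literally; a production version would consult the public suffix list so that `example-corp.co.uk` style domains are handled correctly.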
7. Malvertising
When surfing the web, you see countless advertisements, but not all of them are what they seem. Some carry malicious code, a technique known as malvertising. Malicious ads can show up anywhere, even on high-profile sites like Huffington Post, New York Times and Spotify, because ads are typically served by third-party ad networks rather than by the site itself. Once a user clicks one of these ads, often intending to reach a legitimate site, they are instead sent to a phishing site or trigger a malware download. What's even more alarming is that sometimes the ad doesn't even have to be clicked: simply loading it on the screen is enough when the ad's code exploits a flaw in the browser or a plugin.
Awareness is the first step in preventing a cyber security attack, and CoreTech can ensure your end users are ready.
Phishing attacks are only going to become more complex and sophisticated, which means they are also going to get harder to spot. By staying on top of the ever-evolving cyber threat landscape, CoreTech has the expert knowledge and experience to help your employees ward off an attack before it can wreak havoc on your systems.
Adequate software like advanced endpoint protection and a firewall is essential, but it isn't enough in today's online world. Your organization also needs a rigorous cyber security awareness training program, and CoreTech has the tools you need to put one in place.
Contact us today to learn more.