In our initial blog, Phishing 101, we covered the basics of phishing, including what phishing is and how to prevent it. Today, we will cover the different types of phishing attacks that your organization could be vulnerable to.
Deceptive phishing is the most common type of phishing scam. These scams occur when an attacker posing as a recognized source emails you in order to extract information. Typically, these emails ask you to:
- Verify account information
- Re-enter information, such as logins or passwords
- Change your password
- Make a payment
Once this information is entered, hackers can access your accounts and use the data to steal payment card details, sell your personal information, or otherwise profit from it.
The Campaign Chair for Hillary Clinton had his personal Gmail account compromised through this type of phishing attack. The attack involved an email that appeared to be sent from Google, requesting that the Chair change his account password. The email linked to a malicious site where he entered his login and password, which were then keylogged by the hackers.
Spear phishing is a more sophisticated version of deceptive phishing that uses your own information to trick you into believing you have a relationship with the sender. The information used includes your full name, job title, or other semi-private details.
However, the goal of these attacks is the same: get you to click a URL or open an email attachment and enter sensitive information that the hackers then use to access your accounts.
CEO Fraud / Whaling
Hackers attempt to gather information about executives and directors in order to access their email accounts. At times, this type of phishing attack can be easier because executives often do not receive the same security training that other employees do.
Once hackers succeed, they use the email account to impersonate the executive. From there, they request personal or trade information, or authorize transactions that result in money being pilfered. If attackers are unable to access the executive's actual email account, a similar-looking email address can be used to impersonate the individual, for example firstname.lastname@example.org instead of email@example.com.
In February 2016, Snapchat revealed that it had been breached by a scam in which a hacker impersonated the CEO. The hacker then asked for employee payroll information, which was disclosed to the external source.
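As an added defender-side example (not code from the original post or from A-LIGN), the following Python checker flags a From: header that shows the impersonation patterns described above: an executive's display name attached to a foreign mailbox, an executive's mailbox name reused on an outside domain, or a sender domain that merely resembles the organization's. The executive directory, ORG_DOMAIN and the sample headers are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed directory: executive display names (lowercased) mapped to their
# genuine mailbox. Both the names and the domain are assumptions for this example.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
ORG_DOMAIN = "example.com"


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str) -> bool:
    """True if the domain is not ours but could be mistaken for it."""
    if domain == ORG_DOMAIN:
        return False
    base = ORG_DOMAIN.split(".")[0]
    # Catches typosquats (examp1e.com), a different TLD (example.co) and
    # domains that embed our name (example-com.net, mail.example.com.host.net).
    return levenshtein(domain, ORG_DOMAIN) <= 2 or base in domain


def assess_sender(from_header: str) -> list[str]:
    """Return the reasons a From: header looks like executive impersonation."""
    display, address = parseaddr(from_header)
    address = address.lower()
    local, _, domain = address.partition("@")
    reasons = []
    genuine = EXECUTIVES.get(re.sub(r"\s+", " ", display.strip().lower()))
    if genuine and address != genuine:
        reasons.append("display name matches an executive but address differs")
    if lookalike_domain(domain):
        reasons.append(f"sender domain {domain!r} resembles {ORG_DOMAIN!r}")
    exec_locals = {g.split("@")[0] for g in EXECUTIVES.values()}
    if domain != ORG_DOMAIN and local in exec_locals:
        reasons.append("executive mailbox name reused on an external domain")
    return reasons
```

A mail gateway or SIEM rule built on these checks would route flagged messages for review rather than block them outright, since legitimate partners can also use similar-sounding domains.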
While email and web browsers are the most common means of executing phishing attacks, phone phishing calls are becoming increasingly common. In the same way, the caller pretends to be a reputable organization, such as your credit card company or bank, in order to obtain information.
These attacks take a variety of forms but are all built upon trust. The caller approaches you already knowing some of your information, such as your name and where you hold an account. From there, they can extract information in several ways: they may ask you sensitive questions, such as your password, or tell you that your account has been locked and that you must provide your payment information in order to unlock it.
Creating awareness about the different types of attacks to anticipate can assist organizations in preparing for the future. In addition, implementing an educational program that highlights these types of attacks and how individuals should manage them can be a boon for organizations looking to bolster their security.
Is your organization looking to build a security and compliance program customized to your unique needs? Contact the professionals at A-LIGN at info@a-lign or 888-702-5446 to find out how we can help.
What is Phishing?
Phishing is a set of communications sent in order to deceive individuals into providing sensitive information. Phishing can take the form of email messages, website forms, or phone calls, and can be designed to extract different kinds of information, such as:
- Credit card or other financial information
- Social security information
- Account logins and passwords
- Personal Identification Numbers (PINs)
Phishing employs both technical wherewithal and social engineering in order to steal consumer information. Recent phishing attacks have impersonated trusted brands like Gmail, Netflix and Dropbox in order to trick users into entering their information. More than 400,000 phishing sites were detected per month in 2016, an all-time high.
Preventing Phishing Attacks
Preventing phishing attacks starts with education: the more we learn about these types of attacks, the better we are able to prepare employees. Creating a program for your organization to handle these attacks is an important step in reducing exposure.
- Report Attacks
Organizations should also provide a way for employees to report these attacks. Creating a culture of awareness is one of the best methods of preventing sensitive information from being compromised.
If one individual in your organization receives a phishing email and notifies the IT department that an attack is under way, the attack can be stopped in its tracks before the entire organization is compromised.
- Check the details
Typically, there are a few details that can indicate that an email may not be coming from a legitimate source. These tells include poor spelling and grammar, abnormal sender, and unfamiliar URLs.
- Abnormal requests
Requests for information that the sender should already have should be a red flag. For example, an organization emailing you to log in to your account could be a keylogging attack that will steal your password.
In a similar vein, account re-verifications that require you to enter information you were not expecting to provide should be treated with caution. Activating two-factor authentication on all accounts can help identify whether an email is authentic or a phishing attack.
- Implement policies that prevent attacks
General security policies that can help protect your organization as a whole include:
- Only entering information on HTTPS-protected sites
- Utilizing anti-virus software to detect attacks
- Regularly updating and patching systems that could be corrupted
Implementing a strong culture of security, as well as policies that help prevent attacks, is important in minimizing danger.
Erring on the side of caution is the best method to prevent phishing attacks, and if at any point you are uncertain of the authenticity of a call or email from an individual, contact the organization responsible or your own security professionals in order to assess the authenticity. Regular penetration tests, which can utilize social engineering situations similar to phishing, can help build your security program by identifying areas of weakness.
Is your organization ready to receive a penetration test? Contact the experienced penetration testers at A-LIGN at firstname.lastname@example.org or 888-702-5446.