In our initial blog, Phishing 101, we covered the basics of phishing, including what phishing is and how to prevent it. Today, we will cover the different types of phishing attacks that your organization could be vulnerable to.
Deceptive phishing is the most common type of phishing scam. These scams occur when an email that appears to come from a recognized source asks you to hand over information. Typically, these emails request that you:
- Verify account information
- Re-enter information, such as logins or passwords
- Change your password
- Make a payment
Once this information is input, hackers can access your accounts and then utilize the sensitive information in order to steal payment card information, sell your personal information or otherwise utilize your sensitive information for gain.
The Campaign Chair for Hillary Clinton had his personal Gmail account compromised through this type of phishing attack. The attack involved an email that appeared to be sent from Google, requesting that the Chair change his account password. The email linked to a malicious site where he entered his login and password information, which was then keylogged by the hackers.
Spear phishing is a more sophisticated version of deceptive phishing, which uses your information in order to trick you into thinking you have a relationship with the sender. Information that is utilized includes full name, position information, or other semi-private information.
However, the goal of these phishing attacks is the same: to get you to click on a URL or open an email attachment and input sensitive information that hackers then use to access your accounts.
CEO Fraud / Whaling
Hackers attempt to gain executive and director information in order to access their email accounts. At times, this type of phishing attack can be easier as executives typically don’t attend the same security training that employees are subject to.
Once hackers succeed, they use the compromised email address to impersonate the executive. From there, they request personal or trade information, or authorize transactions that result in money being pilfered. If attackers are unable to access the executive's email account, a look-alike email address can be used to impersonate the individual instead. For example, email@example.com instead of firstname.lastname@example.org.
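One defensive check that follows from this section is to inspect the From: header of inbound mail for two impersonation patterns: a display name that matches an executive while the address does not, and a sender domain that is a near-copy of the organization's own domain. The following is an added example written for this page, not code from the original post or from A-LIGN; the domain example.com, the executive name and address, and the confusable-character table are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed values for this example: the organization's real domain and the
# executives whose names an impersonator is most likely to borrow.
ORG_DOMAIN = "example.com"
EXECUTIVES = {
    "Jane Doe": "jane.doe@example.com",
}

# Character substitutions commonly used to build look-alike domains
# (assumed list for this example; extend it for your own environment).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def edit_distance(a, b):
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain):
    """Fold common confusable sequences so 'exarnple' and 'example' compare equal."""
    d = domain.lower()
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def is_lookalike(domain, org_domain=ORG_DOMAIN):
    """True if domain is not org_domain but is typographically close to it."""
    if domain == org_domain:
        return False
    if normalise(domain) == normalise(org_domain):
        return True
    # A couple of inserted, deleted or swapped characters is the typical typo-squat.
    return edit_distance(domain, org_domain) <= 2


def classify_sender(from_header, org_domain=ORG_DOMAIN, executives=EXECUTIVES):
    """Return a verdict for the value of an RFC 5322 From: header.

    Verdicts: 'impersonation' (executive display name, foreign address),
    'lookalike-domain', 'internal', or 'external'.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    name = " ".join(name.split()).lower()
    exec_by_name = {k.lower(): v.lower() for k, v in executives.items()}

    if name in exec_by_name and exec_by_name[name] != addr:
        return "impersonation"
    if is_lookalike(domain, org_domain):
        return "lookalike-domain"
    if domain == org_domain:
        return "internal"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers, one per verdict.
    for hdr in (
        "Jane Doe <jane.doe@example.com>",
        "Jane Doe <jane.doe@webmail.example>",
        "Accounts Payable <ap@exarnple.com>",
        "Vendor <billing@unrelated.org>",
    ):
        print(f"{hdr:45} -> {classify_sender(hdr)}")
```

A hit on either rule is a reason to quarantine the message or add a visible banner before the recipient acts on a payment or data request; it is not proof of fraud on its own, since legitimate partners do sometimes use similar-looking domains.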
In February of 2016, Snapchat revealed that their organization was breached due to a scam in which the CEO was impersonated by a hacker. The hacker then asked for employee payroll information, which was disclosed to the external source.
While email and web browsers are the most common means of executing phishing attacks, phishing phone calls are becoming increasingly common. In the same manner, callers pretend to be a reputable organization, such as your credit card company or your bank, in order to gain information.
These attacks occur in a variety of ways but are all built on trust. The caller approaches you already holding some of your information, such as your name and where your account is held. From there, they can pilfer information in several ways: they may ask you sensitive questions, such as your password, or inform you that your account has been locked and that you must provide your payment information in order for it to be unlocked.
Creating awareness about the different types of attacks to anticipate can assist organizations in preparing for the future. In addition, implementing an educational program that highlights these types of attacks and how individuals should manage them can be a boon for organizations looking to bolster their security.
Is your organization looking to build a security and compliance program customized to your unique needs? Contact the professionals at A-LIGN at info@a-lign or 888-702-5446 to find out how we can help.