Phishing attacks are not something that has come up recently. Such attacks have been around since the mid 90s, however, overtime, they have become more sophisticated.
To make things worse, did you know that 32% of confirmed data breaches involved phishing? (Verizon 2019 Data Breach Investigations Report) And 57% of the organizations report having experienced mobile phishing attacks! (Wandera’s 2020 Mobile Threat Landscape Report).
Before moving on to the latest trends in phishing, let us define it.
What is Phishing?
Phishing is one of the easiest and most common types of cyber attacks used by criminals and among the easiest to fall for as well. It is often used to steal user data such as login credentials, credit card numbers, and other personal information. The attacker, masquerading as a trusted entity, tricks a person into clicking on a link, opening a mail, or a WhatsApp message. Some links might be shortened which causes a challenge to know their legitimacy.
When the recipient clicks on the link, it may cause malware installation, hold your system hostage (ransomware attack), or reveal sensitive information caused by a vulnerability in the system.
Now that you know what phishing is, let us learn more about the latest phishing trends and ways to protect ourselves from them.
What is Spear Phishing?
Not all phishing attacks are based on ‘spray and pray’/random techniques where a long list of unknown recipients are targeted. Some cyber criminals rely on a more targeted and personal touch to attack their victims. In spear phishing, the attacker sends emails with the victim’s name, position, number, or other personal information.
The victim is tricked into clicking the URL or downloading the attachment and handing over their data. With the amount of personalization in crafting these attacks, it is no surprise that spear phishing is commonplace on various social media platforms like LinkedIn and Twitter.
How to avoid it?
To guard against spear phishing, organizations must conduct security awareness sessions and discourage their employees from putting sensitive or corporate information on social media.
In addition to that, companies must also invest in solutions that analyze inbound emails for certain known malicious links and email attachments. This measure is capable of picking up on indicators for both known malware as well as zero-day threats.
Also, organizations can invest in phishing simulation solutions to train employees on the best practices and show them first-hand what might happen when a phishing attack is performed.
What is Whaling?
A whaling attack, also known as whaling phishing, targets high-profile employees, such as the CEO or CFO of a company to get sensitive information. The attacker manipulates the victim into authorizing high-value wire transfers to the cyber criminal, thus conducting the attack.
Do you know why it is called whaling? It is termed coined due to the size of the attacks, and the whales are thought to be picked from a company as per their position or authority.
How to avoid it?
To avoid whaling attacks, check cautiously for suspicious email addresses and names. Review all the URLs you get in your inbox and see if anything is suspicious before clicking! It will greatly reduce your chances of being targeted by attackers. Also, try to prioritize raising cybersecurity awareness level in your organization.
Also, following the current procedures for all financial transfers done within your organization. You must also check other important transactions, for instance, forwarding sensitive information to other people outside your organization.
Smishing and WhatsApp Phishing
What is Smishing and WhatsApp Phishing?
Smishing (SMS Phishing) and WhatsApp Phishing is a cyber-attack that can harm you to great extents. Smishing uses a misleading text message to trick victims into falling into the trap. The attacker makes you believe that a trusted person or organization sends the message and then convinces you to take action that gives the attacker the desired information (for instance, the bank account login credentials).
We can say that it is a text-message based version of the email-based phishing scams. But they are trickier because people are less cautious for suspicious messages on their smartphones.
How to avoid it?
To avoid Smishing and WhatsApp Phishing, avoid clicking on any links you receive from unknown numbers. Do not reply to text messages asking about your finances. If you get an SMS saying, ” Dear user, congratulations, you have won….”, don’t fall into the trap. Also, check if the SMS is sent at an unusual time and check who sent it as the attacker might disguise themselves as your bank to trick you into performing certain tasks and providing them with your personal or sensitive information.
There are many different types of Phishing that cyber criminals perform to reach your private information, the most effective method for organizations and individuals to avoid falling victims to these scams is to raise their awareness about these types of attacks on a regular basis as attackers get more advanced with their methods as time goes by,
Think before you click!
Share this article:
Since the beginning of 2020 due to COVID-19 people have been social distancing and staying indoors as much as possible. Due to that the use of the Internet, E-commerce sites, and E-government operations have increased immensely and so have the attempts at phishing attacks. His Excellency Dr. Khaled bin Abdullah Al-Sabti, Governor of the Cybersecurity Authority, spoke during the opening of the Global Cybersecurity Conference on April 7th, 2021, about the high increase in phishing sites by about 300% and the importance of being aware. Below (Figure A-1 & A-2) we can see two different examples of Smishing Attacks during ...31st May 2021
Cyber-attacks come in a variety of formats and with the advancement of technology it continues to improve. Phishing is a common type of cyber-attack used by cyber criminals, and according to Proofpoint’s threat report, 75% of organizations experienced a Phishing attack in 2020 (Proofpoint 2021 state of the Phish report). Cyber criminals found a higher success rate in achieving their goals thorough email phishing rather than any other approach. This is due to the lack of awareness and knowledge on how to identify legitimate emails from fake ones. There are many ways that could help organizations in decreasing the numbers ...31st May 2021
Social engineers have found numerous approaches to exploit victims of their personal information. With the continuous increase of new cyber threats, society should be constantly informed and educated on how to distinguish and prevent them. Due to the direct interaction with the human user, social engineering is one of the most powerful methods of network penetration. Its success rate depends highly on the targeted individual’s knowledge and awareness. If they are oblivious of their tactics, then this makes the attacker’s job easy. Unfortunately, many fall for their schemes. Social engineering depends on human interactions and the flaws of humans. According ...29th Apr 2021
With the hit of the global pandemic and its effect on the world, cyber criminals took this to their advantage and capitalized on it. From the beginning of 2020, people’s lives changed drastically but especially employees and students. Online schooling and working from home are now the new norm and people needed to make this new adjustment while experiencing new threats and tactics from cyber criminals. Before the pandemic, cyber-attacks were a continuous issue for many but with more educational information on how to catch on to their tricks led to lower percentages of successful scams. But now, these criminals ...31st Mar 2021
Introduction: In the early days, Cybersecurity (then called IT Security or information security) used to be merely a username and password. If you ask to someone, they would say I have a username and password so I am safe. It wasn’t much of the internet at that time. Eventually, people have learned that password isn’t sufficient to protect their digital assets. So Antivirus (AV) software flourished and we saw a plethora of internet security solutions that revolve around AVs used to catch the known malicious code which was enough of a validation for the vendors. Again, fast forward a couple ...21st Jan 2021