6 Tricks Phishers Use to Trick Your Employees And How to Remain Safe
Join the DZone community and get the full member experience.Join For Free
It doesn’t matter how small or big your organization is, you can potentially be the victim of the next phishing attack. Serious financial implications and a dent in reputation and customer base are just a few consequences any organization can face. Phishing attacks can cost your company confidential data through emails, malware, VoIP, text, and other communication channels available.
Statistics prove that phishing is real, and organizations are falling prey to it. Verizon’s 2019 Data Breach Investigations Report shows that almost one-third of the data breaches in 2018 were cases of phishing. Email is the carrier of 90% of infectious software and malware. Every month almost 1.5 million spoof websites are created by phishers.
Phishing attempts are rising, and phishers are implementing new techniques to target various business entities, regardless of their size.
Being future-ready is very important for any business across the globe. Tackling known dangers is easier than preparing for a surprise attack. Here is my list of six tricks that phishers use to compromise your data and security.
You may also like: Evolution of Phishing: Spear Phishing and Whaling Scams Explained.
1. Deceptive/Cloned Phishing
This is also known as traditional phishing and is the most common type of phishing that cybercriminals use to dupe employees. The phisher impersonates another person to acquire critical information or login credentials. The impersonator pretends to be a known person or a representative from a credible organization.
There are two ways this phishing is carried out:
- The phisher claims to be an official of a reliable and renowned company in an email to the victim, asking for critical information.
- An email is sent to the prospective victim with a link to a malicious site. The phisher manipulates the link and waits for the victim to open it. If the victim falls into the trap of typing in certain information, the phisher can take advantage of it.
2. Malware-Based Phishing Technique
This technique encompasses downloading and running infectious software on the victim’s computer. Malware can be sent through an email, downloaded from a website, or manipulated in susceptible networks.
This phishing technique aims at getting the victim to download email attachments, which then:
- Infects data files and causes them to be corrupted.
- Releases ransomware.
- Steals a contact list to launch more sophisticated phishing campaigns.
- Enables a malicious application, such as a keylogger.
Small business owners are at a greater risk because of their dependence on free and freemium software and a lack of staff training.
A good solution is to define a process around email attachments and then bar the installation of any program without the involvement of IT personnel.
3. Spear Phishing
Phishing attacks that target individuals have come to be known as “spear phishing.” Unlike traditional techniques, applied to random individuals, this attack is well planned to be executed on selective groups and specific organizations.
Email outreach services, such as Hunter.io and, although a boon for marketers, have made it possible for cyber-criminals to identify top executives’ email addresses easily.
For instance, phishers will identify a target and gather all information about the victim through various reliable sources. They will use hoax addresses to send emails that could credibly look like a manager or co-worker sent them. The email could request an immediate bank transfer for a large amount of money. Or maybe ask for critical details to access financial data.
The surprising part of this technique is the authenticity of the sender seems to be real. The planning of this attack is such that typically the attack is executed when the victim is expecting the email from the impersonated source.
This technique is quite similar to spear phishing, however, a step ahead of it. Spear phishers can target any employee in the hierarchy, but whaling phishers only target high-level executives.
Senior management impersonation is used in whaling attacks to acquire critical data or financial transactions.
Hackers use the following techniques to accomplish a whaling attack:
- Extract information from social media platforms, as well as public company information available.
- Deploy rootkits, malicious software, or viruses to intrude the network.
- Email spoofs from higher authorities of the organization.
An email from a chairman or a CEO is better suited to get any job done quickly and without any questions asked or eyebrows raised.
To avoid your organization’s top bosses from falling for this advanced phishing technique, your training and awareness programs need to be super strong.
5. Vishing Phishing Technique
This trick is an amalgamation of voice with phishing. Vishers spoof fake caller IDs using Voice Over Internet Protocol (VOIP) instead of regular phone numbers. They use social engineering to instill fear, urgency, and manipulation to fool people into giving up vital information about the organization they work for.
Vishing is generally carried out in conjunction with other malware attacks, as has been observed in the new vishing attack targeted at Korean bank clients. The Fakebank malware app can detect calls being made to banks’ customer support, redirect them to scammers, and expose the caller to vishing attacks.
Many other organizations have reported vishing attacks where generic messages such as: "Your account has been compromised. Please call this number to reset your password."
Phishers employ tools to redirect traffic to fake websites, which may seem like a real website to the victims. This technique is referred to as Pharming. Usually, pharming phishers attack online banking and e-commerce websites as easy victims.
Pharming occurs when:
- Phishers detect glitches in domain name server (DNS) software.
- Host files are rearranged on targeted systems.
- Systems/Networks lack security administration.
In recent times, routers and host files have become the new favorites for Pharming infestations.
However, if steps are taken beforehand, router threats can be thwarted by selecting reliable DNS instead of the automatically suggested one, as hackers are more likely to choose a DNS under the admin’s control vis-à-vis a legitimate one.
The most suitable solution is to stop phishing attempts before they start, as prevention is always better than cure. Therefore, to protect and safeguard your critical data from getting phished, you must have information on the gaps in your organizational security structure. Real-time visibility of attacks that your organization might face, is the way forward.
Tools such as help, as the software, applies multiple levels of filtering to each DNS request, foiling pharming attempts in the process.
Every business needs a platform that automatically detects and escalates attacks that need the attention of the security team.
There are several solutions to fight back phishing attacks if your employees are alert and aware. Install protective software, but train your employees not to fall into traps jeopardizing the safety of the organization and its customers.
Opinions expressed by DZone contributors are their own.