If you have an email address, you have probably been targeted by a phishing scam. These scams are everywhere, and they take many different forms. And while your spam filter may stop most of them in their virtual tracks, some will inevitably slip through the cracks.
So, can you recognize the various forms of phishing? Do you know what to look for and how to protect yourself? Whether you are sitting in your cubicle at work or surfing your favorite sites at home, you need to be on the lookout for phishing in all its forms. Here are some of the most common types of phishing.
Untargeted Email Phishing
An untargeted, unsolicited email carrying a malicious link or attachment is the original form of phishing, and it is still the most common. Sending bulk email costs almost nothing, so this form of cybercrime will always be around.
In a typical untargeted phishing attack, the perpetrator writes one email and sends it to millions of addresses at random. Even if only a tiny percentage of recipients respond, the attacker deems the campaign a success.
Spam filters and internet service providers have become better at catching these messages, but no filter is perfect. Users still need to treat unsolicited email with caution, especially messages that claim to come from a bank or other financial institution, or from their own management. The first line of defense, for individuals and businesses alike, is to check the request with the organization or person who supposedly sent it, using a phone number or address you already have rather than one printed in the message, instead of clicking an embedded link. Hovering over a link to see where it really points, rather than trusting the text it displays, is a quick check that catches many of these messages.
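To make that link check concrete, here is an added example (not from the original article) that inspects the anchors in an HTML email body and flags the indicators a practitioner looks for: anchor text that shows one host while the href points to another, hosts given as raw IP addresses, punycode (IDN) hostnames, and domains that merely contain a trusted brand name without being part of it. The sample message, the `examplebank.com` brand and the other hostnames are all constructed for the example.

```python
"""Flag suspicious links in an HTML email body.

Added example, not from the original article. The sample message and
all domains below are constructed; `examplebank.com` stands in for the
brand the email claims to come from.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anchor text that itself looks like a URL or hostname (e.g. "www.examplebank.com").
URLISH = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased hostname of a URL or bare hostname, or None."""
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _belongs_to(host, domain):
    """True if host is domain itself or a genuine subdomain of it."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html_body, trusted_domains):
    """Return [(href, reason)] for every anchor that shows a phishing indicator."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        link_host = _host(href)
        if not link_host:
            continue
        text_host = _host(text) if URLISH.fullmatch(text) else None
        if text_host and not (_belongs_to(link_host, text_host) or _belongs_to(text_host, link_host)):
            findings.append((href, "displayed %s but points to %s" % (text_host, link_host)))
        elif _is_ip(link_host):
            findings.append((href, "raw IP address host"))
        elif link_host.startswith("xn--") or ".xn--" in link_host:
            findings.append((href, "punycode (IDN) hostname"))
        else:
            for trusted in trusted_domains:
                # "examplebank.com.evil.net" contains the brand but is not under it.
                if trusted in link_host and not _belongs_to(link_host, trusted):
                    findings.append((href, "lookalike of %s" % trusted))
                    break
    return findings


# Constructed sample: one clean link (www.examplebank.com) among four lures.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked.</p>
<p>Sign in at <a href="https://examplebank.com.account-verify.net/login">https://www.examplebank.com/login</a></p>
<p>Or use <a href="http://198.51.100.23/help">our support page</a>.</p>
<p>Our site: <a href="https://www.examplebank.com/">www.examplebank.com</a></p>
<p>Statement: <a href="https://xn--examplebnk-9yb.com/stmt">View statement</a></p>
<p>Please <a href="https://login.examplebank.com.cdn-assets.net/">update your details</a>.</p>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL, ("examplebank.com",)):
        print("%-55s %s" % (href, reason))
```

The text-versus-href comparison is deliberately lenient about subdomains (`www.examplebank.com` displayed for a link to `examplebank.com` is not flagged) and deliberately strict about the brand appearing as a prefix of some other registrable domain, which is the pattern the "locked account" lure above uses.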
Spearphishing
Traditional phishing takes a scattershot approach, sending out millions of malicious emails and hoping that a few random people take the bait. But attackers have found that random individuals are not always the most lucrative targets, and they have looked for ways to make their activities more profitable.
Enter spearphishing, a tightly targeted form of cybercrime that has ensnared CEOs at Fortune 500 companies, executive vice presidents and even politicians in the highest seats of power. Instead of casting a wide net and hoping for the best, the writers of spearphishing emails take a highly targeted approach, using social engineering and publicly available information to lure their victims, compromise corporate networks and steal company secrets.
A typical spearphishing scheme starts with basic research, such as finding the names of the CEO and other decision makers at the targeted company, along with the vendors, projects and colleagues they deal with. Using that readily available information, the attackers tailor each email to its recipient, and a single successful message can be enough to cause major damage.
Vishing
Not all phishing attacks come via email, and efforts to protect company resources should go beyond the data network. Vishing is a real danger, and one that corporations and IT managers should be aware of.
As the name implies, vishing is phishing conducted over the telephone instead of email, and it can take several forms. In a typical vishing attack, the caller contacts the targeted individual by phone, often posing as a trusted contact, a colleague from another company, a bank or an IT help desk. Caller ID can be spoofed, so the number on the display is no proof of who is calling.
Once the victim is on the phone, the caller will typically ask for private information, such as account numbers, passwords or one-time codes, or for trade secrets. In a personal vishing attack, the caller may claim to be a friend or relative in trouble and ask for money or other assistance. The safe response is the same as for email: hang up and call the organization or person back on a number you already know to be genuine.
Lateral Phishing
One of the newest arrivals on the phishing scene is lateral phishing, and it is particularly insidious. Its nature can make it difficult to detect until it is too late.
Like spearphishing, lateral phishing is highly targeted, but unlike spearphishing, the attack does not end with one highly placed individual. Lateral phishing is designed to spread, and the damage can occur very rapidly.
Lateral phishing starts from an account that has already been compromised. Rather than asking the victim to forward anything, the attacker uses the hijacked mailbox itself to send phishing messages, often a shared document or a link to one, to that person's colleagues, partners and customers. Each recipient who takes the bait hands over another account, which the attacker can use in turn, putting the entire company network at risk.
The insider nature of lateral phishing is what makes it so dangerous. By now most employees know not to respond to unsolicited requests for information, and executives are increasingly on the lookout for standard spearphishing. But lateral phishing is different: the message arrives from a genuine internal address, so it passes the sender checks that stop outside email and exploits the trust colleagues have for one another, turning that trust against the organization.
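Because the lure comes from a real internal account, sender-based filtering does not help here; what gives lateral phishing away is behaviour, typically one mailbox delivering the same link to many colleagues in a short burst. The following added example (not from the original article) runs that heuristic over a constructed outbound mail log. The log format, the `corp.example` domain, the addresses and the threshold of five distinct recipients within ten minutes are all assumptions made for the example.

```python
"""Spot lateral-phishing bursts in an outbound mail log.

Added example, not from the original article. A hijacked internal account
usually sends one lure link to many colleagues within minutes, so this
flags any internal sender that delivers the same URL to at least
`min_recipients` distinct internal recipients inside a sliding window.
The log format and every entry below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<iso timestamp> from=<sender> to=<recipient> url=<url>"
LOG_RE = re.compile(r"(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) url=(?P<url>\S+)")


def parse_log(lines):
    """Return [(timestamp, sender, recipient, url)] sorted by time; skip malformed lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["sender"].lower(),
                           m["rcpt"].lower(), m["url"]))
    return sorted(events)


def lateral_bursts(lines, internal_domain, min_recipients=5,
                   window=timedelta(minutes=10), allow_senders=()):
    """Return sorted [(sender, url, distinct_recipients)] for internal senders
    that pushed one URL to at least min_recipients colleagues within `window`."""
    internal = "@" + internal_domain.lower()
    allow = {s.lower() for s in allow_senders}
    by_key = defaultdict(list)  # (sender, url) -> [(ts, recipient)]
    for ts, sender, rcpt, url in parse_log(lines):
        # Only internal-to-internal mail matters for this pattern; external
        # senders are ordinary phishing and are handled by other controls.
        if sender.endswith(internal) and rcpt.endswith(internal) and sender not in allow:
            by_key[(sender, url)].append((ts, rcpt))

    alerts = []
    for (sender, url), hits in by_key.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({r for _, r in hits[start:end + 1]})
            best = max(best, distinct)
        if best >= min_recipients:
            alerts.append((sender, url, best))
    return sorted(alerts)


# Constructed log: alice sends a normal link twice, hr legitimately mails a
# benefits link to five people, carol's hijacked mailbox sprays one lure at
# six contacts (one external, one duplicate) in two minutes, and an outside
# address sends the same lure, which this heuristic deliberately ignores.
SAMPLE_LOG = """
2024-03-04T09:00:10 from=alice@corp.example to=bob@corp.example url=https://wiki.corp.example/roadmap
2024-03-04T09:20:45 from=alice@corp.example to=eve@corp.example url=https://wiki.corp.example/roadmap
2024-03-04T10:02:00 from=hr@corp.example to=bob@corp.example url=https://benefits.example.org/enroll
2024-03-04T10:02:01 from=hr@corp.example to=carol@corp.example url=https://benefits.example.org/enroll
2024-03-04T10:02:02 from=hr@corp.example to=dave@corp.example url=https://benefits.example.org/enroll
2024-03-04T10:02:03 from=hr@corp.example to=eve@corp.example url=https://benefits.example.org/enroll
2024-03-04T10:02:04 from=hr@corp.example to=frank@corp.example url=https://benefits.example.org/enroll
2024-03-04T11:30:00 from=carol@corp.example to=bob@corp.example url=https://share-docs.example.net/invoice
2024-03-04T11:30:12 from=carol@corp.example to=dave@corp.example url=https://share-docs.example.net/invoice
2024-03-04T11:30:25 from=carol@corp.example to=eve@corp.example url=https://share-docs.example.net/invoice
2024-03-04T11:30:31 from=carol@corp.example to=bob@corp.example url=https://share-docs.example.net/invoice
2024-03-04T11:31:02 from=carol@corp.example to=frank@corp.example url=https://share-docs.example.net/invoice
2024-03-04T11:31:40 from=carol@corp.example to=grace@corp.example url=https://share-docs.example.net/invoice
2024-03-04T11:32:05 from=carol@corp.example to=partner@vendor.example url=https://share-docs.example.net/invoice
2024-03-04T13:00:00 from=mallory@evil.example to=bob@corp.example url=https://share-docs.example.net/invoice
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.strip().splitlines()
    for sender, url, n in lateral_bursts(lines, "corp.example", allow_senders=("hr@corp.example",)):
        print("ALERT %s sent %s to %d colleagues" % (sender, url, n))
```

Run without an allowlist, the heuristic also fires on the HR mailing, which is the expected false positive for any bulk-sender detection; in practice you would allowlist known bulk senders or raise the threshold for them, and feed the remaining alerts to the team that can check whether the sender actually meant to send that link.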
Phishing attacks are everywhere, and they are always evolving. The people behind these scams are constantly looking for ways to make their attempts more successful, fine-tuning their messages to evade detection and get past existing defenses. If you do not want to get hooked, you need to take a proactive approach to protection, and that starts with knowing what to look for.