In our last post, we began this new series and introduced you to the concept of phishing. In this blog, we’ll discuss phishing in a bit more detail—expanding on phishing threat vectors, and the forms the threats may take.
Phishing. It’s been around for nearly three decades, and it’s not going away anytime soon. The only thing that has changed over the years, is cybercriminals are becoming significantly craftier in their skills—claiming victim after victim as they steal the most precious Personally Identifiable Information (PII) and corporate information. And, as we move into the 2020’s, phishing has expanded from a simple “you’ve inherited $1M USD, please wire [insert amount here] so we can forward the bank draft,” to a variety of different techniques. There are essentially two main purposes of phishing: To get the victim to download malware, and to obtain private and important credentials.
Here, phishy, phishy…
Although phishing campaigns generally use email as the main threat vector to grab your PII or gain entry to your network, there are other common ways of entry, such as web, mobile, and networks. However, no matter how many different threat vectors phishing can use to steal pertinent information, the results are the same: Deception. And it’s not always a “simple” malware installed on your laptop. A successful phishing campaign can cause permanent damage to a brand, ending up with massive financial and reputation loss for the business.
If the attack is on one person, or a conglomerate, the main threat of phishing is social engineering. With this technique, there are two popular threat types used to steal information: fraudulent URLs and malicious attachments.
Setting the hook with the bait
A popular version of this phishing game is an email that appears to be a direct message from a major financial institution. In this case, the cybercriminal will spam a message to millions of people—knowing that some will take the bait. The goal: to get the user to give up a username and password.
Once the unassuming victim clicks on a legitimate-looking URL provided in the email, they are taken to a website that looks just like the institution’s landing page; however, THIS site is infected with malware. The user will enter their login credentials—and the rest? Well, it’s identity theft that has gifted the cybercriminal access to your account.
Like the majority of spam emails, the goal of most phishing emails is to get the victim to infect their own computer with malware. “Soft targeted” email is often the vessel for malicious attachments—for instance, an email may be sent to an HR employee with a .pdf of a job seeker’s resume. In actuality, the resume is an attachment that contains embedded ransomware or malware. In these instances, the infection that this phish brought can now spread from PC to other networked devices—including the cloud. It is purported that 88 percent of phishing emails contain ransomware attachments, according to Proofpoint’s “2020 State of the Phish Report.”
Other Types of Phishing
With phishing attacks, the more people the attack affects, the better. But some phishing attacks aim to get login information or infect the computers of a specific target. This act is known as “spear phishing.” In these cases, cybercriminals dedicate more time and energy into an attack because the reward is much higher. Spear phishing attacks involve more research, an infrastructure, and a targeted attack that results in the pilfering of critical information that can be utilized to breach a much larger system or account.
A front-and-center example of spear fishing is in the U.S. Public Sector. The Department of Energy has dealt with a handful of spear-fishing attacks over recent years, and has recently stated that our energy infrastructure “has become a primary target for hostile cyber actors.”
Whaling is yet another type of phishing, but is directed at the proverbial “big fish”, i.e., a CEO, company board member, or other high-ranking person. Requiring more detailed research, and a more robust amount of information, these phishing strategies take more time, but they typically have a large payoff.
Note that there are several other different types of phishing, including clone, BEC (business email compromise), vishing, and snowshoeing.
This post should have given you some good insight into phishing, and the types of threats phishing poses. Next, we’ll discuss how you can protect yourself and your organization from these attacks.