A dissection of the major phishing attack types and the paths to guarding against them
by Scott Lewis
October 10, 2019

In today’s connected world, there is a need for collaborative software and services, but these resources could be exposing you to phishing attacks. Couple the need for collaboration with the need for immediate access to data, then add the human factor, and you have all the dynamics for a robust phishing attack. The following are different types of phishing scenarios and how they each target specific people and processes.

  • Spear phishing—A targeted attack on a group of email addresses harvested from social media or from email lists purchased from trade shows, conferences, online newsletters or other organizations and companies; the address-holders supplied these addresses themselves when they signed up for a service of some kind
  • Whaling—A focused email attack, typically on high-profile individuals, which could include C-suite individuals, such as chief financial officers, chief information officers or chief operating officers
  • Smishing—An attack via short message service (SMS) focused primarily on mobile devices and conducted via text messaging
  • Content injection phishing—An attack in which phishers insert malicious code or misleading information into emails or websites, encouraging people to input user credentials and password information or perform other activities, such as transfer of funds
  • Man-in-the-middle phishing—An attack in which phishers position themselves between people and the legitimate websites they use, such as social or banking sites; it is difficult to detect because the attacker typically lets the transaction continue and does not create any disruption

Getting Started

So, how can you start a plan to protect yourself and your business? According to Gillware’s data recovery and digital forensics experts, the following are some primary steps to take. 

  • Consider compliance—In almost every industry, there are federal and state compliance measures that you have to consider. Regulations like the General Data Protection Regulation (GDPR), which is already in effect, apply to any company that processes the personal data of European Union citizens, even if those citizens live in the United States.
  • Create an incident response plan—The incident response plan should outline how your company is going to respond in the event that a breach is suspected or confirmed. The program should describe the roles and responsibilities of senior executives because they will likely be the point of contact for coordination and information dissemination. Who will talk to the press (if necessary)? Who will be responsible for the collection or remediation processes and damage control? Your response plan can also outline how those remediation and confirmation steps are going to be addressed and implemented. 
  • Use blockchain and artificial intelligence—Consider ways to make yourself less of a natural target. You can do this by keeping your security devices and software up to date. With scammers using increasingly intelligent and speedy methods to gain access, using artificial intelligence (AI) to look for patterns and analyze risks is becoming more and more critical to overcome emerging threats. For instance, Bandura’s Threat Intelligence Gateways, which block known internet protocol (IP) and domain threats, are a good example of how AI can bolster your security.
  • Protect your email system—Email systems continue to be the favorite spot for phishing attacks and other malware, such as cryptoviruses and ransomware. In systems like the Microsoft Office 365 E5 plan, users can take advantage of the anti-phishing option in the security and compliance center; the user portal provides instructions on how to configure it for your application. In-house systems also have many tools to choose from—companies like Symantec, Barracuda and many others offer advanced phishing detection and prevention features. Remember: No single device will protect you. Security is a layered approach with many nets to trap emerging threats.
  • Stop data breaches before they start—This begins with good employee policies and ongoing training for employees to identify those who may be more susceptible to phishing and security attempts. Also be proactive in keeping your systems up to date. 

Spotting a Scam

When you have updated systems, new firewalls, advanced threat detection and antivirus protection in place, but you still become a victim of a phishing scam, you’re left to wonder, “How can this be happening?” According to Protected Trust, a cloud security and productivity company, here are some things you can watch for:

  • Are you familiar with the sending address?—Take the time to read the email address. One way to spot small, subtle changes is to read the email address backward. It might sound funny, but it makes your brain stop and think about what you are actually reading, instead of seeing what it expects to see. Other questions to ask: Do you know this person? Have you ever exchanged emails with them before? Are they asking you to do something outside of the norm or expected? If it seems fishy, don’t hit “Reply” or “Reply All”; instead, type the address you know to be correct into the “To” or “CC” field yourself.
  • Are there misspellings?—Several spelling errors in the email address and the body of the email are warning signs. Turn on spell check to ensure that the message is highlighting these spelling errors.
  • Is there a high sense of urgency?—If the sender is insisting that you have to act now, this elevated sense of urgency should be a red flag. Remember: The lifespan of a phishing site is only 15 hours, so things must happen quickly. 
  • Is the scammer trying to direct you to a new URL?—If the message says, “Visit this link and input your username and password,” it’s a red flag. Instead of clicking on the link, use Google to look up the URL. You can also hover your mouse over the link, and it will show you the fully qualified address of where you would be directed if you clicked on it. On mobile devices, you can use a light touch to see the fully qualified address. The risk here is that if you press too hard, you will be directed to the phishing site. Always remember that your bank, the Internal Revenue Service and other government agencies will not contact you directly via email.
  • Does the URL feature a closed lock?—Make sure that the URL line features the image of a closed lock or begins with “https://.” Specifically, the “s” indicates this is a secured connection. Also, your browser may put a circle with a red “x” or a slash through unsecure URLs. Keep in mind that the lock only means the connection to the site is encrypted, not that the site is legitimate; a phishing site can use HTTPS too, so this check is necessary but not sufficient.
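Several of the checks above can be applied automatically during mail triage. The following Python is an added example (not code from the article or from Protected Trust) that runs the sender-address, link-target, HTTPS and urgency checks over a constructed sample message; the known-sender list, the urgency phrases, the homoglyph table and the sample message are all assumptions made for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not from the article): a lookalike sender domain, a link
# whose visible text differs from its real target, and urgent wording.
SAMPLE = {
    "from": "Accounts <accounts@paypa1-secure.com>",
    "body_html": ("<p>Your account will be suspended. Act now!</p><p>Visit "
                  '<a href="http://paypa1-secure.com/login">https://www.paypal.com</a>'
                  " and input your username and password.</p>"),
}
KNOWN_DOMAINS = {"paypal.com", "example.com"}  # assumed: senders you already know
URGENCY = ("act now", "immediately", "suspended", "within 24 hours")  # assumed list
HOMOGLYPHS = str.maketrans("0135", "oles")  # undo common digit-for-letter swaps
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def lookalike(domain):
    """Return the known domain this one imitates, or None.

    Mirrors the 'read the address carefully' check: paypa1-secure.com
    normalises to paypal-secure, which contains the known label 'paypal'.
    """
    if domain in KNOWN_DOMAINS:
        return None
    label = domain.split(".")[0].translate(HOMOGLYPHS)
    return next((k for k in KNOWN_DOMAINS if k.split(".")[0] in label), None)

def flag_message(msg):
    """Run the checklist over one message and return the reasons it looks fishy."""
    match = re.search(r"@([\w.-]+)", msg["from"])
    domain = match.group(1).lower() if match else ""
    reasons, imitated = [], lookalike(domain)
    if imitated:
        reasons.append(f"sender domain {domain} imitates {imitated}")
    # Each anchor gives (real target, visible text): what hovering would reveal.
    for href, text in ANCHOR.findall(msg["body_html"]):
        if urlparse(href).scheme != "https":  # no closed lock
            reasons.append(f"link without https: {href}")
        if host_of(text) and host_of(text) != host_of(href):
            reasons.append(f"link text shows {host_of(text)} but goes to {host_of(href)}")
    plain = re.sub(r"<[^>]+>", " ", msg["body_html"]).lower()
    reasons += [f"urgency phrase: {p}" for p in URGENCY if p in plain]
    return reasons
```

A message that trips none of the checks returns an empty list; anything returned is a reason for a human to look closer, not proof of phishing.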

All of these steps are important; however, the real weakness is in human conditioning. As such, it is essential to communicate and train employees on the risks of phishing, how it happens and what they can do to be aware of the dangers. Several products allow you to test your employees with fake phishing attempts. These will help you identify who within your employee base is likely to fall prey.