What type of phishing is over the phone?
Phishing attacks continue to play a dominant role in the digital threat landscape. In its 2021 Data Breach Investigations Report (DBIR), Verizon Enterprise found phishing to be one of the most prevalent action varieties for the data breaches it analyzed. Its researchers specifically observed phishing in more than a third (36%) of breaches, up from 22% a year earlier. Digital fraudsters show no signs of slowing down their phishing activity for the rest of the year, either. Help Net Security revealed that the volume of phishing attacks increased 22% compared to H1 2020. Of those campaigns, approximately half leveraged Office 365 as a lure (51%) or targeted accounts used for Single Sign-On (SSO) (45%).

The rise of phishing attacks poses a significant threat to organizations everywhere. It's important that all companies know how to spot some of the most common phishing scams if they are to protect their corporate information. It's also crucial that they are familiar with some of the most common techniques that malicious actors use to pull off these scams. Towards that end, let's discuss six of the most common types of phishing attacks and highlight some tips that organizations can use to defend themselves.

1. Deceptive Phishing

Deceptive phishing is the most common type of phishing scam. In this ploy, fraudsters impersonate a legitimate company to steal people's personal data or login credentials. Those emails use threats and a sense of urgency to scare users into doing what the attackers want.

Techniques Used in Deceptive Phishing

Vade Secure highlighted some of the most common techniques used in deceptive phishing attacks. These are as follows:

Examples of Deceptive Phishing Attacks

We've seen deceptive phishing campaigns make headlines in recent years. In July 2021, for instance, Microsoft Security Intelligence warned of an attack operation that used spoofing techniques to disguise its sender email addresses so that they contained target usernames and domains. The emails also used display names that mimicked legitimate services. Ultimately, the operation's emails used a SharePoint lure to trick recipients into navigating to an Office 365 phishing page.

On the heels of the U.S. Senate passing its $1 trillion infrastructure bill a month later, Inky spotted another phishing campaign in which malicious actors impersonated the U.S. Department of Transportation (USDOT). The attackers invited recipients to submit a bid for a USDOT-sponsored project by clicking an embedded button. The button redirected recipients to a website impersonating the Transportation Department that attempted to trick visitors into handing over their Microsoft credentials.

How to Defend Against Deceptive Phishing

The success of a deceptive phish hinges on how closely an attack email resembles official correspondence from the spoofed company. Acknowledging that fact, users should inspect all URLs carefully to see if they redirect to an unknown and/or suspicious website. They should also look out for generic salutations, grammar mistakes, and spelling errors.

2. Spear Phishing

Not all phishing scams embrace "spray and pray" techniques. Some ruses rely more on a personal touch, because they wouldn't be successful otherwise. That's the logic behind spear phishing schemes. In this type of ploy, fraudsters customize their attack emails with the target's name, position, company, work phone number, and other information to trick the recipient into believing that they have a connection with the sender. Yet the goal is the same as deceptive phishing: get the victim to click on a malicious URL or email attachment so that they'll hand over their personal data. Given the amount of information needed to craft a convincing attack attempt, it's no surprise that spear phishing is commonplace on social media sites like LinkedIn, where attackers can use multiple data sources to craft a targeted attack email.

Techniques Used in Spear Phishing

Provided below are some of the most common techniques used in spear phishing attacks:
Examples of Spear Phishing Attacks

At the end of May, Microsoft Threat Intelligence Center (MTIC) detected some attack emails that appeared to have originated from the U.S. Agency for International Development (USAID). The emails arrived with an authentic sender email address that matched the standard Constant Contact service. Using election fraud as a lure, the spear phishing emails tricked victims into clicking on a link that eventually redirected them to infrastructure controlled by NOBELIUM. That infrastructure then downloaded a malicious ISO file onto the victim's machine.

Several months later, The Hacker News reported on a spam campaign conducted by the APT-C-36 threat actor. Using attack emails disguised as official correspondence from Colombian government agencies, the threat actor tricked recipients into opening weaponized PDFs or Word documents. Those files contained shortened links that redirected recipients to a website hosting the BitRAT remote access trojan.

How to Defend Against Spear Phishing

To protect against this type of scam, organizations should conduct ongoing employee security awareness training that, among other things, discourages users from publishing sensitive personal or corporate information on social media. Companies should also invest in solutions that analyze inbound emails for known malicious links and email attachments. Such a solution should be capable of picking up on indicators for both known malware and zero-day threats.

3. Whaling

Spear phishers can target anyone in an organization, even executives. That's the logic behind a "whaling" attack. In these scams, fraudsters try to harpoon an exec and steal their login details. In the event their attack proves successful, fraudsters can choose to conduct CEO fraud. As the second phase of a business email compromise (BEC) scam, CEO fraud is when attackers abuse the compromised email account of a CEO or other high-ranking executive to authorize fraudulent wire transfers to a financial institution of their choice. Alternatively, they can leverage that same email account to conduct W-2 phishing, in which they request W-2 information for all employees so that they can file fake tax returns on their behalf or post that data on the dark web.

Techniques Used in Whaling

Whaling attacks commonly make use of the same techniques as spear phishing campaigns. Here are a few additional tactics that malicious actors could use:
Recent Examples of Whaling Attacks

Back in May 2016, Infosecurity Magazine covered Austrian aerospace manufacturer FACC's decision to fire its CEO. The supervisory board of the organization said that its decision was founded on the notion that the former CEO had "severely violated his duties, in particular in relation to the 'Fake President Incident.'" That incident appeared to have been a whaling attack in which malicious actors stole €50 million from the firm.

More than three years later, Lithuanian national Evaldas Rimasauskas received a prison sentence of five years for stealing $122 million from two large U.S. companies. As reported by Naked Security in December 2019, Rimasauskas staged whaling attacks in 2013 and 2015 against two companies by sending out fake invoices while impersonating a legitimate Taiwanese company. The Manhattan court that handed down the sentence also ordered Rimasauskas to serve two years of supervised release, forfeit $49.7 million, and pay $26.5 million in restitution.

How to Defend Against Whaling

Whaling attacks work because executives often don't participate in security awareness training with their employees. To counter the threats of CEO fraud and W-2 phishing, organizations should mandate that all company personnel—including executives—participate in security awareness training on an ongoing basis. Organizations should also consider injecting multi-factor authentication (MFA) channels into their financial authorization processes so that no one can authorize payments via email alone.

4. Vishing

Until now, we've discussed phishing attacks that for the most part rely on email. But fraudsters do sometimes turn to other media to perpetrate their attacks. Take vishing, for example. This type of phishing attack dispenses with sending out an email and places a phone call instead. As noted by Comparitech, an attacker can perpetrate a vishing campaign by setting up a Voice over Internet Protocol (VoIP) server to mimic various entities in order to steal sensitive data and/or funds. The FBI found that malicious actors used those tactics to step up their vishing efforts against remote workers in 2020.

Techniques Used in Vishing

Here are some common techniques used in vishing attacks:
Recent Examples of Vishing Attacks

In June 2021, Threatpost reported on a vishing campaign that sent out emails disguised as renewal notifications for an annual protection service provided by Geek Squad. The emails leveraged branding stolen from Geek Squad to instruct recipients to call a phone number. If they complied, recipients found themselves connected to a "billing department" that then attempted to steal callers' personal information and payment card details.

A couple of months later, the U.S. Attorney's Office in the Eastern District of Kentucky announced a prison sentence of 140 months for Romanian national Adrian Mitan, 36. This action followed Mitan's guilty plea to three separate charges. One of those charges traced back to a vishing scheme that targeted Americans.

How to Defend Against Vishing

To protect against vishing attacks, users should avoid answering calls from unknown phone numbers, never give out personal information over the phone, and use a caller ID app.

5. Smishing

Vishing isn't the only type of phishing that digital fraudsters can perpetrate using a phone. They can also conduct what's known as smishing. This method leverages malicious text messages to trick users into clicking on a malicious link or handing over personal information.

Techniques Used in Smishing

Webroot identified some techniques commonly used by smishers:

Recent Examples of Smishing Attacks

Security Boulevard warned in April 2021 that malicious actors were using smishing messages disguised as United States Postal Service (USPS) updates, FedEx shipment correspondence, and Amazon loyalty program rewards notices. Those messages redirected recipients to a landing page designed to steal their payment card information and other personal details.

Several months later, BankInfoSecurity reported on a smishing campaign in which attackers impersonated state workforce agencies. Malicious actors used those disguises to dupe recipients into clicking on links related to unemployment benefits. The links brought victims to pages designed to steal their sensitive personal information.

How to Defend Against Smishing

Users can help defend against smishing attacks by researching unknown phone numbers and by calling the company named in suspicious SMS messages if they have any doubts.

6. Pharming

As users become wiser to traditional phishing scams, some fraudsters are abandoning the idea of "baiting" their victims entirely. Instead, they are resorting to pharming. This method of phishing leverages cache poisoning against the domain name system (DNS), the naming system the Internet uses to convert alphabetical website names, such as "www.microsoft.com," to numerical IP addresses so that it can locate and thereby direct visitors to computer services and devices. In a DNS cache poisoning attack, a pharmer targets a DNS server and changes the IP address associated with an alphabetical website name. That means an attacker can redirect users to a malicious website of their choice, even if the victim enters the correct site name.

Techniques Used in Pharming

Included below are some pharming tactics identified by Panda Security:
Recent Examples of Pharming Attacks

All the way back in 2014, Team Cymru revealed that it had uncovered a pharming attack in December 2013. The operation affected over 300,000 small business and home office routers based in Europe and Asia. Ultimately, the campaign used man-in-the-middle (MitM) attacks to overwrite victims' DNS settings and redirect URL requests to sites under the attackers' control.

A year later, Proofpoint revealed that it had detected a pharming campaign targeting primarily Brazilian users. The operation used four distinct URLs embedded in phishing emails to prey upon owners of UTStarcom and TP-Link routers. Whenever a recipient clicked one of the URLs, the campaign sent them to a website designed to execute cross-site request forgery (CSRF) attacks against vulnerabilities in the targeted routers. Successful exploitation enabled malicious actors to perform MitM attacks.

How to Defend Against Pharming

To protect against pharming attacks, organizations should encourage employees to enter login credentials only on HTTPS-protected sites. Companies should also deploy anti-virus software on all corporate devices and apply virus database updates on a regular basis. Finally, they should stay on top of security upgrades issued by a trusted Internet Service Provider (ISP).

Conclusion

Using the guide above, organizations can spot some of the most common types of phishing attacks. Even so, that doesn't mean they will be able to spot every phish. Phishing is constantly evolving to adopt new forms and techniques. With that in mind, it's imperative that organizations conduct security awareness training on an ongoing basis so that their employees and executives can stay on top of phishing's evolution.

What type of phishing happens over the phone?

Smishing and vishing
With both smishing and vishing, telephones replace emails as the method of communication. Smishing involves criminals sending text messages (the content of which is much the same as with email phishing), and vishing involves a telephone conversation.
Which type of phishing is vishing?

Vishing, or voice phishing, involves a malicious caller purporting to be from tech support, a government agency or other organization and trying to extract personal information, such as banking or credit card information.
What type of phishing attack happens through SMS?

Smishing is an attack that uses text messaging or short message service (SMS) to execute the attack. A common smishing technique is to deliver a message to a mobile phone through SMS that contains a clickable link or a return phone number.
What are the 8 types of phishing?

What are the different types of phishing attacks?
- Spear phishing
- Whaling
- Smishing
- CEO fraud
- Vishing
- Pretexting
- Angler phishing
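As an added example that is not part of the original article, the Python script below applies the inbound-email checks the deceptive and spear phishing sections describe: a spoofed sender address built from the target's own username and domain, a display name that mimics a legitimate service, a link whose visible text names a different host than its href, a generic salutation, and urgency language. The message it scores is constructed for illustration, and the brand watch list is a hypothetical placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, not an artifact of any real campaign: the sender local part
# embeds the recipient's username and domain, the display name imitates a file-
# sharing service, and the visible link text names a different host than the href.
SAMPLE = """From: "SharePoint Online" <jdoe.example.com@mail.attacker.example>
To: jdoe@example.com
Subject: Action required: document shared with you

Dear user,
Your account will be suspended unless you review the file immediately:
<a href="https://login-office365.attacker.example/auth">https://example.sharepoint.com/shared/doc</a>
"""
BRANDS = ("sharepoint", "office 365", "microsoft", "onedrive")  # hypothetical watch list
URGENCY = ("immediately", "suspended", "action required", "urgent", "within 24 hours")
GENERIC = ("dear user", "dear customer", "dear account holder", "dear sir/madam")
ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host(url):
    return (urlparse(url.strip()).hostname or "").lower()

def phishing_indicators(raw):
    """Return the names of the indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    display, sender = parseaddr(msg.get("From", ""))
    rcpt_user, _, rcpt_domain = parseaddr(msg.get("To", ""))[1].lower().partition("@")
    local, _, sender_domain = sender.lower().partition("@")
    found = []
    # Spoofed sender address assembled from the target's own username and domain.
    if rcpt_user and rcpt_domain and rcpt_user in local and rcpt_domain.split(".")[0] in local:
        found.append("sender_embeds_recipient")
    # Display name claims a known service, but the sending domain is unrelated to it.
    if any(b in display.lower() for b in BRANDS) and not any(b.replace(" ", "") in sender_domain for b in BRANDS):
        found.append("display_name_mimics_service")
    # Visible link text shows one host while the href actually points to another.
    if any(l.strip().startswith("http") and host(l) != host(h) for h, l in ANCHOR.findall(body)):
        found.append("link_text_href_mismatch")
    if any(g in text for g in GENERIC):
        found.append("generic_salutation")
    if any(u in text for u in URGENCY):
        found.append("urgency_language")
    return found

def is_suspicious(raw, threshold=2):
    """Flag a message once at least `threshold` independent indicators co-occur."""
    return len(phishing_indicators(raw)) >= threshold
```

The threshold keeps a single weak signal (one urgent word in a legitimate reminder) from flagging a message on its own; tune it against your own mail flow.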