Watch out, phishing is booming! Security checklist to the 6 most common methods

The latest "APWG Phishing Activity Trends Report" for Q2 2022 presents alarming figures showing that attackers' methods are becoming ever more resourceful and sophisticated. That's why we're using European Cybersecurity Month in October to once again draw attention to this growing threat.

The majority of phishing attacks can be attributed to six different methods; below are tips and information on how best to protect yourself against each of them.

1. Deceptive Phishing

Deceptive phishing is the most common type of phishing attack. This variant refers to e-mails that appear to come from a known sender and prompt you to take action. A very common pretext is a reference to important files that you can download via a link, which then takes you to a fake login page (e.g. a fake SharePoint login page). Other pretexts include verifying an account, re-entering credentials or passwords, or a request for payment. If this information is provided, attackers can access your accounts and misuse the personal information associated with them.

How to protect yourself:

  • Check the domain name in particular for homograph attacks. Many different characters look identical, e.g. when the Latin "a" is replaced by a Cyrillic "а": it looks the same, but leads to a fake website
  • Check the spelling in the e-mail
  • Watch out for links or redirects when the page loads
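The homograph check from the first tip can be automated: the following added example (not code from the original post) inspects a hostname for labels that mix Unicode scripts or contain Cyrillic letters that render like Latin ones, and shows the punycode form a resolver actually looks up. The lookalike table is a constructed, non-exhaustive list, and the test names are constructed examples.

```python
import unicodedata

# Cyrillic letters that render almost identically to Latin letters in most fonts.
# Constructed lookup for this example; it is not exhaustive.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",
}


def scripts_in_label(label):
    """Return the set of Unicode scripts (LATIN, CYRILLIC, GREEK, ...) used by the letters of one DNS label."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            # The first word of the character name is its script, e.g. 'CYRILLIC SMALL LETTER A'.
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def check_domain(domain):
    """Inspect a hostname as shown in a link or address bar.

    Returns (findings, ascii_form): a list of human-readable warnings (empty when
    nothing suspicious was found) and the ASCII/punycode form of the name that the
    resolver would actually look up.
    """
    domain = domain.strip().lower().rstrip(".")
    findings = []
    for label in domain.split("."):
        scripts = scripts_in_label(label)
        if len(scripts) > 1:
            findings.append(f"label '{label}' mixes scripts: {', '.join(sorted(scripts))}")
        if any(ch in CYRILLIC_LOOKALIKES for ch in label):
            spoofed = "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)
            findings.append(f"label '{label}' contains Cyrillic letters that look like Latin '{spoofed}'")
    # The stdlib IDNA codec turns non-ASCII labels into xn-- punycode labels.
    ascii_form = domain.encode("idna").decode("ascii")
    if "xn--" in ascii_form:
        findings.append(f"name resolves as punycode: {ascii_form}")
    return findings, ascii_form


if __name__ == "__main__":
    # Constructed test names: plain Latin, and Latin with one Cyrillic 'а' (U+0430) in place of 'a'.
    for name in ("paypal.com", "p\u0430ypal.com"):
        findings, ascii_form = check_domain(name)
        print(name, "->", ascii_form, "OK" if not findings else findings)
```

Browsers apply similar mixed-script rules before deciding whether to display a name in Unicode or as punycode, so the punycode form is the one to compare against the site you expect.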

2. Spear Phishing

Spear phishing is a more sophisticated version of deceptive e-mail phishing and is often the result of a previous data breach. Usually, some e-mail accounts were compromised beforehand. The attacker then has an address book and the corresponding e-mail traffic, and thus knows many more details about you. These are used to craft targeted spear phishing e-mails: for example, your full name, job title and other professional details are often used to feign an existing relationship. The goal of this phishing variant is the same as above: misuse of the personal information associated with your account.

Here's how to protect yourself:

  • Always keep your security software up to date
  • Remember to check links and think twice before clicking
  • Conduct regular employee training on the topic of social engineering

3. Whaling / CEO fraud

Whaling attacks aim to get a fraudulent money transfer executed, allegedly on the orders of the CEO. The CEO's actual e-mail address is not necessarily required, as attackers often only need the display name in the sender field to look right. The victim, usually an employee, thus receives an e-mail purporting to come from the CEO asking them to initiate or approve a fraudulent wire transfer.

How to protect yourself:

  • Regular training on social engineering – including for managers
  • Awareness measures & internal communication
  • Multi-factor authorization processes for financial transfers
  • Implementation of technical standards for the Sender Policy Framework (SPF)
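The last tip refers to SPF, which lets a domain owner publish in DNS which IP addresses may send mail for that domain. The following added example (not code from the original post) is a minimal SPF evaluator run against constructed TXT records for reserved example domains, so it works offline; note that SPF checks the envelope-sender domain against the sending IP and says nothing about the display name that a whaling e-mail forges, so it is one layer among the others listed above.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups, so the example runs offline.
# The domains are reserved example names, not real mail infrastructure.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, records, depth=0):
    """Evaluate a deliberately minimal SPF policy for the envelope-sender domain.

    Supports the ip4, ip6, include and all mechanisms with their qualifiers and
    returns one of 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    """
    if depth > 10:  # guard against include loops
        return "permerror"
    record = records.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # no SPF policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without an explicit qualifier means 'pass' on match
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        if mechanism in ("ip4", "ip6"):
            # Membership is False when the IP version does not match the network.
            if ip in ipaddress.ip_network(argument, strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif mechanism == "include":
            # include matches only when the referenced policy yields 'pass'.
            if spf_check(argument, sender_ip, records, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term present


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.10", "203.0.113.5"):
        print(ip, "->", spf_check("example.com", ip, FAKE_TXT))
```

A receiving mail server that gets "fail" for 203.0.113.5 can reject or quarantine the message; without a published policy every sender IP yields "none" and the check offers no protection at all.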

4. Vishing

While phishing attacks via e-mail are the best known, vishing calls are becoming increasingly common. These calls are often made via voice-over-IP, and the attackers pose as a reputable organization, e.g. your credit card company or bank, in order to obtain information. To build trust, the attacker uses various details such as your name and the location of your bank or credit institution. The attacker then tells you, for example, that your account has been locked and that you need to give them your password and payment information to unlock it.

Here's how you can protect yourself:

  • Don't give out personal information or passwords over the phone
  • Be extra vigilant when receiving calls from unknown numbers
  • Avoid saying the word "yes" on the phone, because an attacker could record it and use it against you

5. Smishing

So-called smishing is also carried out over the phone. Smishing involves sending text messages (SMS) asking users to click on a malicious link or provide personal information. Some of these smishing attacks target Android users: after clicking the link, the user is offered an app download, and this app is malware.

Here's how you can protect yourself:

  • Research numbers you do not know
  • If you are unsure, inform your wireless carrier that you are receiving such messages. Some are actively developing mechanisms to filter out smishing messages

6. Pharming

Pharming is another method attackers use to manipulate users on the Internet, by redirecting them to fake websites. This is done by manipulating the DNS (Domain Name System) so that the redirection happens without the user's knowledge. Attackers can use an e-mail-borne virus to tamper with the user's local DNS cache, or even manipulate entire DNS servers so that every user of the affected server is redirected to the wrong website. Although most DNS servers have security measures in place to protect against such attacks, attackers still find ways to gain access to them.

This is how you can protect yourself:

  • Use anti-virus and anti-malware security software with browser monitoring
  • Make sure you are using a secure web connection (https)

With this brief overview, you'll know what the most common methods look like and can therefore prepare countermeasures to avoid falling for the aforementioned phishing methods. In any case, it is important to provide ongoing phishing training and awareness to all employees and managers of a company. Please note that this list is by no means exhaustive and only a comprehensive security concept for all areas of the company can offer protection against phishing and data misuse.
