At this year’s RSA Conference, Tripwire conducted a study in which it asked 200 security professionals to weigh in on the state of phishing attacks.
More than half (58 percent) of respondents said their organizations had experienced an increase in phishing attacks in the past year. Despite that increase, most companies didn’t feel prepared to protect themselves against phishing scams. Indeed, a slim majority (52 percent) said they were “not confident” in their executives’ ability to spot a phishing scam.
The increase in phishing attempts in both frequency and sophistication, as noted by Verizon in its 2016 Data Breach Investigations Report, poses a significant threat to all organizations. It’s important that all companies learn how to spot some of the most common phishing scams if they are to protect their corporate data.
With that in mind, I will use a guide developed by CloudPages to discuss six common phishing attacks: deceptive phishing, spear phishing, CEO fraud, pharming, Dropbox phishing, and Google Docs phishing. I will then offer some useful tips on how organizations can protect themselves against these phishing scams.
1. DECEPTIVE PHISHING
The most common type of phishing scam, deceptive phishing refers to any attack in which fraudsters impersonate a legitimate company and attempt to steal people’s personal information or login credentials. These emails frequently use threats and a sense of urgency to scare users into doing the attackers’ bidding.
For example, PayPal scammers might send out an attack email that instructs recipients to click on a link in order to rectify a discrepancy with their account. In actuality, the link leads to a fake PayPal login page that collects a user’s login credentials and delivers them to the attackers.
The success of a deceptive phish hinges on how closely the attack email resembles a legitimate company’s official correspondence. As a consequence, users should inspect all URLs carefully to determine whether they redirect to an unknown site. They should also look out for generic salutations, grammar errors, and spelling errors scattered throughout the email.
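The URL checks recommended above can be automated for a mail gateway or a triage script. The following Python example is added here and is not part of the original article or any Tripwire tool: it extracts every link from an HTML message, compares the domain shown in the link text with the domain the link actually points to, flags non-HTTPS links, raw IP hosts and user-info tricks in the URL, and looks for generic salutations. The sample message and the look-alike domain in it are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Salutations that a company writing to a real customer would normally not use.
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear account holder", "valued customer")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name; a rough stand-in for a public-suffix lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_link(href, text):
    """Return a list of reasons this link deserves a second look (empty if none)."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme and parts.scheme != "https":
        findings.append(f"non-HTTPS link: {href}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append(f"link points at a raw IP address: {host}")
    if "@" in parts.netloc:
        findings.append(f"user-info in the URL hides the real host: {parts.netloc}")
    # Visible text that looks like a domain or URL but leads to a different registrable domain.
    shown = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append(f"display text says {shown.group(1)} but the link goes to {host}")
    return findings


def inspect_email(html_body):
    """Run the salutation and link checks over one HTML message."""
    parser = LinkExtractor()
    parser.feed(html_body)
    visible = re.sub(r"<[^>]+>", " ", html_body).lower()
    findings = [f"generic salutation: '{s}'" for s in GENERIC_SALUTATIONS if s in visible]
    for href, text in parser.links:
        findings.extend(inspect_link(href, text))
    return findings


# Constructed sample message (not a real campaign); the look-alike domain is fictional.
SAMPLE_EMAIL = """<html><body>
<p>Dear Customer,</p>
<p>We noticed a discrepancy with your account. Please verify within 24 hours:</p>
<p><a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/myaccount</a></p>
<p>Thank you, <a href="https://www.paypal.com/help">PayPal Help</a></p>
</body></html>"""

if __name__ == "__main__":
    for finding in inspect_email(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the sample, the script reports the generic salutation, the plain-HTTP link, and the mismatch between the PayPal address shown to the reader and the fictional domain the link really opens; the genuine help link produces no finding. The two-label domain approximation is deliberately simple and would need a public-suffix list for names like `example.co.uk`.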
2. SPEAR PHISHING
Not all phishing scams lack personalization – some use it quite heavily.
For example, in spear phishing scams, fraudsters customize their attack emails with the target’s name, location, company, work telephone number and other information in an attempt to trick the recipient into thinking that they have a connection with the sender.
The goal is the same as in deceptive phishing: lure the victim into clicking on a malicious URL or email attachment so that they will hand over their personal information.
Spear phishing is especially commonplace on social media websites like LinkedIn, where attackers can use multiple sources of information to craft a targeted attack email.
To protect against this type of scam, organizations should conduct ongoing employee security awareness training that, among other things, discourages users from publishing sensitive personal or corporate information on social media. Organizations should also invest in solutions that are capable of analyzing inbound emails for known malicious links and email attachments.
3. CEO FRAUD
Spear phishers can target anyone in an organization, even top executives. That’s the logic behind a “whaling” attack, in which fraudsters try to harpoon an executive and steal their login credentials.
If their attack proves successful, fraudsters can proceed to conduct CEO fraud, the second stage of a business email compromise (BEC) scam in which attackers impersonate an executive and abuse that individual’s email to authorize fraudulent wire transfers to a financial institution of their choice.
Whaling attacks work because executives often don’t take part in the security awareness training provided to their employees. To counter that threat, as well as the risk of CEO fraud, all company personnel – including executives – should undergo ongoing security awareness training.
Organizations should also consider amending their financial policies so that no one can authorize a financial transaction via email.
4. PHARMING
As users become more savvy to traditional phishing scams, some fraudsters are abandoning the idea of “baiting” their victims entirely. Rather, they are resorting to pharming – a method of attack that stems from domain name system (DNS) cache poisoning.
The Internet’s naming system uses DNS servers to convert alphabetical website names, such as “www.microsoft.com,” to numerical IP addresses used for locating computer services and devices.
In a DNS cache poisoning attack, a fraudster targets a DNS server and changes the IP address associated with an alphabetical website name. That means an attacker can redirect users to a malicious website of their choice, even if the victims entered the correct site name.
To protect against pharming attacks, organizations should encourage employees to enter login credentials only on HTTPS-protected websites. Organizations should also run anti-virus software on all corporate devices and implement virus database updates, along with security upgrades issued by a trusted Internet Service Provider (ISP), on a regular basis.
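The HTTPS advice works because a browser does not trust a server merely for answering at the IP address DNS returned; it also checks that the certificate the server presents is issued for the name the user typed. The Python example below is added here and is not from the original article: it implements certificate host name matching in the style of RFC 6125 (exact match or a single-label leftmost wildcard) and runs a simulated connection through an honest and a poisoned resolver. The IP addresses, the attacker's host name and the certificate name lists are constructed for the demonstration.

```python
def hostname_matches(hostname, san_dns_names):
    """Certificate name check in the style of RFC 6125.

    A name matches if it is identical (case-insensitive) or if it is a wildcard
    whose '*' is the entire leftmost label and stands for exactly one label.
    """
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        pattern = name.split(".")
        if (
            pattern[0] == "*"
            and len(pattern) >= 3                 # no wildcard for a bare suffix like "*.com"
            and len(pattern) == len(host_labels)  # '*' covers exactly one label
            and pattern[1:] == host_labels[1:]
        ):
            return True
    return False


def https_connect(hostname, resolver, servers):
    """Simulated HTTPS connection: resolve the name, take the certificate the server
    at that IP presents, and decide whether a browser would accept it for `hostname`.
    Returns (ip, accepted)."""
    ip = resolver[hostname]
    presented_sans = servers[ip]
    return ip, hostname_matches(hostname, presented_sans)


# Constructed data: documentation IP ranges and a fictional attacker host name.
SERVERS = {
    "203.0.113.10": ["microsoft.com", "*.microsoft.com"],  # names on the genuine site's certificate (constructed)
    "198.51.100.7": ["login-portal.example"],               # attacker host: it can only get a certificate for its own name
}
HONEST_DNS = {"www.microsoft.com": "203.0.113.10"}
POISONED_DNS = {"www.microsoft.com": "198.51.100.7"}  # cache entry altered to point at the attacker's IP

if __name__ == "__main__":
    for label, resolver in (("honest", HONEST_DNS), ("poisoned", POISONED_DNS)):
        ip, ok = https_connect("www.microsoft.com", resolver, SERVERS)
        print(f"{label} resolver -> {ip}: certificate {'accepted' if ok else 'REJECTED'}")
```

With the poisoned resolver the user still lands on the attacker's IP, but the certificate presented there does not cover `www.microsoft.com`, so the connection is rejected before any login form is shown; a plain HTTP page has no equivalent check, which is why the article restricts credential entry to HTTPS sites. The simulation omits chain validation and revocation, which a real browser performs in addition to the name check.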
5. DROPBOX PHISHING
While some phishers no longer bait their victims, others have specialized their attack emails according to an individual company or service.
Take Dropbox, for example. Millions of people use Dropbox every day to back up, access and share their files. It’s no wonder, then, that attackers would try to capitalize on the platform’s popularity by targeting users with phishing emails.
One attack campaign, for instance, attempted to entice users into entering their login credentials on a fake Dropbox sign-in page hosted on Dropbox itself.
To protect against Dropbox phishing attacks, users should consider implementing two-step verification (2SV) on their accounts.
6. GOOGLE DOCS PHISHING
Fraudsters could choose to target Google Drive in much the same way they might prey upon Dropbox users.
Specifically, because Google Drive supports documents, spreadsheets, presentations, photos and even entire websites, phishers can abuse the service to create a web page that mimics the Google account log-in screen and harvests user credentials.
A group of attackers did just that back in July of 2015. To add insult to injury, not only did Google unknowingly host that fake login page, but a Google SSL certificate also protected the page with a secure connection.
Once again, users should consider implementing 2SV to protect themselves against this type of threat. They can enable the security feature via either SMS messaging or the Google Authenticator app.
CONCLUSION
Using the guide above, organizations will be able to more quickly spot some of the most common types of phishing attacks. But that doesn’t mean they will be able to recognize each and every phish. On the contrary, phishing is constantly evolving to adopt new forms and techniques. With that in mind, it’s imperative that organizations conduct security awareness training on an ongoing basis so that their employees and executives stay on top of emerging phishing attacks.
Source Link: https://www.tripwire.com/state-of-security/security-awareness/6-common-phishing-attacks-and-how-to-protect-against-them/
6 Common Phishing Attacks and How to Protect Against Them
Reviewed by Unknown on December 13, 2017