You know the old adage, “there are plenty of fish in the sea,” generally used to assuage someone after a heartbreak. In the cybersecurity world, phish has a far different connotation. Though, as we have experienced, there are still plenty of phish out there, and they use different approaches to tug on your line. Phishing is a form of Social Engineering designed to take advantage of the “human element” within a security framework. Let’s look at a few types of phishing you should know:
Arguably the most well-known form of phishing, email phishing is where a threat actor attempts to obtain sensitive information through an email that appears to be from a legitimate source. These do not have to be one-to-one attacks, which makes them some of the easiest to carry out. These attacks can also be multifaceted, where the threat actor first sends an email about an upcoming emergency and then sends the “payload” for you to act on.
Vishing – Voice phishing
Vishing is probably one of the oldest Social Engineering attacks. A threat actor uses a phone call to try to convince the victim to take an action that is not in their best interest. Many famous hacks have started through Vishing, and it isn’t going away anytime soon.
Smishing has the same objective, to obtain sensitive information, but by utilizing Short Messaging Services (text messages). As the Federal Trade Commission points out, smishing will often use banking offers, prizes, or other payment information as the “hook.”
Spear Phishing is phishing’s more sophisticated sibling. Spear Phishers use information from various sources like corporate directories or social media to craft personalized phishing attacks. Spear phishers took advantage of the 2020 drastic increase in remote work to increase spear phishing campaigns. With the wealth of information companies make available on their websites and social media, building a spear phishing message using legitimate names is easier than ever.
As more businesses leverage social media for customer service, attackers have responded by creating Angler Phishing. Angler Phishers use fake social media accounts, closely mimicking customer service accounts from legitimate businesses, to lure dissatisfied customers into sharing account information.
In a connected world, free wi-fi is an attractive offer. In Evil Twin phishing, Threat Actors have you guessing between “CoffeShopGuest” and “CoffeeShop_Guest”, with their evil twin network making your device and anything connected to it vulnerable.
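One defensive check that follows from the example above is to compare the networks a device sees against the one it is supposed to join and flag near-duplicate names. The following is an added example written for this post, not code from the original, and the scan list it runs over is a constructed sample; `normalize_ssid`, `edit_distance` and `lookalike_ssids` are names chosen here.

```python
# Added example (not from the original post): flag SSIDs that are
# near-duplicates of a trusted network name, the "evil twin" trick
# described above ("CoffeShopGuest" vs "CoffeeShop_Guest").
from typing import List

# Constructed sample scan, as a wireless client might list nearby networks.
SAMPLE_SCAN = ["CoffeeShop_Guest", "CoffeShopGuest", "xfinitywifi", "Coffee Shop Guest"]


def normalize_ssid(ssid: str) -> str:
    """Lower-case and drop separators so 'CoffeeShop_Guest' and
    'Coffee Shop Guest' compare as the same name."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a rolling single-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_ssids(trusted: str, observed: List[str], max_distance: int = 2) -> List[str]:
    """Return observed SSIDs whose normalized form is within max_distance
    edits of the trusted SSID but whose raw name differs from it.
    Names that normalize to exactly the trusted name (distance 0) are
    flagged too, since only spacing or case sets them apart."""
    target = normalize_ssid(trusted)
    flagged = []
    for ssid in observed:
        if ssid == trusted:
            continue  # the real network itself is not a lookalike
        if edit_distance(target, normalize_ssid(ssid)) <= max_distance:
            flagged.append(ssid)
    return flagged


if __name__ == "__main__":
    for name in lookalike_ssids("CoffeeShop_Guest", SAMPLE_SCAN):
        print(f"possible lookalike of CoffeeShop_Guest: {name!r}")
```

This heuristic only catches twins that differ in spelling; an evil twin that copies the SSID exactly is indistinguishable by name alone, so a client should also check the access point's BSSID and security type (a trusted WPA2 network suddenly appearing as open is a warning sign), which this example does not do.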
Another part of a connected world we don’t always consider a vulnerability is our search results. But, as we’ve shared before, Threat Actors are optimizing content so that it legitimately appears at the top of search results. Like other phishing methods, these look-alike pages are designed to get individuals to share personal or sensitive information. Gootkit is one of the most popular attack platforms for performing these attacks. As Red Canary shared, Gootkit is persistent and can act to siphon large amounts of enterprise data.
It’s not you, it’s them
The examples above are just some of the methods Threat Actors use to cause a breach. To gain access to information, Threat Actors count on busy individuals not carefully studying interactions. According to the Cybersecurity and Infrastructure Security Agency (CISA), 8 out of 10 organizations had at least one individual who fell victim to a phishing attempt sent by CISA assessment teams.
Individuals can’t always count on enterprise security to catch every attempt by a potential threat actor. CISA also shared that network border protection services failed to block 70 percent of malicious attachments. The best way to combat Threat Actors is to have a strong security posture across the organization and to educate individuals about the vectors Threat Actors can use to gain broader access.