Phishing is booming! Security checklist for the 6 most widespread methods.

Many current statistics show that phishing is being used particularly often by cybercriminals to penetrate IT systems.

The latest APWG Phishing Activity Trends Report (Q2 2022) provides alarming figures, showing that hackers' methods are becoming increasingly resourceful and sophisticated. That's why we are using European Cybersecurity Month in October to again draw attention to this growing threat.

A large proportion of phishing attacks can be attributed to six methods; below you will find tips and information on how you can best protect yourself.

1. Deceptive Phishing

Deceptive phishing is the most common type of phishing attack. This variant refers to emails from supposedly known senders that ask you to take an action. A very common lure mentions some important files that you can download from a malicious link, which then leads you to a fake login page (e.g. a fake SharePoint login page). Other requested actions include verifying an account, re-entering credentials or passwords, or making a payment. If this information is provided, hackers can access your accounts and misuse the personal information connected to them.

The best way to protect yourself:

  • Check the domain name carefully for homograph attacks. Many different characters look alike, e.g. when the Latin a is replaced by a Cyrillic a. The name looks almost the same but leads you to a malicious website.
  • Check the spelling in the email
  • Watch out for links or redirects on page load
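The homograph check from the first bullet can be automated for links in incoming mail. The following script is an added example, not code from the original article: it flags hostnames whose labels contain non-ASCII or mixed-script characters, shows the punycode (xn--) form that the browser would actually resolve, and compares a "skeleton" of the name against a trusted-domain allowlist. The allowlist and the confusable map are small constructed stand-ins for a real allowlist and the full Unicode confusables table.

```python
"""Flag hostnames that may be homograph look-alikes of trusted domains."""
import unicodedata

# Assumption: the organisation's own allowlist of domains it trusts.
TRUSTED_DOMAINS = {"paypal.com", "sharepoint.com", "example-bank.com"}

# Hand-picked subset of Unicode confusables that render like Latin letters
# (constructed; the real table is Unicode's confusables.txt).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic с у х і
    "\u0458": "j", "\u04bb": "h",                                # Cyrillic ј һ
    "\u03bf": "o", "\u03b1": "a", "\u03c1": "p",                 # Greek ο α ρ
}


def script_of(ch):
    """Return the script family of a character (LATIN, CYRILLIC, GREEK, ...)."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def skeleton(label):
    """Map confusable characters to their Latin look-alikes after NFKC folding."""
    text = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLES.get(ch, ch) for ch in text).lower()


def analyse(hostname):
    """Return (verdict, reasons) for a hostname as it appears in a link."""
    reasons = []
    host = hostname.strip().rstrip(".").lower()
    if host.isascii() and "xn--" in host:
        # Expand an already punycoded link to the form the user would see
        host = host.encode("ascii").decode("idna")

    for label in host.split("."):
        if not label.isascii():
            scripts = {script_of(c) for c in label if c.isalpha()}
            reasons.append(f"label '{label}' is not ASCII (scripts: {sorted(scripts)})")
            if len(scripts) > 1:
                reasons.append(f"label '{label}' mixes scripts")

    try:
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None
        reasons.append("hostname is not valid IDNA")
    if punycode and punycode != host:
        reasons.append(f"browser would resolve {punycode}")

    skel = ".".join(skeleton(label) for label in host.split("."))
    if skel in TRUSTED_DOMAINS and skel != host:
        reasons.append(f"looks like trusted domain {skel} but is not")

    return ("suspicious" if reasons else "ok"), reasons


if __name__ == "__main__":
    for name in ["paypal.com", "p\u0430ypal.com", "login.sharepoint.com"]:
        print(name, analyse(name))
```

The skeleton comparison is what catches the Cyrillic-a case from the bullet: "p\u0430ypal.com" folds to "paypal.com", which is trusted, while the original string is not. Names that are entirely non-Latin (a legitimate Cyrillic domain, for instance) are still reported as non-ASCII, so treat the output as a triage signal rather than a block decision.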

2. Spear Phishing

Spear phishing is a more sophisticated version of fraudulent email phishing and is often the result of a previous data breach or hacked mail accounts. The attacker then has an address book and the corresponding e-mail communication and therefore knows many more details about you. From that, the attacker builds targeted spear phishing emails. For example, the full name, position details and other professional information are often used to simulate a relationship. The goal of this phishing variant is the same as mentioned above: to misuse the personal information connected to your account.

The best way to protect yourself:

  • Always keep your security software or the software’s blocklist up to date
  • Don’t forget to check links and think twice before clicking
  • Conduct regular employee training on the topic of social engineering

3. Whaling / CEO Fraud

Whaling attacks aim at a fraudulent money transfer supposedly commissioned by the CEO. The attacker only spoofs the CEO's name, not even the email address. So the victim, usually an employee, receives an email supposedly from the CEO asking them to initiate or release a fraudulent transfer.

The best way to protect yourself:

  • Regular training about social engineering and awareness measures, also for managers
  • Awareness measures & internal communication
  • Multi-factor / two-person-authorization processes for financial transfer
  • Implementation of technical e-mail authentication standards such as the Sender Policy Framework (SPF)
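The two technical points in this section, a spoofed display name on an outside address and SPF as a technical control, can be checked at the mail gateway. The script below is an added example written for this article, not tooling from the original text: it flags a From: display name that matches an executive but does not use that executive's address, and it evaluates the sending IP against the claimed domain's SPF record. The executive directory, the internal domain and the SPF records are constructed sample data; a real deployment would fetch the TXT records via DNS (RFC 7208) instead of reading the SPF_RECORDS dict, and the evaluator only supports the ip4, ip6, include and all mechanisms.

```python
"""Gateway checks against CEO fraud: display-name spoofing and SPF."""
import ipaddress
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"                      # assumed internal domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}    # assumed directory

# Constructed stand-in for DNS TXT lookups: domain -> SPF record
SPF_RECORDS = {
    "example-corp.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def display_name_mismatch(from_header):
    """True when the display name is an executive's but the address is not theirs."""
    name, addr = parseaddr(from_header)
    expected = EXECUTIVES.get(name.strip().lower())
    if expected is None:
        return False
    return addr.lower() != expected


def spf_check(ip, domain, _depth=0):
    """Simplified SPF evaluation: pass / fail / softfail / neutral / none / permerror."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if _depth > 10:                      # RFC 7208 caps DNS-querying mechanisms
        return "permerror"
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # Membership test is False when address and network versions differ
            matched = sender in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(ip, term[len("include:"):], _depth + 1) == "pass"
        else:
            return "permerror"           # a, mx, exists, redirect not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # no mechanism matched and no "all" term


def triage(from_header, sending_ip):
    """Combine both checks for one message and return the list of findings."""
    findings = []
    if display_name_mismatch(from_header):
        findings.append("display name matches an executive but address differs")
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    result = spf_check(sending_ip, domain)
    if domain == INTERNAL_DOMAIN and result != "pass":
        findings.append(f"claims internal domain but SPF result is {result}")
    return findings


if __name__ == "__main__":
    # Constructed sample messages: a genuine one and two fraud patterns
    print(triage('"Jane Doe" <jane.doe@example-corp.com>', "203.0.113.7"))
    print(triage('"Jane Doe" <ceo.janedoe@freemail.example>', "192.0.2.1"))
    print(triage('"Jane Doe" <jane.doe@example-corp.com>', "192.0.2.1"))
```

The display-name check is what SPF alone does not give you: a message from a free-mail address passes that provider's SPF record perfectly well, so the name-to-address comparison against the internal directory is the control that matches the whaling pattern described above.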

4. Vishing

While phishing attacks are best known via email, vishing calls are becoming more common. These telephone calls are often made over voice-over-IP telephony, and the attackers pretend to be a reputable organization, such as your credit card company or bank, in order to obtain information. To build trust, the attacker uses various details such as your name and the location of your bank or credit institution. The attacker will, for example, inform you that your account has been blocked and that you need to give them your password and payment information to unblock it.

The best way to protect yourself:

  • Do not give out personal data or passwords over the phone
  • Be especially careful when someone is calling from an unknown number
  • Avoid saying the word “yes” on the telephone, because an attacker could record that and use it against you

5. Smishing

So-called smishing is also carried out via the telephone. It involves sending text messages (SMS) asking users to click on a malicious link or provide personal information. Some smishing attacks target Android users: after clicking the link, an app download is offered. That app is malware!

The best way to protect yourself:

  • Research numbers you do not know
  • If you are not sure, notify your mobile provider that you are receiving such messages. Some providers are actively developing mechanisms to filter out smishing messages.

6. Pharming

Pharming is another method hackers use to manipulate users on the internet: users are redirected to fake websites without even noticing. To do this, the DNS (Domain Name System) is manipulated so that the redirect takes place without the user's knowledge. The attackers can attack the user's local DNS cache via an email virus or even poison entire DNS servers, so that every user of the affected DNS server is redirected to the wrong website. Although most DNS servers have security mechanisms to protect against such attacks, hackers keep finding ways to gain access to them.

The best way to protect yourself:

  • Use antivirus and anti-malware security software with browser monitoring
  • Make sure you are using a secure web connection (https)

With this brief overview, you know what the most common methods look like and can therefore prepare countermeasures so that you do not fall for them. In any case, it is essential to continuously train and raise awareness of phishing among all employees and managers of a company. Please note that this list is in no way exhaustive and that only a comprehensive security concept covering all areas of the company can provide protection against phishing and data breaches.