Phishing – Some Things Change, Some Never Will
Phishing is pronounced the same as “fishing” and works in much the same way: some kind of bait lures the target closer until it bites. You have probably seen graphics that draw the analogy with a credit card dangling from a fishing hook. Just as people who fish customize their bait and hook to the kind of fish they are after, so do people who phish.
Phishing has been around since the mid-1990s, when attackers began stealing passwords in order to take over online accounts (the earliest campaigns targeted AOL users). It has evolved as technology has advanced. What has stayed the same is that cyber criminals rely on social engineering to get people to do something they would not otherwise do.
What Hasn’t Changed About Phishing – Social Engineering
According to Positive Technologies’ Cybersecurity Threatscape: Q2 2021 report, a good 90% of cyber attacks involve social engineering. Phishing exists to bypass the technical layers of security: it is like talking someone into unlocking the door to your network instead of having to pick the lock.
No user knowingly lets a cyber criminal in, so attackers use manipulation and psychology to make the requested action look legitimate. Different types of phishing campaigns rely on different kinds of manipulation.
Phishing attempts play on the familiar. That is why the UPS delivery-notice scam worked and continues to work, and why messages asking you to update your bank account information work: they describe plausible situations, at least until people have seen enough of them to recognize the pattern.
Spear-phishing targets a specific individual, and whaling aims at senior executives. Both play on a person’s deference to authority by impersonating someone the target would not question, such as a supervisor or a member of leadership like the CEO.
What’s Changed About Phishing – Novelty and Delivery
Sometimes phishing attempts rely on the familiar, but sometimes the opposite holds and novelty is the bait. Cyber criminals are always on the lookout for a hot topic that lots of people care about. The COVID-19 pandemic, for example, gave them a new social engineering angle that played on people’s concerns for their health and safety; phishing incidents doubled from 2019 to 2020.
Email has always been the primary delivery channel for phishing, but scammers now use other means to get people to click a link, open an attachment or visit a malicious or compromised website. Text-message phishing (smishing) and voice phishing (vishing) are now common alongside email.
Targeted attacks have also become stealthier. Criminals register look-alike domains that differ from the legitimate one by a dropped, swapped or substituted character, so the eye reads the sender address as genuine. Harder still to spot is account takeover: once a mailbox is compromised, the attacker can reply inside existing email threads and inject malicious links, while also reading the mailbox for information that feeds later spear-phishing or whaling.
How to Protect Against Phishing Attacks
Effective cybersecurity is built in layers, and defending against phishing is no different.
Cybersecurity Awareness Training – Provide ongoing training so that employees learn to recognize potential phishing attacks and know how to report them.
Advanced Cybersecurity Tools – Use an effective email filter that tags mail originating outside the organization, checks sender domains and quarantines suspected phishing messages. Pair it with threat detection and response technology to spot and stop an attack that gets through.
Take Control of Domain Variations – Make it harder for cyber criminals to impersonate your email addresses by registering the probable variations of your domain yourself. See Time to Control Your Domain Neighborhood.
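The look-alike domains described earlier and the advice to register your own domain variations come down to the same list of candidate names: the ones an attacker would register, and the ones a mail filter should treat as hostile. The following is an added example, not XPERTECHS’ code and not from the article, that generates that list for a registrable domain and then classifies sample From: headers as internal, look-alike or external, which is the distinction a filter needs in order to tag outside mail and quarantine impostors. The domain examplebank.com, the TLD list and the sample sender addresses are constructed for illustration.

```python
"""Look-alike domain generation and sender classification.

Added example (not XPERTECHS' code). OWN_DOMAIN, the TLD list and the
sample senders below are constructed for illustration.
"""
from email.utils import parseaddr
from typing import Dict, Iterable, List, Set

# Single-character substitutions that read as the original in many fonts.
HOMOGLYPHS: Dict[str, List[str]] = {
    "o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"],
}

# TLDs commonly registered alongside a .com look-alike (assumption).
TLDS = ("com", "net", "org", "co", "info")


def lookalike_domains(domain: str, tlds: Iterable[str] = TLDS) -> Set[str]:
    """Return the look-alike variants of a registrable domain such as
    'examplebank.com' (one label plus TLD; subdomains are not handled).

    Variants cover the classic typosquatting moves: a dropped character,
    two adjacent characters swapped, a doubled character, a homoglyph
    substitution, an inserted hyphen, and the same label on another TLD.
    """
    label, _, tld = domain.lower().rpartition(".")
    labels: Set[str] = set()
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])            # omission
        labels.add(label[:i] + label[i] + label[i:])     # repetition
        for sub in HOMOGLYPHS.get(label[i], []):         # homoglyph
            labels.add(label[:i] + sub + label[i + 1:])
    for i in range(len(label) - 1):                      # transposition
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(1, len(label)):                       # hyphen insertion
        labels.add(label[:i] + "-" + label[i:])
    labels.discard(label)   # a swap of identical neighbours recreates the original
    labels.discard("")      # omission on a one-character label

    variants = {f"{lbl}.{t}" for lbl in labels for t in tlds}
    variants.update(f"{label}.{t}" for t in tlds if t != tld)  # TLD swap
    return variants


def sender_domain(header_value: str) -> str:
    """Extract the domain from a From: header value such as 'Alice <a@x.com>'."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def classify_sender(header_value: str, own_domain: str, variants: Set[str]) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From: header value.

    'lookalike' is what a filter should quarantine; 'external' is what it
    should tag with a banner so the reader sees the mail came from outside.
    """
    domain = sender_domain(header_value)
    if domain == own_domain.lower():
        return "internal"
    if domain in variants:
        return "lookalike"
    return "external"


if __name__ == "__main__":
    OWN_DOMAIN = "examplebank.com"  # constructed
    variants = lookalike_domains(OWN_DOMAIN)
    print(f"{len(variants)} variants generated, e.g. {sorted(variants)[:5]}")

    # Constructed From: header values for illustration.
    samples = [
        "IT Helpdesk <helpdesk@examplebank.com>",
        "IT Helpdesk <helpdesk@exarnplebank.com>",
        "Payroll <payroll@examp1ebank.com>",
        "Courier <noreply@parcel-notice.info>",
    ]
    for s in samples:
        print(f"{classify_sender(s, OWN_DOMAIN, variants):9s} {s}")
```

The generated set is the shopping list for the “register the variations yourself” control; whatever you cannot or choose not to register stays in the filter’s block list. The classification only catches exact matches against that list, so a production filter would also compare sender domains by edit distance and decode punycode (xn--) names before checking them.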
DEFEND Against Cyber Attacks
Here at XPERTECHS, we provide security through our XperCARE framework of managed IT services. While every organization is a target for cyber crime, we understand that different businesses and industries have different levels of risk exposure. Whether you need to comply with regulations for privacy and confidentiality, provide accountability for security to your customers, or just want to be confident that your cyber defense is adequate – we can help.
Contact us to schedule a free security consultation.