Most users have heard of phishing attacks, but email security blocks many of the older ways attackers would send malicious email messages to hapless victims. Because email security specifically scans email messages for common phishing methods, attackers have developed new phishing methods to bypass these protections. It’s important that administrators and individuals are aware of these new strategies.
Whaling Phishing
Spear phishing targets specific people within an organization. The target could be a human resources manager or an administrator with a high-privileged account. A spear-phishing attack targets any high-privileged user, but a whaling attack goes for a bigger “fish”: in a whaling attack, the target is an executive, co-founder, or owner of the organization.
Usually, a whaling attack targets a C-level executive, because such executives have high-level access to many corporate resources. An executive has access to bank accounts, sensitive data, legal documents, intellectual property, and communications that no other users within the organization can access. For example, a human resources manager has access to employee information so they can run payroll, but they don’t have access to the bank account used for payroll. A human resources executive, however, probably does have access to the financial information used to pay employees.
A successful whaling campaign often relies on social engineering. An attacker uses phishing emails to trick executives into sending money or sensitive information. The attacker might use the social engineering aspect to create a sense of urgency, distract the targeted user, or trick the targeted user into thinking that the email message is from a legitimate employee.
Barrel Phishing
In many financial transactions, several email messages are exchanged to confirm information. A barrel phishing attack imitates this kind of back-and-forth to trick users into performing an action, usually downloading malware or opening a malicious attachment.
The difference between barrel phishing and spear phishing is that spear phishing is a single email, whereas barrel phishing starts with an initial email message that carries no payload. The first message is harmless, but it’s used to establish trust with the targeted victim. Once the user responds to the first message, the attacker knows that the targeted victim does not suspect an attack.
The second message contains the payload. Usually, the message asks the user to open a file attachment. The attachment could be an executable file that installs malware directly, or a document containing a malicious macro that downloads malware when it runs. Malicious macros often download ransomware, rootkits, and other malware that can be used for a myriad of purposes.
For example, the first message might harmlessly ask the targeted user if they are available. After the targeted victim responds, the attacker sends another message asking if they could take a look at the attached file to verify some information. The targeted victim opens the file, runs the malicious macro, and malware is installed.
Smishing Phishing
If you’ve ever received a strange text message on your phone with a short link to a page telling you that you’ve won a prize, but you first must enter a credit card number to pay for shipping, then you’ve seen a smishing attack. Smishing takes phishing to text messages (SMS). It works much like the email form, but most smartphones lack the extensive security features that block malicious email messages.
In a smishing attack, the attacker pretends to be a legitimate vendor. For example, you might get a text message thanking you for a payment, followed by a link telling you that you have won a prize. You’re promised an expensive gift in exchange for a small shipping payment. The attacker can then steal your credit card number and charge the card.
Vishing Phishing
Voice-changing software can make anyone’s voice sound like a different person; accents, gender, and apparent age can all be altered. In a vishing attack, you receive a phone call from someone you believe is a legitimate representative of a company. It’s a form of social engineering, but rather than tricking the user into making a fraudulent payment, the attacker might instead want information that can be used later.
Cloning Phishing
One of the newest forms of phishing is the cloning strategy. Canned (templated) emails are common in any organization. For example, you might receive an email from Amazon after you purchase a product, or a confirmation email from your utility company after you pay the bill. Attackers also have access to these emails, and they use them as templates for their own phishing attacks.
In a cloning attack, the attacker reuses the exact message (text and images) to trick users into divulging sensitive information. Some messages trick users into clicking a link to an attacker-controlled website. For example, you might get a standard message from the telephone company confirming that you paid the bill on your cell phone account. An attacker sends you the exact same message but replaces the links with links to their own website.
Protecting Yourself from Phishing
Education is the best defense against phishing. Users should be able to identify a malicious message, and they should know to report it. Any individual should be able to identify a phishing email so that they are no longer an easy target.
A few ways to identify phishing include:
- A sense of urgency to make a financial transaction or send data
- Links to suspicious pages that ask users to authenticate
- Promises to send prizes in exchange for payments
- Requests to send money or authenticate to avoid losing an account
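The cloning section above and this checklist both describe things a reader, or a mail filter, can check mechanically: who the message claims to be from, where its links actually go, and whether the wording presses for urgency, credentials or a "prize" payment. The script below is an added example written for this article, not code from the original page or from any mail-security product. It assumes the caller knows the brand domain the message claims to come from (passed as expected_domain); the message bodies and the domains example-telco.com, billing-check.net and prize-portal.net are constructed placeholders, and the phrase lists are illustrative, not a production ruleset.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative phrase lists mirroring the article's checklist (constructed; a
# real deployment would tune these against its own mail flow).
URGENCY_TERMS = ("immediately", "within 24 hours", "urgent", "will be suspended", "act now")
CREDENTIAL_TERMS = ("verify your password", "confirm your card", "log in to", "re-enter your")
PRIZE_TERMS = ("you have won", "claim your prize", "shipping fee", "small payment")

# Visible link text that itself looks like a URL or hostname, e.g. "www.x.com/claim".
URL_LIKE = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Naive registrable-domain extraction: last two labels (assumes a single-label TLD)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_message(sender, html_body, expected_domain):
    """Return the list of phishing indicators found; an empty list means nothing was flagged.

    expected_domain is the brand domain the message claims to come from (hypothetical
    input supplied by the caller, e.g. the phone company's real domain).
    """
    reasons = []

    # 1. The sending domain is not the brand the message impersonates.
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1])
    if sender_domain != expected_domain:
        reasons.append(f"sender domain {sender_domain!r} is not {expected_domain!r}")

    # 2. Cloned-template check: a link that leaves the expected domain, or whose
    #    visible text shows one host while the href points at another.
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registered_domain(host) != expected_domain:
            reasons.append(f"link to {host!r} outside {expected_domain!r}")
        shown = URL_LIKE.match(text)
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            reasons.append(f"link text shows {shown.group(1)!r} but points to {host!r}")

    # 3. Wording indicators from the checklist, checked on the tag-stripped text.
    plain = re.sub(r"<[^>]+>", " ", html_body).lower()
    for label, terms in (("urgency", URGENCY_TERMS),
                         ("credential request", CREDENTIAL_TERMS),
                         ("prize-for-payment", PRIZE_TERMS)):
        hits = [t for t in terms if t in plain]
        if hits:
            reasons.append(f"{label} wording: {hits}")
    return reasons


# Constructed sample bodies; the domains are placeholders, not real services.
LEGIT_NOTICE = """<p>Thank you for your payment of $48.10 to your mobile account.</p>
<p><a href="https://account.example-telco.com/bills">View your bill</a></p>"""

CLONED_NOTICE = """<p>Thank you for your payment of $48.10 to your mobile account.</p>
<p><a href="https://account.example-telco.com.billing-check.net/bills">View your bill</a></p>"""

PRIZE_TEXT = """<p>Your payment was received. You have won a new phone! Claim your prize
within 24 hours; a small payment covers the shipping fee.
<a href="http://prize-portal.net/claim">www.example-telco.com/claim</a></p>"""

if __name__ == "__main__":
    for name, sender, body in (("legitimate", "billing@example-telco.com", LEGIT_NOTICE),
                               ("cloned", "billing@example-telco.com.billing-check.net", CLONED_NOTICE),
                               ("prize", "promo@prize-portal.net", PRIZE_TEXT)):
        print(name, analyze_message(sender, body, "example-telco.com"))
```

The legitimate notice produces no findings, the cloned copy is caught purely on its sender and link domains even though its text is identical to the real template, and the prize message trips the domain checks, the visible-text/href mismatch, and the urgency and prize wording at once. A mail gateway would combine checks like these with SPF, DKIM and DMARC results rather than rely on wording alone, since phrase lists are easy to evade and produce false positives on genuine billing mail.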
Conclusion
Organizations and individuals should be aware of the latest phishing attacks. They can be the start of a serious data breach for organizations, and individuals can become victims of identity theft or fraudulent financial transactions. In both cases, the attacker’s goal is to steal money or sensitive data from the targeted victims. The more users are educated on the many ways attackers can steal data, the better prepared they are to defend against phishing attacks.