Cybercrime is big business right now. Hacking and malware attacks have proven to be very lucrative for organized criminals, and the effect it can have on companies that fall victim can be devastating. Therefore, it should come as no surprise that investments in tougher security solutions are a bigger priority than ever.
However, even the most prepared businesses can have weaknesses, and often, the most vulnerable part of an IT system is the people that use it. This is something criminals have worked out too, as can be seen in the increasing amount of social engineering tactics being used to bypass security defenses. After all, why waste time trying to pick a lock when you can just convince someone to open the door for you?
Therefore, educating users about what they need to do to stay safe is essential - and one focus must be warning them about phishing attacks. These involve getting people to reveal confidential details, such as usernames, passwords or bank details. Such attacks often take the form of email messages purporting to be from someone the recipient recognizes that entice them to click a malicious link, which will either infect their computer with malware or trick them into entering details into what they believe to be a legitimate website.
However, there are several types of phishing attacks that scammers try, which may have different telltale signs. Here are five common tactics you need to be aware of.
A standard phishing attack tends to cast a very wide net, with fraudsters sending out thousands of identical messages hoping to get a bite. But while these impersonal efforts can have a very low response rate, relying instead on volume for their success, spear-phishing is much more targeted.
These messages will be tailored directly to their intended recipient, will likely include their name and other details in order to convince victims the message is genuine, and appear to come from companies or individuals they already have a relationship with. As many people are more inclined to trust messages that appear to be directed specifically at them, they may be less suspicious than they would be of an email that begins 'dear customer'.
In keeping with the nautical theme, whaling is a specific type of spear-phishing that involves going after the biggest targets - typically a CEO or other board-level executive. These are highly tempting to fraudsters because, if successful, it can give them access to far more information than a lower-level employee would have.
Naturally, these accounts therefore come with greater security safeguards and aren't as freely shared, so scammers often go to great lengths to appear real. This means knowing who the victim communicates with and the kind of discussions they have. Successful examples may include detailed references to customer complaints, legal issues, or even problems in the executive suite. As such, they can be very difficult to spot, so senior executives need to be especially wary.
Another variant on spear-phishing is cloning, which occurs when a fraudster uses an existing, legitimate message sent to a user as the basis for their own email. They then copy almost every aspect of this, but replace a legitimate attachment or link with their own infected version.
For example, a scammer may spoof a co-worker's email account to send a cloned message, describing it as an 'updated version' or something similar to trick the recipient. These messages have added authenticity to users because they appear identical to something they have already seen and know to be real.
4. Business email compromise
Business email compromise, or BEC attacks, are similar to spear-phishing in that they disguise themselves as emails from people the recipient is familiar with, but the key factor is that they purport to be from high-level managers demanding information, or instructing employees to initiate money transfers.
These can be very effective, as when most people get a message from their CEO's email account asking them to do something, they're likely to feel more pressure to obey. Some of the world's biggest tech companies have fallen victim to this - one targeting Snapchat in 2016, for instance, tricked an employee into sending the entire company's payroll data to someone pretending to be CEO Evan Spiegel.
5. Mobile threats
The above tactics all typically take advantage of familiar email communications, but as more and more business activities shift to mobile, this is opening up a whole new platform for phishers to exploit. There are a range of threats tailored to mobiles, such as SMS phishing, where a scammer sends a user a text message containing a malicious link, or creating fake apps that users download, mistaking them for genuine programs.
There are also emerging techniques such as URL padding to be aware of, which involves including text that appears to be a legitimate website address inside a larger, bogus URL. This is particularly effective on mobile because of the limited space to display a full URL and the fact people have become used to the different format. For example, they may see a link that begins 'm.facebook' and assume it leads to the social network's mobile site, but actually the real destination is hidden at the end of a long link.