The hackers on domains and websites that we interact with trick us with different types of phishing attacks, by using impersonated domains and cloned websites.
They understand the behaviour of people and launch a sophisticated attack aimed at them.
Recognising what these attacks are can help us avoid/prevent them.
Phishing is big business. Attacks have shown record growth in recent years, and a solid security awareness program is an integral part of any defense-in-depth strategy.
Here are the 10 types of phishing attacks that hackers are using in 2020 and how you can prevent them.
Email spoofing is one of the most frequent and easiest types of phishing used to get data from users without their knowledge.
It can be done in different ways:
Here is an example.
The call to action is to click on the link and to log in to view the document. Some users might click on the link just by seeing the company’s name and the urgency of action.
Such an email crafted has higher chances of being opened and phished.
The best way to prevent these attacks is by carefully reading the sender’s email address.
Try to copy and past the characters in the email if you’re not sure about them. Being aware about the dangers and possibility is the first step in it’s prevention.
Also, tools like Sophos Phish Threat provide phishing attack simulation and training for your end users which are important to prevent future phishing attacks on your organisation.
In this type of phishing, mass emails are sent to a group of people with common interest based on their brand preferences, demographics, and choices.
These emails are clones of transactional emails like receipts, payment reminders, or gift cards intended to deceive a target potential.
Here is an example of an email targeting Citibank customers.
Phishers like to use brands as a weapon for mass attacks because brands usually have a lot of credibility among targeted victims.
Check whether you are marked in the “To” section or “cc” section of the received mail. Avoid replying to an email marked to you with an unknown set of people.
In URL phishing attacks, scammers alter the phishing page’s URL to deceive the target.
This has a higher opening rate because:
Hidden links are another bait used by phishers. They sort of camouflage the intended text over a CTA. We have all received emails with the action phrase “CLICK HERE” or “DOWNLOAD NOW” or “SUBSCRIBE.”
These are examples of hidden links, which makes it easier for scammers to launch phishing attacks.
Another way to hide phishing links is by using link-shortening tools like TinyURL to shorten the URL and make it look authentic.
Misspelled URLs are another way hackers target potential victims. They change the spelling in the URL in such a way that it is not noticeable in a quick glance. They buy that domain and send it to their targets.
In the example below, you can see that there’s a typo in the link that people can easily miss: “www.citiibank.com…” instead of “www.citibank.com…”
Homograph attacks involve the usage of combinations of similar-looking words – characters – that can be easily misread.
Here’s an example.
Our first thought might be that the offer looks genuine, but when we click on the link, instead of ‘amazon.com,’ we will be redirected to ‘arnazon.com’ – which belongs to the attacker.
Once on site, the fake page will prompt you to enter login credentials or confidential financial data.
Hover the cursor over the attached link. The full link will appear on the laptop screen. If the link is different or seems phishy, don’t click on it! In case of mobile devices, press and hold over the link, and the attached link will appear as a pop-up window with actionable options.
Pop-up messages are the easiest way to run a successful phishing campaign. Through pop-up messages, attackers steal the login credentials by redirecting them to a fake website.
This technique of phishing is also known as “In-session phishing.” In the example below, doesn’t the foreground pop-up seem legitimate enough to mislead customers?
The only prevention at present are the pop-up blockers available in the browser extension and settings on different app stores. If your data is very crucial, you should opt for a security software that blocks all these threats in one shot to prevent any kind of data security breach. Apart from this paying attention to the links holds great importance in preventing phishing.
Phishers run an ad campaign to show up first on the SERP (Search Engine Results Page).
Once there, they lure the consumers searching for a specific keyword into landing on their site and then fool them into sharing confidential information.
In the example below, the ad says “Full Version & 100% Free!”
The best way to avoid search engine attack is to avoid the ads displayed in the paid results section – look for the “ad” tag displayed next to the website link, which is usually found on the top-most results. Also, if you know the URL, then try to type it whenever possible.
Website spoofing is similar to email spoofing, though it requires the attacker to put in a lot more effort.
Phishers copythe design, content, and user interface of a legitimate website and publish it.
They also use URL shortening tools, as mentioned above in the blog, to create a similar website URL.
Here is an example of a website spoofing attack that mimics the Bank of America website:
If you know the link to the website, it is always better to manually type in the link instead of copying or clicking on a link sent by someone else.
Third party tools like SysCloud’s Phishing Protection provide the best possible security from all kinds of spoofing attacks. As a part of their service, all the suspicious websites are not only blocked but also reported to the user.
A previously-sent email from a reputed organisation containing any link or attachment is cloned or copied to creat a similar looking email.
Phishers swap the original link in the attachment with a malicious link. The targets will be deceived as they won’t be able to tell the difference between the real and malicious email and click on the link.
The victims never suspect the clone email, which is why it is dangerously deceptive.
All Executives/Senior/Chief Managers /Branch Managers/ Concurrent Auditors/Internal Auditors.
It is usually carried out with intention to hack a user’s computer, steal confidential data, conduct fraudulent activities or launching a DDoS attack. Various kinds of malware like Trojan, ransomware, worms, virus Spyware etc are used to infiltrate the defense.
Always use an updated anti-malware and antivirus option available in the market. Also, an up-to-date browser works as an extra security layer from these types of phishing attacks.
Using the guide above, organizations will be able to more quickly spot some of the most common types of phishing attacks. But that doesn’t mean they will be able to spot each and every phish. On the contrary, phishing is constantly evolving to adopt new forms and techniques.
With that in mind, it’s imperative that organizations conduct security awareness training on an ongoing basis so that their employees and executives stay on top of emerging phishing attacks.
Sophos Phish Threat is an excellent tool that we recommend can help you in this department.
For additional guidance on how you can train your personnel to avoid phishing attacks, you can contact us here.