6 Phishing Attack ExamplesPosted By: Helen Tuesday 19th March 2019 Tags: ceo phishing, Cyber Security, deceptive phishing, dropbox phishing, it security, phishing, spear phishing
Let’s start with defining ‘phishing’. This constitutes a fraudulent act whereby a person sends an email whilst posing as a reputable company. The reasons behind phishing emails are to encourage the end user to reveal personal information. Armed with passwords and credit card numbers, the ‘phisher’ can go on to use details in any way they please. And it’s so straightforward to do. Scary, right?
Unfortunately, things get worse….
There are different types of phishing going on each and every day and we are going to discuss some of the more well-known efforts. There may be some you can resonate with. If so, please do let us know. We are always interested in hearing others experiences and how they have managed such situations. If you are lucky and have never been hit, maybe you should speak to our IT security specialists before it’s too late?
We’ll begin with the most common, ‘Deceptive Phishing’;
As discussed above, this is the most familiar method of phishing involving the impersonation of legitimate companies by fraudsters.
But how do they do it?
Emails not only look the part they are cleverly worded and use persuasive language to create a sense of urgency. A popular tactic for example is to send out an email stating PayPal have noticed there is something wrong with the account. The user is requested to click on a link which then requests a username and password. Once entered, the fraudster has been give direct access to just what they need. Easy as pie!
How can you avoid being a victim of Deceptive Phishing?
Successful attacks tend to be down to the quality of the email. Does it look exactly like the legitimate company in question? Before clicking on the link as requested, take a moment to double check it. Does iit look like it is taking you away to a reputable source such as PayPal or could it possibly be something unknown to you? It also pays to pick up on many grammatical errors, how you have been addressed and spelling errors. Having checked all of these and you remain uncertain, we recommend calling the company directly. Always protect yourself.
How about a little ‘Spear Phishing’?
Whilst this may sound like an ancient fishing method, it unfortunately does not result in a delicious fish supper! This is a deliberate attempt at targeting individuals in the hope that bank details will be revealed.
And they go about this how?
Personalisation goes a long way. We all love to hear and see our names (it’s a psychological thing) and this is where the fraudsters begin. Including your name, the company you work for and even your position helps an email look all the more authentic. Similarly to the deceptive style of phishing, you are being guided towards a malicious URL or email attachment. Having clicked, scammers are waiting in hope of personal detail entry.
Can we dodge being speared?
Avoidance through awareness is key. Training team members on what to look for and what NOT to click on remains important. LinkedIn is a wonderful platform for fraudsters to gain lots of personal and company information. It’s therefore important to inform team members not to publish any sensitive personal or corporate information on social media. It also pays to invest in security solutions with the capability of analysing inbound emails for anything malicious.
CEO Fraud you say…. Is this for real?
Regrettably, yes. As above, spear phishing goes after absolutely anybody within a company. This can include those at the top of the chain. Known as a whaling attack, scammers are trying to ‘harpoon’ an executive in order to steal logins. Should this work, the second part of the plan is executed and known as CEO fraud.
Surely they don’t get away with this?
Posing as a company executive, emails are sent requesting authorisation or fund transfers. Because this is coming from the top, staff members may not question this. Worrying!
Avoidance tactics please?
Education, education and dare we say it, more education Every single team member from apprentices to top level executives should undergo security awareness training.
So far we have discussed three varying methods of phishing, all with similar undertones and the same end goal – to gain credentials and take your money. Surely there can’t be any more?
Pharming is the way forwards!
No, we haven’t spelled ‘farming’ incorrectly. So this one is a little more technical in ability. Fraudsters use something called DNS (domain name system) cache poisoning. Simply, website names are converted to numerical IP addresses using a DNS server. An IP address is used to locate computer services and devices.
How do they manage to poison you?
This is a crafty move. A pharmer has the ability to change the IP address connected to a specific website name. From here they can redirect website users to wherever they desire, even if the correct website name has been entered.
Don’t be ‘pharmed’!
The most important thing you can do to avoid a pharming attack is to double check URLs when entering personal details. These should always be secure, displaying as HTTPS. This means they are protected. Anti-virus software is also a must and should be used across any corporate devices. It’s intrinsic to keep these updated.
Dropbox Phishing is on the Rise!
The Dropbox fraudsters are certainly attempting to cash in on login credentials! This methods is quite a specialised attack, using emails targeted to specific companies and services. So how do they get you?
Similarly to those already mentioned throughout this post, emails are designed to look like they are being sent directly from the Dropbox team. Upon hitting a selected inbox, the recipient is requested to click through to a link in order to ‘secure’ their account. They may even be requested to download a shared document; not good.
Remaining Dropbox Vigilant
The best way to avoid such attacks via Dropbox is by using something called two factor authentication. Simplified, this is a second layer of security designed to strengthen Dropbox and other online accounts. Once applied, two factor authentication will send a code to your smartphone for entry, each and every time you login. Without this code, access is denied.
From Dropbox to Google Docs Phishing
Familiar with Google Docs? Use them regularly throughout the day? Please beware of any messages requesting you to view documents across this platform. A good rule of thumb suggests, if you’re not expecting anything, don’t open it.
What’s their Secret?
Fraudsters in this instance are looking to gain direct access to your spreadsheets and documents with personal details. Gmail, Google Play and Android Applications can also be manipulated with important credentials stolen. This particularly clever instance of phishing involves the creation of an almost identical Google Docs login page. Clever, no? Once directed here, if you were to login as usual, the scammer has everything required to carry out fraud successfully.
Similarly to Dropbox security efforts, two factor authentication is the recommended method. It’s worth getting used to using this in order to secure yourself from threats both now and further down the line.
Knowledge is Power
It’s safe and secure to say (do you see what we did there), that having a decent knowledge of the above six phishing methods will help protect you. Knowledge is most certainly power and if you are aware of what could potentially land in your inbox, that’s half the battle. Through an understanding and implementing the methods stated in this post, security becomes tighter. Regular training is required surrounding the content of this subject, especially as phishing continues to evolve. Just something to consider.
How can LaneSystems Help?
Our team of highly experienced and knowledgeable engineers will perform a FREE internal security audit. By assessing various elements of existing cyber security, this gives us the knowledge of exactly what’s required in keeping your data safe. It’s our job to advise accordingly based upon your existing circumstances. We won’t recommend anything that’s not required and look at building a solid partnership when moving forwards.