Phishing

Despite the prevalence of phishing and the amount of information available about it, people still fall for it at high rates. In a phishing assessment that CISA (the Cybersecurity and Infrastructure Security Agency) performed for a test organization, 84% of individuals clicked a fictitious malicious link or replied to the email with sensitive information within the first 10 minutes of receiving it.

Phishing is a social engineering attack in which an unsuspecting target is deceived into providing personal information, credentials, or access that a threat actor can use for financial gain or as a foothold toward a bigger target. The most common phishing vectors are text messages and emails that appear to come from trusted, reputable companies and carry messages crafted not to raise the receiver's suspicion. The end goal ranges from stealing personal financial information to gaining access to sensitive company information.

A common example that many people have experienced is a text message claiming to be from UPS or FedEx, reading something like: “There have been delays to your UPS package. Track the package through the link below.” The link either downloads malware to the device or takes the victim to a malicious website, typically a fake page built to harvest credentials or payment details. Phishing is an ever-evolving attack with several different vectors, including:

  • Voice (Vishing): Phishing over a phone call, used to extract personal information or access from an individual.

  • SMS (Smishing): Phishing through text messages, with the intent to trick the individual into revealing information such as credit card numbers or bank account details, or to deploy malware.

  • Email: Phishing through email. A threat actor will often use a display name or sender address that appears to belong to a well-known company and craft an email that deceives the user into clicking a link, downloading malware, or replying with information that furthers the threat actor's goal. Note that the display name is chosen freely by whoever sends the message and is not verified by mail servers, so a familiar name in the "From" field proves nothing about who actually sent it. In 2022, over 48% of sent emails were spam.

  • Bulk Phishing: A threat actor sends a large number of untargeted phishing emails, texts, or automated phone calls in the hope that at least a few recipients will “bite” and provide the requested information.

  • Spear Phishing: A targeted attack against a specific individual or organization, usually a high-value target, with the lure tailored using details the threat actor has gathered about the victim.

  • Social Media: Phishing carried out through social media accounts in an effort to obtain login credentials, credit card information, or personal information that aids the threat actor toward a bigger goal. These attacks are often executed by luring the user into logging in on a fake login page, or by getting the user to click a malicious link that grants the threat actor access to their profile information.

  • Angler Phishing: A social media phishing attack in which the threat actor creates a false persona pretending to be an employee of a company. The threat actor finds individuals who have posted grievances about the company and contacts them, posing as customer support, in order to obtain sensitive information.

With the variety of phishing attacks evolving quickly, it is important to stay informed about the “red flags” to watch for. Be CAREFUL in any interaction where the person you are engaging with:

  • Causes a feeling of panic

  • Asks for money or personal information

  • Rushes your response

  • Emotionally manipulates you

  • Focuses on personal questions

  • Uses texts and will not meet in person or virtually

  • Leaves you with a funny gut feeling

If an interaction leaves you with any of the feelings described above, proceed with extreme caution or discontinue communication. Other preventative measures include:

  • Ensure the spam filter on your email account is active, and report emails from institutions you never signed up with as spam.

  • Never respond to an email, text message, or phone call with personal information without first verifying the source through an independent channel.

  • If you think a call or email may not be legitimate, use a search engine (Google, Yahoo, Bing) to find the institution's official contact number and call the company directly. NEVER use an email address or phone number provided within the suspicious message itself.

  • If you are engaging in a relationship with someone you’ve met online, make sure to speak with them over the phone, spend time talking over a video call, or meet in person for the first time in a public place.

  • Do not follow links in an email or text message to reach a website. If you want to visit the site or offer, use a search engine, or an address you already know, to reach the legitimate website.

  • Never share your screen with someone while logging in to an account, and never share your login credentials or a two-factor authentication code; a legitimate organization will not ask you for them.

  • Minimize the amount of personal information you post publicly on social media.
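Several of the email red flags described on this page (a display name that claims a well-known brand while the sending domain belongs to someone else, a link whose visible text does not match where it actually points, and language that rushes or panics the reader) can be checked mechanically. The script below is an added example written for this page, not code from the original author or from CISA; the brand-to-domain list, the urgency phrases, and the two sample messages are all constructed for illustration, and a real mail filter would use far richer lists and proper public-suffix handling.

```python
"""Heuristic phishing red-flag checks for a single raw email message."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed mapping of brand keywords to domains they legitimately send from.
# Hypothetical list for illustration; a real deployment maintains its own.
KNOWN_BRANDS = {
    "ups": {"ups.com"},
    "fedex": {"fedex.com"},
}

# Constructed list of pressure phrases (the "rushes your response" red flag).
URGENCY_PHRASES = (
    "immediately", "within 24 hours", "account will be suspended",
    "verify your account", "urgent", "final notice",
)


class _LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation, sufficient for this demo."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze(raw_message):
    """Return a list of red-flag descriptions found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    flags = []

    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""

    # 1. Display name claims a brand that the sending domain does not belong to.
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display_name.lower() and sender_domain not in domains:
            flags.append(f"display name mentions {brand!r} but sender domain is {sender_domain!r}")

    body = msg.get_payload(decode=True)
    body = body.decode(msg.get_content_charset() or "utf-8", "replace") if body else ""

    # 2. Link text that looks like a URL or domain but whose href points elsewhere.
    collector = _LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        href_host = urlparse(href).hostname or ""
        shown = re.sub(r"^https?://", "", text).split("/")[0]
        if "." in shown and registrable_domain(shown) != registrable_domain(href_host):
            flags.append(f"link text {text!r} but href host is {href_host!r}")

    # 3. Pressure language.
    lowered = body.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            flags.append(f"urgency phrase: {phrase!r}")

    return flags


# Constructed sample messages (not real mail) for demonstration.
PHISH = """From: "UPS Delivery" <notice@ups-track-status.example>
To: you@example.org
Subject: Delivery delayed
Content-Type: text/html; charset=utf-8

<p>Your package is on hold. Confirm your address within 24 hours or it will be returned.</p>
<a href="http://ups-track-status.example/confirm">https://www.ups.com/track</a>
"""

LEGIT = """From: "UPS" <no-reply@ups.com>
To: you@example.org
Subject: Your receipt
Content-Type: text/html; charset=utf-8

<p>Thanks for shipping with us.</p>
<a href="https://www.ups.com/track?id=1">https://www.ups.com/track</a>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(sample))
```

Run stand-alone, the constructed phishing sample trips all three checks (brand/domain mismatch, link text pointing at a different host, and a 24-hour deadline), while the clean sample produces no flags. These heuristics only catch the obvious cases; the point is that each human red flag on this page has a concrete, inspectable counterpart in the message itself, which is why "hover before you click" and "check the real sender address" are worthwhile habits.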
