Phishing attacks began as Nigerian prince scams in the mid-1990s, today they have morphed into well-researched and targeted campaigns that are highly effective and difficult to stop.
Although they all have the same end goal in mind, phishing scams can be harder to recognize because they can take on many forms.
In the previous blog on phishing, we discussed how to limit basic phishing attacks from affecting you or your small business. In this blog, we will go into further details about these different phishing scams and how they may appear.
Spear phishing scams send emails to specific employees and companies while pretending to be a trusted sender. Usually, these scams will lead to infections with malware or convince staff members to give up money.
While a regular phishing campaign will go after many employees across several companies, a spear-phishing scam will generally target one organization. Hackers will take the time to research the names and roles of everyone within that company and create trick emails that would seem legitimate to the entire staff.
With spear-phishing, there are basic patterns that you and your team can identify as red flags when dealing with spear-phishing emails. The most common red flag is if the sender has an incorrect email address or one that is slightly similar but different.
Make sure that your team knows these emails will almost always include some call to action or sense of urgency. The email will usually say “ASAP” or have a strict deadline.
There are some cases where email addresses are spoofed, and it may be difficult to notice the difference. Your IT team should help inspect some of the emails and make sure they pass authentication checks.
Whaling phishing scams occur when hackers use phishing techniques to go after a high-profile employee, like a CEO. Hackers understand that high-level staff members are generally savvier when it comes to recognizing phishing scams, so they must up their approach. Like spear phishing, whaling attacks will include some sort of urgent request.
The biggest example you or your executive staff should look out for is whaling attackers will often target people with the most access to information. They will usually approach them as another high-ranking employee themselves!
For example, your team might get a mass email that they have been scheduled to appear before a US District Court. That email may include a link to a “subpoena” that will most likely be infected with malware if opened.
Smishing and Vishing
Smishing is a type of phishing attack conducted using SMS messages on cell phones. Like whaling and spear-phishing scams, hackers will text the staff member instructions that are perceived as urgent. They will also include a link to try to persuade employees to install an app or security software, that will end up being malware if opened.
Vishing, or voice phishing, is a type of attack that is also conducted by phone, but usually targets staff members who use Voice over IP services like Zoom, Microsoft Teams, or Skype. As always, the goal is to get sensitive information.
If your team happens to call this number and get a voicemail, it will include instructions to give away information to the automated service. It is common for people to fall for this because automated phone systems have become a normal part of life.
Search Engine Phishing
Search engine phishing, also known as SEO poisoning, is a type of phishing attack where hackers work to become the top hit on Google or Yahoo. This type of phishing eliminates the need for an email. Instead, hackers will create a website offering cheap products or services.
When safely searching the web, your staff should be mindful of sites that feature “amazing discounts” or “free giveaways”. For the potentially unhappy employees, there may be lucrative “employment opportunities” for companies that do not exist.
Lastly, there is a likely chance that they could click on a website that has a fake emergency warning. These warnings can trick your staff into thinking their computer is infected with some sort of virus, and will often include a link to download malware disguised as antivirus software.
With the many creative ways hackers try to get employees to give away valuable information, you must make sure your team is equipped with the best tools and strategies to recognize phishing attacks. Your IT team should also have the proper antivirus and web filters in place.
Spear phishing campaigns can be slowed down by placing specific filters, so your staff knows that emails are coming in from an outside source or an inside one.
Whaling attacks are only effective if executive staff tends to be in a rush and forgets the standard policy. When dealing with smishing and vishing attacks, your team should double-check all incoming calls or texts before responding.
Lastly, you and your team should always verify the validity of a link before clicking on it. With some antivirus packages, there are browser extensions that can indicate which websites are safe or unsafe.