Here are the most common Phishing Threats doing the rounds right now. Do you know them all?
Deceptive phishing is the most common form of phishing. Criminals impersonate a legitimate company such as Amazon, Netflix, eBay or a bank and try to steal your login details (credentials). They send a genuine-looking email that prompts you to click a link to ‘log in’. The link takes you to a fake website designed to look like the company being impersonated, and some are very convincing. When you enter your username and password on that page, the attack has succeeded: the criminals now hold your credentials for the real site they were impersonating.
Spear phishing attacks are a bit like deceptive phishing, but they go one step further. They appear to come from someone you know, they address you by name, and the email itself looks very genuine. One reason they look genuine is that the sender’s account has often been compromised, and the emails are sent from that real account. The method is the same as deceptive phishing: the attackers want you to hand over your credentials by luring you into clicking a link that appears legitimate. These attacks are hard to spot. Check link addresses before clicking on them, and if a message seems even slightly unusual or out of character, confirm with the sender through another channel (a phone call, not a reply to the email, since a compromised account’s replies go to the attacker) that they really sent it. Companies should regularly train staff, with refresher sessions, on how to identify spear phishing emails and how to report it when a link has been clicked. Also avoid posting information online that identifies key people in your organisation or makes sensitive information public.
Whaling is an even more sophisticated and targeted phishing attack, aimed at senior executives. These attacks attempt to steal an executive’s login credentials, which are then used to impersonate that person for the purpose of stealing money or intellectual property. A common variant is a request to the accounts department to pay a fictitious supplier. Words such as ‘urgent’, ‘important’ and ‘immediately’ are used to hurry the victim along, so that by the time the executive realises their account has been compromised it is too late. Attackers often cover their tracks by creating mailbox rules that redirect or delete replies and any emails whose subjects contain particular keywords (for example ‘invoice’ or ‘payment’), so that the deception can continue for as long as possible.
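Incident responders look for exactly the mailbox rules described above when they suspect a compromised executive account. The following script is an added example, not part of the original article: it runs a simple audit over a set of inbox rules and flags the patterns a business-email-compromise actor typically leaves behind (forwarding to an external domain, deleting or burying messages that match finance keywords, near-empty rule names). The rule records are constructed for illustration, and the internal domain and keyword list are assumptions; in practice you would export the rules from your mail platform’s admin tooling (Exchange Online’s Get-InboxRule, for instance) and feed them through the same checks.

```python
"""Audit inbox rules for the tells of a post-compromise whaling/BEC actor.

Added example. The rules below are constructed, not exported from a real
tenant; INTERNAL_DOMAINS and FINANCE_KEYWORDS are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumption: the organisation's own mail domain(s). Anything else is external.
INTERNAL_DOMAINS = {"example.com"}

# Subject words a BEC actor typically filters on to hide victims' replies.
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "transfer", "urgent", "bank"}

# Folders attackers use to bury mail the owner is unlikely to look in.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "junk email", "deleted items", "archive"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool = True
    forward_to: list[str] = field(default_factory=list)   # forward/redirect targets
    subject_contains: list[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str | None = None


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_rule(rule: InboxRule) -> list[str]:
    """Return the reasons this rule looks suspicious; an empty list means benign."""
    reasons: list[str] = []
    if not rule.enabled:
        return reasons
    external = [a for a in rule.forward_to if domain_of(a) not in INTERNAL_DOMAINS]
    if external:
        reasons.append("forwards mail to external address(es): " + ", ".join(external))
    keywords = {w.lower() for w in rule.subject_contains} & FINANCE_KEYWORDS
    if keywords and (rule.delete_message or rule.move_to_folder):
        reasons.append("hides messages matching finance keywords: " + ", ".join(sorted(keywords)))
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
        reasons.append("moves mail to an unlikely folder: " + rule.move_to_folder)
    if len(rule.name.strip()) <= 1:
        reasons.append("rule has an empty or one-character name")
    return reasons


def audit_rules(rules: list[InboxRule]) -> dict[tuple[str, str], list[str]]:
    """Map (mailbox, rule name) to reasons for every rule that raised at least one."""
    findings = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            findings[(rule.mailbox, rule.name)] = reasons
    return findings


# Constructed sample: one legitimate rule and two typical post-compromise rules.
SAMPLE_RULES = [
    InboxRule("cfo@example.com", "Newsletters", move_to_folder="Reading"),
    InboxRule("cfo@example.com", ".", forward_to=["collector@attacker.example"]),
    InboxRule("cfo@example.com", "Cleanup",
              subject_contains=["invoice", "payment", "wire"],
              delete_message=True),
]

if __name__ == "__main__":
    for key, reasons in audit_rules(SAMPLE_RULES).items():
        print(key, "->", "; ".join(reasons))
```

Run on the sample, the “Newsletters” rule passes and the other two are reported. The checks are deliberately conservative: a rule that forwards internally, or that files mail under a normal folder name, produces no finding, so the output is short enough for a human to read during an investigation.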
It is always nice to receive a card from a close friend or family member, and that warm feeling you get when you open an e-card is exactly what makes them a popular and lucrative lure for criminals, especially around dates such as Valentine’s Day and Christmas. A fake e-card works like the other phishing emails described here: the link leads somewhere the sender never intended you to go. Our desire to be close to friends is turned into a weapon against us.
This type of phishing attack tries to gain access to an individual’s cloud storage account, such as Dropbox, OneDrive, SharePoint or Google Drive. The attack arrives as an email containing a link that, when clicked, sends you to a fake website made to look like the real service’s login page. As soon as you enter your credentials, the attacker has access to your files and any sensitive information you store in that account.
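The advice in the spear phishing and cloud storage sections above comes down to one habit: look at where a link actually goes, not at what it says. The script below is an added example, not code from the original article, that automates that check over the links in an HTML email. It extracts each anchor, compares the domain shown in the link text with the host in the href, flags hosts that contain a well-known brand name without being on that brand’s real domain, and warns on punycode host names that can hide look-alike characters. The email and the table of brand domains are constructed for illustration, and the helper that reduces a host to its last two labels is a simplification (real code would consult the public suffix list).

```python
"""Check the links in an HTML email before anyone clicks them.

Added example. SAMPLE_EMAIL is constructed; KNOWN_BRANDS is an assumption
standing in for the services you actually use.
"""
from __future__ import annotations
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains these brands really use for their login pages.
KNOWN_BRANDS = {
    "dropbox": {"dropbox.com"},
    "netflix": {"netflix.com"},
    "amazon": {"amazon.com", "amazon.co.uk"},
}


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) for every <a> element in the HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a host. Simplification: real code would use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(text: str, href: str) -> list[str]:
    """Return the reasons a link looks deceptive; an empty list means nothing was found."""
    reasons: list[str] = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        reasons.append("not https: " + href)
    # 1. The visible text looks like a URL or domain but the href goes elsewhere.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
    # 2. The host name drops a brand name but is not on that brand's real domain.
    for brand, real_domains in KNOWN_BRANDS.items():
        if brand in host and registrable_domain(host) not in real_domains:
            reasons.append(f"host {host} imitates {brand} but is not on {'/'.join(sorted(real_domains))}")
    # 3. Punycode (IDN) hosts can render as look-alike characters in a mail client.
    if "xn--" in host:
        reasons.append("internationalised host name (punycode): " + host)
    return reasons


def check_email_html(html: str) -> list[tuple[str, str, list[str]]]:
    """Run check_link over every anchor in the email body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(text, href, check_link(text, href)) for text, href in parser.links]


# Constructed sample: a "storage full" lure with one deceptive and one genuine link.
SAMPLE_EMAIL = """
<p>Your Dropbox storage is almost full.</p>
<p><a href="http://dropbox.com.storage-alert.example/login">https://www.dropbox.com/login</a></p>
<p><a href="https://www.dropbox.com/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for text, href, reasons in check_email_html(SAMPLE_EMAIL):
        print("WARN" if reasons else "OK  ", href, "|", "; ".join(reasons))
```

The first link in the sample shows a dropbox.com address but really resolves under storage-alert.example, uses plain http, and carries the brand name in a subdomain; all three are reported. The second link is the genuine help page and passes. A mail gateway or a browser extension can apply the same logic at scale, but the point of the example is that the comparison a human should make is mechanical enough to write down.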
How to protect yourself
What are two simple ways you can protect yourself against these common and frequently successful attacks?
1. If your service provider (email, cloud storage etc.) supports multi-factor authentication (MFA), also called two-factor authentication (2FA), enable it now. It is a simple defence: any attempt to log into your account also requires a one-time code, delivered by text message or generated by an authenticator app. It does not make you impervious (a phishing page that relays your code to the real site within seconds can still get in, and codes sent by text message can be intercepted), but it adds a substantial layer of security that is easy to use. Prefer an authenticator app or a hardware security key over text messages where the service offers them. And if you think your password has been compromised, change it; don’t just rely on 2FA.
2. Never use the same password for more than one service. For convenience it is all too easy to use the same password, or a variant of it, for email, shopping, photos and so on. Use a password manager to generate and store a unique, strong password for every service so that you don’t have to remember them. Then if one service is breached or phished, the stolen email address and password cannot be used to log in anywhere else (an attack known as credential stuffing).