Phishing is one of the most prevalent and dangerous forms of cyberattack currently used by cybercriminals. Understanding what phishing is, and knowing how best to combat it, is crucial to a business's overall cybersecurity standards.
This blog takes a closer look at what phishing is, the different types, what kind of impact it can have on your business, and how best to combat it.
Understanding Phishing

Phishing is a type of cyberattack where attackers pose as legitimate entities to deceive individuals into revealing sensitive information such as usernames, passwords, and financial details. These attacks are typically executed through email, social media, phone calls, and fake websites. The primary goal of phishing is to steal personal and financial information or to install malicious software on the victim’s computer.
Understanding what phishing actually is, and how it can affect your business, is crucial for employees to combat phishing attempts. Cybersecurity is ever-evolving, and phishing is no different. Let's take a look at the different types that are prevalent and often used by cybercriminals.
Types of Phishing Attacks
One of the reasons phishing attacks are so complex is that they take many different forms. This makes it much more difficult for users not only to keep track of the types of attack used by cybercriminals, but also to know how best to react. Let's take a closer look at the different types.
Email Phishing

Email phishing is the most prevalent and arguably the most dangerous form of cyberattack. It leverages the widespread use of email for both personal and business communication, making it a favoured method for cybercriminals.
Email phishing typically involves sending a fraudulent email that appears to come from a reputable source, such as a well-known company, a trusted individual, or a government agency. These emails are crafted to look convincing, often replicating the logos, language, and formatting of legitimate emails.
The primary objectives are to:
- Steal Personal Information: Attackers often request personal details, such as login credentials, driver’s license numbers, or credit card information.
- Distribute Malware: Phishing emails may contain attachments or links that, when clicked, install malware on the victim’s device.
- Manipulate Financial Transactions: Some emails aim to trick the recipient into transferring money to the attacker’s account.
Some common tactics used by cybercriminals to perform email attacks include:
- Fake invoices and bills
- Account verification scams
- Security alerts
- Prize and lottery scams
- Fake business IT Support
One of the most well-known and damaging email phishing attacks was the Sony Pictures hack. In 2014, Sony Pictures fell victim to a sophisticated email cyberattack. Employees received emails that appeared to be from Apple, requesting them to verify their Apple IDs. The attackers gained access to the company's network, leading to the leak of confidential data, including unreleased films and employee information.
Spear Phishing

Spear phishing is a highly targeted form of cyberattack where cybercriminals focus on specific individuals or businesses. Unlike generic attacks, which cast a wide net hoping to catch any victim, spear phishing is designed to deceive particular targets. This precision makes spear phishing one of the most dangerous types of cyberattacks, often leading to significant financial and reputational damage.
These attacks often incorporate personal information gathered from various sources such as social media profiles, company websites, and public records. This information is used to create convincing and personalised messages that increase the likelihood of the victim falling for the scam.
The primary steps involved in spear phishing attacks include:
- Research: Attackers gather detailed information about the target, including their job role, contacts, interests, and any publicly available personal data.
- Crafting the Email: Using the gathered information, the attacker creates a highly personalised email. This email may appear to come from a trusted colleague, a known business partner, or a legitimate service provider.
- Deception: The email typically contains a compelling message that prompts the victim to take a specific action, such as clicking a link, downloading an attachment, or providing sensitive information.
- Execution: Once the victim takes the bait, the attacker gains access to sensitive information, which can be used for various malicious purposes, including identity theft, financial fraud, or corporate espionage.
Some general strategies used by cybercriminals to perform spear phishing include:
- Impersonation of trusted contacts
- Customised content
- Use of urgency and fear
- Exploiting current events
One of the highest-profile examples of spear phishing was actually against a major cybersecurity company, RSA Cybersecurity. In 2011, they fell victim to a cyberattack which, allegedly, was Chinese state-sponsored. It used a spear phishing email campaign as the first entry point, in which the attackers enticed employees to click on a malicious attachment.
The attackers then gradually escalated their privileges, moved laterally across the network, and gained unauthorised access to RSA’s SecurID tokens, which were widely used by businesses for two-factor authentication.
Whale Phishing (Whaling)

Whale phishing, also known as whaling or CEO fraud, is a highly targeted and sophisticated type of spear phishing attack that aims at high-profile individuals within a business, such as executives, senior management, and other key decision-makers. Due to the high value of the information and access these individuals possess, whaling attacks can have destructive effects for businesses.
Whaling attacks involve meticulous research and social engineering to craft highly convincing messages that appear to come from trusted sources or address specific concerns relevant to the target.
The primary goals of whaling attacks include:
- Financial Gain: Manipulating the target into authorising large financial transactions to fraudulent accounts.
- Data Theft: Gaining access to sensitive information, such as intellectual property, strategic plans, or personal data.
- Corporate Espionage: Stealing proprietary information or trade secrets to gain a competitive advantage.
The steps involved in executing a whaling attack typically include:
- Reconnaissance of the target
- Crafting the message using the gathered data
- Deception and manipulation within the message
- Execution
A high-profile case of whale phishing, or whaling, involved Crelan, a bank from Belgium. Crelan was targeted by a whaling attack in 2016, resulting in a loss of over $75 million. Attackers impersonated the bank's CEO and sent emails to senior executives, requesting urgent financial transfers. The highly personalised nature of the emails and the attackers' knowledge of internal processes contributed to the success of the scam.
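
The pattern described above (an executive's name on the sender line, urgency, and a request for a financial transfer) can be screened for at the mail gateway. The following is an added example, not code from this article or from any product: the organisation domain, the executive names, the keyword lists and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example, not taken from the article: the organisation's
# mail domain and the executives whose names an attacker might borrow.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}
URGENCY = ("urgent", "immediately", "today", "asap", "confidential")
PAYMENT = ("transfer", "wire", "payment", "invoice", "bank account")

# Constructed sample messages (plain text, single part).
SPOOFED = (
    "From: Jane Doe <jane.doe@example.net>\n"
    "To: cfo@example.com\n"
    "Subject: Urgent transfer\n\n"
    "Please wire the payment today. Keep this confidential.\n"
)
GENUINE = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: cfo@example.com\n"
    "Subject: Board agenda\n\n"
    "Agenda attached for Thursday.\n"
)

def whaling_indicators(raw_message: str) -> list[str]:
    """Return the CEO-fraud indicators found in one inbound email."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    parts = [p.get_payload() for p in msg.walk() if not p.is_multipart()]
    text = " ".join([msg.get("Subject", "")] + parts).lower()

    found = []
    # An executive's name shown on an address outside the organisation's domain.
    if display_name.strip().lower() in EXECUTIVES and domain != ORG_DOMAIN:
        found.append("executive-name-external-sender")
    if any(word in text for word in URGENCY):
        found.append("urgency")
    if any(word in text for word in PAYMENT):
        found.append("payment-request")
    return found

def should_hold(raw_message: str) -> bool:
    """Hold for out-of-band verification when impersonation meets a payment ask."""
    found = whaling_indicators(raw_message)
    return {"executive-name-external-sender", "payment-request"} <= set(found)
```

Keyword matching here is by substring, so the lists need tuning against real mail before a hold rule like this is enforced.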
Looking to Protect your Business from Phishing Cyberattacks?

Contact the team at Adept IT Solutions today!
As we have discovered through this blog post, phishing cyberattacks can have extremely serious consequences for businesses. The loss of sensitive data and personal information, along with financial theft, can ultimately cripple a business.
Adept IT Solutions can assist your business, enhancing your cybersecurity and overall levels of protection throughout the organisation. As a leading Managed IT Services provider in the Newcastle, Lake Macquarie, Central Coast and Sydney areas, Adept IT Solutions has the knowledge and dependability required for such an important investment in your business.
With an extensive list of services, you can rest assured knowing that Adept IT Solutions can assist with all your IT support needs. Contact us today at 1300 423 378 (ADEPT) or email us at info@adept-it.com.au.