Phishing can be performed over any communication medium. Some of the most common types of phishing include:
When most people think of phishing, they think of emails. Email phishing is itself separated into a few different types:
Voice phishing attacks involve calling the intended victim and attempting to persuade them to perform an action. The caller may pose as a collection agency querying an unpaid bill, or someone from "tech support" who needs access to the user's computer.
In an SMS phishing attack, the malicious party will send a text message asking the victim to click a link or reply to the message. These attacks often copy the kind of SMS message a person would receive from a courier or a government website, even down to replicating the number it was sent from.
Page hijacking attacks involve the attacker cloning a website and directing the victim to it. This could be a broad attack where they attempt to generate lots of traffic to the fake page through paid advertising, or a targeted attack where page hijacking is combined with other forms of phishing.
Calendar phishing takes advantage of poorly configured calendar defaults to place phishing links directly in people's online calendars. Many people are trained to look out for phishing links in their emails but may not be aware that it's possible to insert malicious links into their calendars too, giving these attacks a relatively high chance of success.
The way the messages are delivered is just one part of phishing. It's also important to be aware of how the scam works. Successful phishing emails employ several techniques to bypass email filters and fool the recipient into clicking the link or following through with the desired action.
Link manipulation is used to make a link in an email look like the address of the website the attacker is impersonating, while the link actually leads to the attacker's website. Some perpetrators go a step further and use unusual characters or long, complex addresses to fool users who may not understand the difference between a top-level domain and a sub-domain.
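As an added defender-side illustration (not code from the original article), the following Python compares a link's visible text with its real destination to surface the tricks described above: mismatched domains, a brand name pushed into a sub-domain of an unrelated domain, and non-ASCII or punycode hosts. The short suffix set and the sample URLs are constructed assumptions, not a full Public Suffix List.

```python
import re
from urllib.parse import urlparse

# Assumption: a small stand-in for the Public Suffix List, covering a few
# suffixes where the registrable domain is three labels deep (not the full list).
_MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname an organisation actually registers,
    e.g. 'example.com' for 'login.example.com'. A look-alike such as
    'example.com.evil.test' therefore resolves to 'evil.test'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_findings(href: str, display_text: str) -> list[str]:
    """List link-manipulation indicators for one anchor: display text naming a
    different registrable domain than the real target, the claimed domain used
    only as a sub-domain label of the real target, and IDN/homoglyph hosts."""
    findings = []
    host = urlparse(href).hostname or ""
    target = registrable_domain(host)
    # If the visible text looks like a URL or hostname, check where it claims to go.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", display_text.lower())
    if m:
        claimed = registrable_domain(m.group(1))
        if claimed != target:
            findings.append(f"display text names {claimed} but link goes to {target}")
            if claimed in host:
                findings.append(f"{claimed} appears only as a sub-domain of {target}")
    if any(ord(ch) > 127 for ch in host):
        findings.append("non-ASCII characters in host (possible homoglyph)")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) host")
    return findings
```

Constructed sample: `link_findings("https://paypal.com.account-verify.example/login", "https://paypal.com")` returns two findings, while a link whose text and target agree returns an empty list.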
Attackers often use images to bypass phishing and spam filters. Email platforms and software usually have filters in place to block spam and malicious emails, but those filters are not always good at inspecting content that is delivered as an image rather than as text.
The practice of social engineering involves identifying victims and building trust. For example, if someone falls for the first stage of a phishing attack and replies to an email, the attacker will gradually ask them to hand over personal information, using plausible excuses as to why they need each bit, rather than demanding it all in one go.
Phishing attempts can vary from being relatively poorly constructed email messages full of spelling, punctuation and grammar errors to carefully crafted and highly targeted messages. Some common things to look out for include:
Businesses looking to protect themselves from targeted phishing attacks should consider taking a variety of precautions, including improvements to their security policies and training their staff to spot and avoid cyberattacks. Some useful precautions include:
Enable aggressive email filtering and content redaction at the network level if possible. Blocking known malware or tracking sites can go a long way toward reducing phishing threats. Consider displaying a warning on all emails that come from an address that's not in the user's address book.
Use a browser configured to display an alert if the user is directed to an insecure website or a known phishing website. Ensure users are not able to disable or bypass these alerts.
Use extra security features in addition to password logins. For example, biometric security can be employed for important systems. In addition, using "confidence images" as part of the login process can alert users to the possibility they're on a phishing site.
Enabling MFA for important systems can reduce the risk of phishing and other forms of cyberattacks. Consider using a hardware authenticator over SMS-based two-factor authentication, because SMS authentication can be bypassed via SIM-swap attacks.
Phishing attacks on businesses can be incredibly costly, especially if they provide a route for attackers to infect your network with ransomware. Learn how Veeam can help you protect your business's vital data with backup and recovery solutions and ransomware protection.