What are types of phishing that your company may face?
Phishing is the method hackers most commonly use to steal corporate data. It is relatively easy and cheap to execute, and it is also highly effective. According to CERT Poland data, phishing accounted for as much as 77% of the incidents observed in 2021. Cybercriminals keep transforming and refining their methods so as to deceive recipients ever more effectively. That is why they do not operate in a single way but employ various types of phishing. What exactly do these types entail, and why do they pose a threat to a company? Read on.
Email phishing
This is the most popular and oldest type of phishing. Cybercriminals carefully craft an email message that impersonates a trustworthy source, such as a bank or a courier company, and send it to hundreds of recipients. It takes only one employee who opens the email and clicks a suspicious link or downloads an attachment carrying malicious software to cause a data leak affecting the entire company. And that is just the beginning of many problems, which in severe cases can even end in bankruptcy.
This kind of phishing can be likened to fishing. The hacker casts a line in the form of an email and waits in the hope of catching something. Sometimes they catch nothing, sometimes small fish, and sometimes a truly substantial catch in the form of large companies and corporations.
Spear phishing
As the name suggests, in this case the cybercriminal does not cast a line hoping to catch anything at all. Instead, they use a spear, aiming at a specific victim.
They select an individual, an organization, or a group within an organization (such as a company's IT administrators) and focus their efforts on it. They conduct careful research, gathering useful information about the chosen victim's personal and professional life. On that basis they can prepare a personalized, and therefore far more credible, message than in the case of email phishing. Recipients often take it to be authentic and are easily deceived into sharing confidential data.
Whaling
When employing whaling phishing, hackers ignore the smaller and larger fish and hunt for a whale: a high-level decision maker such as a company director. This is a complex and demanding attack to carry out, but it brings the attacker substantial rewards. After all, the person at the helm of the organization usually has access to all the data the organization works with, including confidential information that few others know.
In whaling phishing the criminal likes to impersonate an employee of the targeted company. For instance, they may pose as a manager and request authentication data or ask for a funds transfer. They skillfully replicate the company's email footer in order to deceive high-level executives.
Clone phishing
In this method of deception, the criminal intercepts a genuine email message addressed to the recipient that contains a link or an attachment. Using the captured email as a template, they then create a fake message: they add a malicious attachment or link to the manipulated content and send it from an address closely resembling the original one. The recipient has little reason for suspicion, as the form and content of the email look exactly as they should.
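As an added example that is not part of the original article, the following Python check shows how a mail gateway or SOC analyst could test the headers of an incoming message for the two tell-tale signs of such a cloned email: a sender domain that merely resembles the company's own, and a Reply-To that points somewhere else. The corporate domain `example-corp.com`, the table of confusable characters and the sample headers are constructed assumptions, not data from the article.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com"}  # constructed: the company's own domain
# Character swaps that make a forged domain look like the real one at a glance.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def normalize(domain):
    """Lower-case a domain and fold visually confusable characters."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(header_value):
    # Domain part of an address header; '' when the header is missing.
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def is_lookalike(domain, trusted=TRUSTED_DOMAINS):
    """True if `domain` is not trusted but resembles a trusted domain."""
    if not domain or domain in trusted:
        return False
    return any(normalize(domain) == normalize(t) or edit_distance(domain, t) <= 1
               for t in trusted)

def check_message(raw):
    """Findings for one raw RFC 5322 message: lookalike From, Reply-To mismatch."""
    msg = message_from_string(raw)
    frm, reply = sender_domain(msg["From"]), sender_domain(msg["Reply-To"])
    findings = []
    if is_lookalike(frm):
        findings.append(f"From domain {frm!r} imitates a trusted domain")
    if reply and reply != frm:
        findings.append(f"Reply-To domain {reply!r} differs from From domain {frm!r}")
    return findings

# Constructed sample: a cloned invoice thread resent from a typosquatted domain.
SAMPLE = ("From: Accounts <invoices@exarnple-corp.com>\n"
          "Reply-To: invoices@pay-portal.example\n"
          "Subject: Re: Invoice 4471 (updated attachment)\n\nPlease use the attached invoice.\n")
```

Running `check_message(SAMPLE)` yields two findings: the "rn" in `exarnple-corp.com` folds to the trusted domain, and the Reply-To domain does not match the From domain.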
Phishing via online ads (malvertising)
In this form of phishing, cybercriminals pay real advertisers to create online ads. If such an ad piques the recipient's interest, they click the link it carries, which takes them to a malicious website.
The result is a computer infected with malicious software, such as a banking trojan or ransomware. If an employee clicks the ad on their work laptop, hackers gain easy access to the company's data.
Voice phishing (vishing)
Vishing, or voice phishing, is used to extract valuable corporate data over the phone. The fraudster calls the victim while impersonating a trustworthy institution, most often a bank employee. They tell the victim that there has been an attempted breach of the company's account, requiring an immediate security verification, or that the bank needs to carry out a service quality audit, requiring a quick test transfer.
The caller inspires trust with their politeness and competence. Under time pressure and fearing the threat, the recipient often fails to analyze the situation or verify the authenticity of the call. Instead, they obediently hand over the access data requested by the "bank employee."
SMS phishing (smishing)
This type of attack closely resembles email phishing, except that it takes place through SMS messages. Impersonating a familiar sender, the hacker sends messages that urge recipients to click a link or download an attachment. For instance, they might pretend to be a courier company requesting a small additional payment for a package, or a bank asking for account verification.
Search Engine Phishing (SEO Poisoning)
With this type of phishing, cybercriminals create a replica of a genuine webpage, often that of a bank, and work to secure a high ranking for it in search engine results. The victim searches for their bank's webpage, clicks the top result, and logs into their account. Unfortunately, this is not the genuine site but one controlled by the hackers. In this relatively simple way, they acquire the victim's access data.
How to ensure a company's cybersecurity? Conduct a free cybersecurity audit to uncover vulnerabilities. Additionally, regularly visit our blog, as well as our fan page or LinkedIn profile, where we share useful information about cyber protection.
Until next time!