What is Phishing?
Understanding the Common Types of Phishing
Definition of Phishing
Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker[1] or to deploy malicious software on the victim’s infrastructure like ransomware.
The Problem with Phishing
As of 2020, phishing is by far the most common attack performed by cybercriminals, the FBI‘s Internet Crime Complaint Centre recording over twice as many incidents of phishing than any other type of computer crime.[3]
Critical Types of Phishing
There are many types of phishing, but these are the nine most common that we see regularly.
This type of attack tricks the user into giving up their credentials by representing a near-copy of a legitimate web page.
Capable of updating or downloading JavaScript, these malicious apps and extensions downloaded script to control the complete browser canvas.
A form of phishing that utilizes mobile devices as an attack vector. Initiated as a text message disguised as a text from a bank or trusted brand.
The goal of social engineering is to motivate a user to complete a form or install something to access information or money.
Spear phishing targets a smaller group or a specific department in an organization. It isn’t easy to detect as it appears to come from a sender closely aligned with the recipient.
Supply chain attacks are when a cybercriminal infiltrates an organization through an outside partner or vendor with access to internal systems.
BEC attacks often request for funds to be sent, or wire transferred to pay an invoice or for a service. The targets are employees with access to bank information, like accounts payable or finance.
The exact functionality of Man-in-the-Middle attacks is collecting and selling data from victim organizations.
A form of phishing that utilizes mobile devices as an attack vector. Initiated as a text message disguised as a text from a bank or trusted brand.
Credential phishing, also known as credential theft and credential stealing, is a common phishing attack where threat actors trick users into giving up their login details through fake websites that resemble legitimate ones, often using well-known brands. Even with training, users can still fall victim to these attacks, as the phishing techniques have become more sophisticated. An example of credential phishing is when users may be presented with a fake login page that mimics their normal two-factor authentication experience, leading them to give up their authentication codes and login credentials.
Enterprises have tried to minimize these attacks by training employees to identify and avoid fake sign-in pages, but errors still happen. To protect against phishing, experts suggest using AI (Artificial Intelligence) and machine learning to detect and respond to anomalous behavior quickly.
Malicious browser extensions can be highly sophisticated, often designed with legitimate functionality to bypass security checks on Chrome extensions. They can download JavaScript on the fly, and once installed, malicious scripts can be downloaded from the web, making it hard to distinguish between legitimate and malicious JavaScript. Cybercriminals have found a workaround for organizations that rely heavily on 2FA (2 Factor Authentication) by installing browser extensions that have access to the complete canvas of the browser, hijacking the session and capturing whatever is being rendered on the computer screen.
Once a user logs in legitimately, cybercriminals can start exfiltrating data from the browser, leaving organizations vulnerable. With the increase of phishing attempts that can bypass 2FA or multi-factor authentication, using extensions that make life easier like logging into email faster or using a PDF Converter is risky. Organizations must recognize the threat that malicious browser extensions pose and take steps to prevent these types of attacks from compromising their security.
Smishing is a type of phishing attack that uses SMS messaging and phishing (smishing) to target mobile devices. These attacks often take the form of text messages that appear to be from trusted sources, such as banks or retailers, and contain links to phishing sites that aim to steal login credentials or other sensitive information. Smishing attacks are particularly effective because people tend to trust messages received on their mobile devices, and often respond to them quickly and without much thought.
As mobile devices become more widely used for work communication, the threat of smishing attacks is likely to increase. In addition, the lack of effective phishing protections on iOS and Android devices makes them vulnerable to these types of attacks. With SlashNext, however, malicious SMS messages can be accurately identified and quarantined, providing protection against smishing attacks. The SlashNext mobile apps offer heavy-duty protection against smishing attacks while consuming minimal memory and battery resources.
Social Engineering is a technique used by cybercriminals to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. This could be achieved through a combination of phishing techniques or even impersonating someone in person to gain access to a system or building. The goal for social engineering scams is to psychologically manipulate targets into disclosing sensitive information or taking inappropriate actions without realizing they have done something wrong until the fraud is exposed.
One of the most famous examples of social engineering was the Twitter breach involving Bitcoin transfer scams. Celebrity accounts were compromised, and the hackers used the trust built with hundreds of thousands of followers to perform Bitcoin scams. SlashNext’s Threat Lab sees dozens of similar cryptocurrency scams each day that use celebrity photos and names to conduct Bitcoin phishing. Cybercriminals prefer stealing cryptocurrency because it can be used for nefarious purposes on the Dark Web, leaving no trail behind. With such scams on the rise, it is important to be aware of the dangers of social engineering and the need for effective cybersecurity measures to protect oneself and one’s assets.
Phishing is a type of cyberattack, which most people are familiar with as mass emails, that try to trick someone into taking an action, such as clicking on a link or downloading an attachment. Once the recipient takes the bait, malware is installed on their computer system or network, which compromises its security. These types of threats are becoming more sophisticated as attackers design emails and websites to look like established and trusted brands. This is where spear phishing comes in.
Spear phishing is a targeted type of phishing attack. SlashNext Threat Labs saw a surge in spear-phishing attacks that targeted companies involved in COVID-19 vaccine and therapeutic development during the pandemic. In a 60-day period, over 800 spear-phishing domains belonging to the same threat actors were launched during the pandemic. These attacks were designed to appear trustworthy, and they targeted specific individuals, such as employees of companies that were working on COVID-19 vaccines or therapeutics. The goal was to steal sensitive account credentials. In this case, the attacks pointed to Office 365 login pages.
Supply chain attacks occur when cybercriminals gain unauthorized access to an organization’s internal systems and data through an outside partner or vendor who has access to sensitive information. As suppliers and service providers have more access to confidential data, this type of supply chain attack is becoming more prevalent. With the use of cloud and social tools, including automation, trusted domain hosting, and behavioral targeting, cybercriminals can move with greater speed and effectiveness.
According to CSO magazine, all technology vendors, including security companies, are susceptible to supply chain attacks. Nation-state actors are exploiting vulnerabilities, such as lapsed security patches and targeted spear phishing attacks, to take advantage of the human element. As seen in the SolarWinds, FireEye, and Mimecast breaches, these cybercriminals have the skills and resources to breach even the most security-conscious organizations.
Business email compromise is a phishing scam that targets companies for financial gain by spoofing or compromising email accounts of executives or finance personnel to request fraudulent wire transfers. These attacks lead to millions of dollars in losses for companies every year. Business Email Compromise, or BEC, attacks are mostly delivered through email, but cybercriminals are also having success with this type of scam through SMS text messaging. There are five categories of BEC scams, including fake invoices, CEO fraud, account takeover, attorney impersonation, and data exfiltration.
Cybercriminals are now using generative AI to produce a wide range of outputs, including text, images, music, and more, to increase the speed and variation of their attacks. They can use this technology to create SMS messages, fake social media profiles, and well-written personal emails en-masse with infinite variations, making this method of cyberattacks dangerous to victimized organizations.
To counteract these AI attacks, SlashNext HumanAI™ uses AI cybersecurity technology that adds augmented AI and behavioral contextualization to computer vision and natural language processing (NLP) to detect BEC in email and mobile with unprecedented predictability. The technology can predict millions of new variants of the threats that might enter an organization, closing the security gap and vulnerabilities created by this dangerous trend.
Man-in-the-Middle attacks aim to collect and sell data, and malicious browser extensions have become a popular method for cybercriminals to bypass organizations that heavily rely on Two Factor Authentication (2FA). Once a browser extension is installed, it can access the entire browser canvas, hijack the session, and capture whatever is being rendered on the computer screen. As browser plugins have full access to most browser resources and information being entered and rendered within the browser, injecting malicious code inside browsers disguised as benign-looking browser extensions has given cybercriminals unlimited access to all the data within the browser.
These browser extensions can bypass SSL encryption, and to bypass 2FA, they usually wait for the authentication phase to be completed before snooping on the authenticated session and stealing data. Despite the birth of 2FA as a response to ineffective security defense solutions, Man-in-the-Middle attacks can now bypass even multi-factor authentication. As a result, there are increasing numbers of phishing attempts that aim to take advantage of this vulnerability.
Business Text Compromise (BTC) is a type of fraud that targets executives or finance teams with the aim of defrauding companies. Similar to Business Email Compromise (BEC), BTC attacks are carried out via SMS or text messages and request information, funds to be sent, or wire transfer. The cybercriminals impersonate trusted vendors or company executives and target new employees or those who have access to bank information like accounts payable or finance.
It’s important to note that Business Text Compromise, or BTC, is gaining popularity among cybercriminals due to the success rate of scams carried out via text messages. Some of the BEC scams are also present in BTC, such as CEO or CFO fraud, account takeover, vendor impersonation, and IRS impersonation. In CEO or CFO fraud, a cybercriminal poses as a CEO or executive and asks employees to complete a money transfer or send gift cards. In account takeover, the employee’s account is hacked and used to request payments using email contacts and sent from the legitimate email address, with payments sent to cybercriminal bank accounts instead of the actual vendor. In vendor impersonation, cybercriminals impersonate vendors and request fund transfers for payments to an account owned by cybercriminals. In IRS impersonation, cybercriminals impersonate a lawyer asking for fraudulent requests to gather confidential information.
It’s Time to Get Started with SlashNext
Learn how to leverage the industry’s best zero-hour phishing protection and IR solutions in your environment.
6701 Koll Center Parkway, Suite 250
Pleasanton CA 94566
800.930.8643
info@slashnext.com
© All Rights Reserved, SlashNext, Inc.
Social Engineering Scams