Phishing attacks, seeking confidential information, are becoming ever more commonplace and sophisticated. Unfortunately, there is also a persistent myth that only technologically unsavvy individuals are susceptible. This couldn’t be further from the truth, especially when you understand just how sophisticated phishing attacks can be.
For example, the people undertaking these activities (threat actors) have become more adept at spoofing email addresses to look legitimate. In many cases the emails themselves are designed to imitate government or banking organisations, often ‘borrowing’ logos and information from the websites they are imitating – embedding hidden links behind on-screen links. These the malicious websites they convince victims to visit are almost indistinguishable from the real thing.
Some common phishing tactics being employed today are:
Smishing
This type of phishing convinces targets to give up personal information via text message or SMS. SMSs use a non-descript phone number instead of an email address so are harder to detect. The message might contain malicious links to websites or apps, automatically deploy malware, or implore a user to phone an actual operator affiliated with the threat actors.
Malvertising
These are legitimate-looking digital ads that contain malicious scripts. They can appear in untrusted software as well as websites. If they are clicked, they will download malware or redirect the user to a malicious site.
Vishing
This is when a real-life operator or automated voice system is used to carry out a phishing attack. Targets can be contacted via a phone call, VoIP, or even a video call.
Spear phishing
Targeting employees within an organisation rather than the general public.
Whaling
Specifically, targeting senior executives pretending to be a colleague.
Phishing is particularly dangerous to financial and insurance institutions because of the massive amount of personal data they hold coupled with the sheer volume of external electronic communications. There have been numerous high-profile cases of Business Email Compromise (BEC), when an attacker successfully infiltrates, takes over, or redirects traffic from an organisation’s email server.
Warren Gunn, CTO
