How to defend against phishing, vishing and other malicious attacks
Tips / 11.11.2021
Our reliance on the internet today is so high that we can barely imagine living our lives without it and the technology that is associated with it.
Yet, despite this, there are individuals with malicious intent who are keen to exploit your online vulnerabilities in various types of attacks and gain access to your personal information such as logins, passwords, payment details, etc.
This can have disastrous consequences. Both for you and for the organisation which you work for. And the numbers prove this point.
Table of Contents:
For example, in 2020, 75% of organisations globally experienced a phishing attack according to Proofpoint.
If this is not a staggering enough fact, think about this: a fifth of all employees in an organisation are likely to click on a phishing email link and what’s even scarier is that 67.5% of employees will enter their credentials on a phishing website, according to Terranova Security.
This has led to so much fear and concern to such an extent that 26.66% of business owners are worried about being targeted by cyber attacks in 2021, in terms of BDO.
When social engineering attacks come into play, they can have serious consequences for an organisation. These include both internal and external downtime with customers, damage to an organisation’s reputation, as well as loss of intellectual property and remediation time or time needed to recover from such an attack.
In addition, there are significant monetary losses that can be experienced, costs associated with response and remediation, loss of revenue, compliance fines, legal fees and possibly also the loss of customers.
All these make for very strong reasons to ensure you protect yourself from phishing and other malicious attacks. But first of all, what is phishing and what types of other attacks can you be exposed to? Let’s take a closer look.
In simple terms, phishing is a type of social engineering attack which is sent via email to unsuspecting users. This email appears to come from a legitimate organisation, but is in actual fact a fraud.
Its purpose is to gain valuable personal details from the target in order to gain access to their computer, infect it, steal information that will give them access to your sources of finance and more.
Here are some of the most common phishing attacks:
Deceptive phishing: for example, this can include a fake email from a bank which asks you to click on a link or verify your account details. By doing this, the cyber fraudster will gain access to your account details and will be able to steal money from you or launch other attacks. Its main purpose is to obtain confidential information.
Spear phishing: the attacker typically targets specific individuals instead of a wider group. They previously research the victims using their social media channels and other sites in order to customise their communication and seem more believable.
Whaling: a whaling attack is usually targeted at top-level executives and CEOs. The attacker will usually profile their target in an effort to get them to reveal their login credentials. This is highly problematic because these executives often have access to a wide range of company information.
Pharming: here, the attacker sends the victim to a fraudulent website, even though it may appear to look legitimate. This is particularly troublesome because with this method, victims don’t even have to click on a malicious link in order to be taken to the fake website. The attacker can do one of two things to achieve this goal: either infect the user’s computer or the website’s DNS server in order to redirect the user to the fake website. This is the case even if the right URL is entered.
Other examples of phishing include the following:
1. Receiving a fake invoice: this type of scam depends on fear and urgency, placing pressure on the victim to submit a payment for something they’ve not ordered or even received.
2. Upgrade your email account: whether from your company’s IT department, Google or Microsoft, these types of emails require the user to take immediate action to prevent their account from expiring.
3. The scam for advance fees: we’ve all heard of foreigners who need to recover a large amount of money with your help. Although we might feel as though we can recognise these types of scams, there are still people out there who are susceptible to them.
4. Google Docs: this scam is particularly troublesome as the sender can sometimes appear to be someone you know. In the email, you will be encouraged to click on a link to view a document. The link then takes you to a login page that’s nearly identical to the Gmail login page. Once you’ve selected an account, you can give access to your Google account, which ultimately means you have let the attacker in.
5. Messages from HR: these types of emails generally contain a malicious attachment that will install malicious software on your device if you click on it. To prevent this, double-check with HR whether they have, in fact, sent you an email of this nature. If not, do not click on any links.
6. Dropbox: this is a platform for online sharing and storage and with this attack, users are typically asked to click on a link which will take you to the Dropbox lookalike login page where you’re required to enter your details.
7. Council taxes: this is a scam that tries to get users to give away their details by offering some form of compensation or refund. Ultimately, this can seem attractive to many people and they are then duped into clicking on links and entering their personal information which the scammer can now have access to.
8. Unusual activity: an unusual activity email is generally bound to cause panic and urgency, leaving users feeling that the only option they have in order to protect their account is by doing what the email says.
Phone-based phishing also known as vishing is another common type of attack where the attacker pretends to be from a legitimate institution or organisation letting you know that something is awry and that you need to take certain steps to protect yourself from loss of data. They will ask you for information to verify your account and provide personal information such as card numbers.
In other cases, positive psychology will be used to let you know that you’ve won something or that you’re getting good news, and you’ll then be asked to provide personal information in order to receive the prize.
Also known as SMS-phishing, attackers can try to get you to take actions that are harmful to you through sending you a text message on your phone.
There are several ways to do this:
- Ask you to download a malicious app: by downloading such apps on your mobile device, they can deploy ransomware or enable other attackers to remotely control your device.
- Clicking on a malicious link: you could be tricked into clicking on a malicious link, which will then redirect you to a website that is designed with the sole purpose of stealing your personal information.
You’re asked to contact tech support: here, you’re given a number to call for customer support. The person will then act as though they are legitimately from the customer support service and will try to trick you into giving out your personal information once again.
How to protect yourself:
- Use spam filters in your email
- Install antivirus software on your devices
- Change your passwords regularly
- Avoid using the same password for multiple accounts
- Use the CAPTCHA system for extra security
- Always contact the company directly by using a phone number listed on their legitimate website
- If you receive a link in an email, hover over the URL first. Secure websites use SSL certificates that start with “https” where the “s” stands for secure.
- Ask yourself if you were expecting an email from the sender or if this email is out of the blue
- Check whether the email contains links and attachments and ask yourself whether you were expecting such an email in the first place
- See if the email copied in other people that you don’t know personally or haven’t heard of before
- Check hyperlinks for spelling errors
- Check the date and time which you received the email – is it within business hours or during an odd period of the day or night?
- Check whether the email’s subject line and the body of the email do not match each other
- Check for attachments and determine whether you were expecting such an attachment in the first place
- Regarding the content, check for urgency and efforts to get you to panic as well as take urgent steps to provide personal information
- Check the email for grammar and spelling errors
- Report phishing to the right body/department
Phishing and social engineering attacks in the world are on the rise and vigilance is necessary by every employee and individual to help them avoid loss of personal data, funds and even a loss in organisational reputation.
There are many ways you can protect yourself, as you are the first instance of protecting your organisation from such attacks. By following the above-mentioned tips, you should be on your way to keep your data and that of your company safe and protected.
However, constant vigilance is required as attackers can continue to try and get your information. Therefore, be aware of every single email, SMS or call that you receive.
If in doubt, hang up, don’t click on anything suspicious and seek professional assistance from your IT department.
Share this post: