In our last blog post, we touched on the 5 categories of phishing. We learned about vishing, smishing, search engine phishing, spear phishing, whaling, and the scenarios one could find themselves in when faced with a phishing attack. In today’s post, we’ll go over seven common types of phishing and what you can do to avoid them.
1.) CEO Fraud
CEO Fraud occurs when a cybercriminal sends an email to a regular employee (usually someone in the accounting or finance department) pretending to be the CEO or another executive of the company. The goal of these emails is to fool the employees into completing unauthorized wire transfers or disclosing confidential information.
Always check the sender’s details and confirm their identity before acting. Unless you’re 100% certain of who sent the request, don’t act on it; a wire transfer or a request for confidential data deserves a call back on a number you already have, not a reply to the email. Take a look at this helpful chart from KnowBe4 to get a better understanding of CEO fraud.
2.) Clone Phishing
Clone phishing is when a previously sent email that contains a link or attachment is maliciously copied to create a near-identical or cloned version. Scammers swap the attachment and/or link in the email with a malicious one. The cybercriminal often uses the excuse that they’re resending the original message because of some type of issue with the link or attachment, hoping that the victim will try clicking on the “fixed” attachment or link.
To prevent a clone phishing attack, always check the sender’s email address and confirm it’s legitimate. Hover over any link to see where it actually leads before clicking on it; the visible text and the real destination are often different. If something looks off, follow up with the organization it appears to be coming from in a separate email or phone call, using contact details you already have rather than any in the suspicious message.
3.) Domain Spoofing
Domain spoofing occurs when a cybercriminal spoofs an organization’s domain. These criminals are known to purchase domains that sound similar to popular, trustworthy domains like google-info.com and manager-apple.com. The goal of this kind of phishing is for cybercriminals to make their emails look like they’re coming from a legitimate domain by forging an email header or making a fake webpage that looks identical to the real domain’s site design using a similar URL.
While domain spoofing can be hard to recognize, keep an eye out for anything that looks off: a brand name with extra words or hyphens attached, a swapped letter, or a sender domain that doesn’t match the organization’s real one. If something looks wrong, verify the organization’s actual email address or webpage and report any suspicious domains to anti-phishing organizations.
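The two checks described above (a sender domain that borrows a brand name or is a near-miss of a real one, and a link whose visible text shows one site while its href points to another) can be automated in a mail-triage rule. The following is an added example written for this post and is not code from the original post or from Elevated Technologies; the trusted-domain list, the brand words and the sample message are all constructed for illustration, and the lookalike domains it catches (google-info.com, manager-apple.com) are the ones the post itself names.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample data (not from the post): the real domains an organisation
# trusts, and the brand words a lookalike domain is likely to reuse.
TRUSTED_DOMAINS = {"google.com", "apple.com", "example-bank.com"}
BRAND_WORDS = {"google", "apple", "example-bank"}

# <a href="...">text</a> pairs in an HTML body, and a host-like visible text
# such as "https://example-bank.com/statement" or "www.google.com".
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
HOSTLIKE_RE = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?", re.I)


def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From: header ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to catch character-swap lookalikes (g00gle.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(from_header, trusted=TRUSTED_DOMAINS, brands=BRAND_WORDS):
    """Explain why a sender domain looks like a spoof of a trusted brand, or None.

    A domain is trusted if it is in the list or a subdomain of an entry.
    Otherwise it is flagged when its first label reuses a brand word
    (google-info.com, manager-apple.com) or when it is within two edits of a
    trusted domain (g00gle.com).
    """
    domain = sender_domain(from_header)
    if not domain or domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return None
    label = domain.split(".")[0]
    for brand in sorted(brands):
        if brand in label:
            return f"'{domain}' reuses brand word '{brand}' but is not a trusted domain"
    for real in sorted(trusted):
        if edit_distance(domain, real) <= 2:
            return f"'{domain}' is within two edits of '{real}'"
    return None


def mismatched_links(html):
    """Return (visible_text, href) pairs whose text shows one host but whose
    link points to another: the mismatch a reader only sees by hovering."""
    findings = []
    for href, inner in LINK_RE.findall(html):
        text = TAG_RE.sub("", inner).strip()
        shown = HOSTLIKE_RE.fullmatch(text)
        if not shown:
            continue  # plain link text like "Help centre" is not a spoof of a URL
        actual = urlparse(href).hostname or ""
        if shown.group(1).lower() != actual.lower():
            findings.append((text, href))
    return findings


def triage(from_header, html_body):
    """Collect every reason a message deserves a second look before anyone acts on it."""
    reasons = []
    reason = lookalike_reason(from_header)
    if reason:
        reasons.append(reason)
    for text, href in mismatched_links(html_body):
        reasons.append(f"link shows '{text}' but points to '{href}'")
    return reasons


# Constructed sample message in the style of a clone-phishing resend (not real mail).
SAMPLE_FROM = "Example Bank Security <alerts@example-bank-secure.com>"
SAMPLE_HTML = """
<p>We re-sent your statement because the earlier link was broken.</p>
<p><a href="https://example-bank.com.login-portal.net/statement">https://example-bank.com/statement</a></p>
<p><a href="https://example-bank.com/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_FROM, SAMPLE_HTML):
        print("FLAG:", line)
```

Run as a script it flags the sample twice: the sender domain reuses the bank’s name, and the statement link displays the bank’s URL while pointing at a different host. The edit-distance rule trades some false positives (a genuinely unrelated domain that happens to be two characters away from a trusted one) for catching character swaps, so in practice such hits go to a reviewer rather than straight to quarantine.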
4.) Pop-up Phishing
This kind of phishing occurs when a pop-up window appears when surfing the web. In most cases, cybercriminals will infect legitimate websites with malicious code that causes these pop-ups to appear when people visit them. A good example would be if you visited your bank’s website and a pop-up appears telling you to input your account number and card information.
Generally, you shouldn’t trust pop-up messages on websites, and you should use a pop-up blocker, either the one built into your browser or a browser extension. A legitimate bank will not ask for your card details in a pop-up.
5.) HTTPS Phishing
Did you know that over half of phishing websites are served via HTTPS? Did you know that the “s” in HTTPS stands for “secure”? Well, in this day and age we can’t assume our data is safe and “secure” just because a site’s address starts with HTTPS. Phishers have been adopting HTTPS on their sites more and more often, so when you get a phishing email or text, the malicious site it leads to looks as trustworthy as ever.
Unfortunately, we can’t trust websites solely based on whether they show a lock icon or “https” in the address bar. The lock only means your connection to that site is encrypted; it says nothing about whether the site is who it claims to be, and anyone can obtain a certificate for a domain they own. Remember to think twice before clicking a link and always consider the source.
6.) Website Spoofing
Similar to domain spoofing, website spoofing is the act of creating a duplicate version of a trusted website that appears to be the original. This kind of scam commonly imitates banks in order to obtain victims’ banking and financial information. Always double-check the address bar, verify the company’s legitimate web and email addresses, and keep your browser updated to better safeguard against these kinds of attacks. Look at this visual from Box Phish of a spoofed Google sign-in box next to the legitimate Google sign-in box. They are almost identical and nearly impossible to tell apart by appearance alone, which is why the address bar, not the page design, is what you should check. It’s scary, but something everyone needs to be aware of and look out for.
7.) Man-in-the-Middle
A man-in-the-middle attack (MiM) is when a cybercriminal secretly relays and alters the communication between two parties who believe they are communicating directly with each other. The attacker impersonates each party to the other in order to access sensitive information such as transactions or other confidential data. A common target is the login and authentication step on financial websites.
One way to avoid MiM attacks is to avoid using free public Wi-Fi. Attackers on the same open network can interfere with the traffic of unsecured devices connected to it. It is also a good idea to use a VPN, which encrypts your traffic to the VPN provider so that others on the local network can’t read or alter it.
When you realize how many different ways hackers can and will try to trick you, it can be intimidating. Remember to always take cybersecurity seriously; it’s no joke and it CAN happen to you. No matter how invincible you think you are, you are NOT. Use a password manager, use 2FA (two-factor authentication), verify suspicious communications through official channels, and use websites that are secure and encrypted. Make sure you are staying up-to-date and educated on cybersecurity and, most importantly…PRACTICE IT!
Here at Elevated Technologies, we constantly work to defend your network and devices against malicious threats and abnormal user behavior. To prevent a data breach and to better protect your company, contact us today.
For a free cybersecurity assessment click here.