How Hackers are Phishing for Your Credentials & How to Prevent Attacks
Sep 04, 2019
You are probably no stranger to social engineering and phishing attacks. This common cyber attack has been in the news frequently over the last five years, targeting businesses of all sizes. Hackers have increasingly been testing out different phishing techniques that target a group of users to capture credentials, personally identifiable information (PII), and financial information. On the surface, a single message can look harmless to the individual who receives it, which is exactly why the technique works. So what are some phishing examples, and how can you prevent phishing in your organization?
Evolution of Phishing
Back in the day, you would commonly see phishing attempts occur through AOL, the top internet service provider in the 90s. Hackers would create fake AOL accounts, impersonate AOL employees, and message users to trick them into "verifying" their accounts. Once a user "verified" their account, the hacker had the credentials and billing information they needed.
But ever since the 2000s, when email became the preferred method of communication in organizations, hackers moved on from AOL. Instead, email phishing became the preferred approach for spamming and targeting individual users. Between 2004 and 2005, over 1.2 million users in the United States were victims of phishing, with a total estimated cost of $929 million, and businesses losing about $2 billion a year to phishing attacks. So, how are phishing attempts affecting businesses in 2019?
Brian Krebs, a popular security researcher, stated that 2018 would be the year that targeted phishing went mainstream, and he was right. Last year, software-as-a-service platforms such as Office 365, Dropbox, and G Suite were the top phishing targets, with attackers going after the employees who use those services. It's reported that half a billion dollars is lost every year to phishing in the U.S., and from 2016 to 2017 there was a 237% increase in SaaS-targeted attacks. Knowing the extreme cost that phishing can have on businesses in 2019, it's important to understand how hackers might be phishing for your information and what you can do about it.
Phishing Examples: Ways Hackers Steal Your Information
Each technique a hacker uses is conducted differently based on the group of users the phisher is targeting and the phisher's end goal. Phishing techniques are always evolving, using psychology to manipulate the user into clicking a link or handing over valuable information. The following are common phishing examples and attacks that you should prepare your employees for:
- Phishing emails, where a message is sent to a user with a link to a malicious website that is made to look like a trustworthy site such as your bank or Dropbox. The email mimics a site you know and use and then simply asks you for sensitive information. Individuals can easily mistake these harmful emails for the real deal and offer up this information on a silver platter.
- Business email compromise attacks, where an email sent from a spoofed or lookalike address such as your "boss" or a "coworker" asks you to buy gift cards or verify sensitive information. Users often see nothing suspicious in a spoofed email, as it is well disguised to look like it came from a familiar address.
- Phishing over the phone is another common phishing example, where hackers pose as vendors or your IT department to retrieve sensitive information from you.
- Man-in-the-middle phishing attacks are attacks in which the hacker sits between you and a third party and intercepts the sensitive information exchanged. In this type of phishing example, hackers can use email, social media, websites, and Wi-Fi networks to gain access to your information.
- Another common phishing example is phishing emails with attachments containing malicious code. When the user opens the attachment, the code runs on their machine and can give the hacker a foothold in your network and, from there, access to your organization's data.
- Although email is the most common medium for phishing attacks, it isn't the only one. Messaging apps such as Slack, Skype, and Facebook Messenger are used by phishers to send malicious links and steal information too.
How to Prevent Phishing Attacks
Employee education will always be the most effective way to prevent human error from occurring and leaving your organization vulnerable to social engineering and phishing attacks. Communicating the following best practices will help prepare your organization for a potential phishing attempt:
- Review the details of an email: misspellings in the content or the sender's address, poor grammar, unfamiliar URLs, or abnormal requests.
- Check the address bar before entering anything. An "https" URL and a padlock (older browsers showed it in green) only mean that the browser has an encrypted connection to a server that presented a certificate for the domain in the address bar, issued by a certificate authority the browser trusts. That does not make the site credible: phishing sites use HTTPS too, and a certificate for a lookalike domain is just as valid as one for the real site. What matters is that the domain in the address bar is the one you meant to visit.
- Report abnormal requests for sensitive information to your IT department so they can warn the rest of the organization.
- Never open attachments or download files without verifying the sender, and check with your IT department if you weren't expecting the email.
- Ensure email accounts use multi-factor authentication (MFA) for added protection, so a phished password alone is not enough to sign in.
- Where possible, have your system administrators restrict sign-ins to the countries your users actually work from, so a stolen password cannot be used from elsewhere.
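One way to put the checks above (sender address, unfamiliar URLs, the domain behind a link) and the spoofed-sender and lookalike-site examples from the earlier list into code, as an added example that is not the article's or Secuvant's own tooling: a Python script that parses a raw email with the standard library, compares the visible sender with Reply-To and Return-Path, reads the SPF/DKIM/DMARC verdicts the receiving server stamped into Authentication-Results, and flags links whose visible text names one domain while the href points to another or to a lookalike. TRUSTED_DOMAINS, the confusable table, the length guard and the sample message are all constructed for the example.

```python
"""Triage checks for a suspected phishing email (added example, not the article's
code; TRUSTED_DOMAINS, the heuristics and SAMPLE are constructed for illustration)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the (hypothetical) organization and its vendors legitimately send from.
TRUSTED_DOMAINS = {"example.com", "dropbox.com", "microsoft.com"}
# Substitutions used to build lookalike names: rn -> m, 0 -> o, 1 -> l, ...
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def registrable_domain(host: str) -> str:
    """'login.dropbox.com' -> 'dropbox.com' (no public-suffix list: 'x.co.uk' -> 'co.uk')."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def normalise(host: str) -> str:
    """Undo confusable substitutions and hyphens so 'dr0p-box.com' reads 'dropbox.com'."""
    for fake, real in CONFUSABLES:
        host = host.lower().replace(fake, real)
    return host.replace("-", "")

def classify_domain(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    # A trusted name buried inside a longer host: dropbox.com.secure-login.xyz
    if any(host.startswith(t + ".") or f".{t}." in host for t in TRUSTED_DOMAINS):
        return "lookalike"
    sld = normalise(reg).split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Exact match after normalisation, or a long brand embedded in the label.
        if sld == brand or (len(brand) >= 6 and brand in sld):
            return "lookalike"
    return "unknown"

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw: bytes) -> list[str]:
    """Return human-readable findings for a raw RFC 5322 message; [] means nothing flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg["From"] or ""))
    from_domain = addr.rpartition("@")[2].lower()
    verdict = classify_domain(from_domain)
    if verdict != "trusted":
        findings.append(f"sender domain {from_domain} is {verdict}")
        if any(t.split(".")[0] in display.lower() for t in TRUSTED_DOMAINS):
            findings.append(f'display name "{display}" borrows a trusted brand')
    # Replies or bounces routed to a different domain than the visible sender.
    for hdr in ("Reply-To", "Return-Path"):
        _, other = parseaddr(str(msg[hdr] or ""))
        if other and other.rpartition("@")[2].lower() != from_domain:
            findings.append(f"{hdr} {other} does not match the From domain")
    # SPF/DKIM/DMARC verdicts stamped by the receiving mail server.
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)}")
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        verdict = classify_domain(host)
        if verdict != "trusted":
            findings.append(f"link to {host} ({verdict})")
        # Visible text names one domain while the href goes somewhere else.
        shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown and registrable_domain(shown.group()) != registrable_domain(host):
            findings.append(f"link text shows {shown.group()} but points to {host}")
    return findings

# Constructed sample: lookalike sender, foreign Reply-To, failed auth, deceptive link.
SAMPLE = b"""From: "Dropbox Support" <support@dr0pbox-files.com>
Reply-To: files-verify@mail-ru.net
Subject: Action required: verify your account
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=dr0pbox-files.com; dkim=none; dmarc=fail
Content-Type: text/html; charset=utf-8

<p>Your storage is full. Sign in at <a href="https://dropbox.com.secure-login.xyz/verify">https://www.dropbox.com/login</a> within 24 hours.</p>
"""
```

Calling `triage(SAMPLE)` returns eight findings for the constructed message (lookalike sender domain, borrowed brand in the display name, mismatched Reply-To, three failed authentication results, a lookalike link host, and link text that names dropbox.com while pointing elsewhere); an empty list means nothing was flagged. The heuristics are deliberately simple: a production filter would use a public-suffix list instead of "last two labels", handle punycode/IDN homographs, and treat the Authentication-Results header as trustworthy only when it was added by your own mail server.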
Being proactive about policies and procedures for email will be key to minimizing email compromise. Other cybersecurity practices include keeping firewalls, browsers, and antivirus software up to date, as well as implementing anti-phishing tools for an added layer of security.
Organizations can choose to put these measures in place themselves or outsource some or all of their cyber security to a managed security service provider (MSSP). Secuvant can provide your organization with Managed Detection and Response (MDR) services that enhance your cybersecurity and monitor for cyber threats, helping to prevent, detect, and respond to them before they affect your business. For more information on our MDR services or how we can help your organization implement a cybersecurity program, reach out to us at firstname.lastname@example.org or 855-732-8826.