Phishing is a cybercrime that uses email, text messages (SMS and
chat), phone calls and other communication channels to lure victims
into revealing personal or sensitive information, or into running
attacker-controlled code. The targets range from unwary individuals
to groups and large organizations. A single phishing message may
look harmless, but it is only the opening move: depending on the
type of social-engineering attack, the criminal either deploys
malware to the target system or network, or harvests personally
identifiable information, banking and card details, passwords and
the like for identity theft or financial gain. With the right
security awareness training, business owners and CISOs can
substantially reduce their organization's exposure to these
attacks.
What Is Phishing and How Can It Be Solved with Security
Awareness Training?
The word "phishing" echoes "fishing", where bait on a hook lures
prey; similarly, a phishing attack lures the target into clicking a
link, opening an attachment, entering their information, and so on.
Phishing activity has risen continuously since 2019, with 71% of
incidents reported as financially motivated. Security researchers
report that 29% of breaches involving phishing also involved the use
of stolen credentials, and that 33% of breaches involve some form of
social engineering. It is tempting to assume that individuals have
little worth stealing and that the proceeds are not worth the
effort, but the United States FBI's Internet Crime Complaint Center
has recorded approximately $57 million in losses to phishing
attacks.
Security awareness training helps employees recognize these attacks
and avoid the common, unintentional mistakes that let them succeed.
6 Common Phishing Scams That Can Be Stopped with Security
Awareness Training
-
Email Phishing: Email is one of the most prominent delivery
channels for malware; one report puts 94% of malware delivery
through email. Cybercriminals pose as legitimate organizations
(your bank, an e-commerce site, an NGO, etc.) and send either an
attachment with a misleading name (reward, coupon, invoice, free
app) or a link to a malicious site. Downloading and running the
file installs malware on your device. That malware may encrypt
your data and demand a ransom for the decryption key
(ransomware), or it may exfiltrate sensitive data (personal and
financial data, usernames and passwords) that the criminals can
monetize.
-
Spear Phishing: When cybercriminals take the effort to
personalize a phishing email using reconnaissance, it is called
spear phishing. To look less suspicious and raise the odds that
you take the bait, they gather information about you from easily
accessible sources such as social media. Because you are more
likely to open an email that appears to come from a source you
know, trivial but personal details (the institutions, websites or
newsletters you follow, your employer, the bank or financial
institutions you use) let them craft a convincing, personalized
lure. Spear phishing is surging, with 65% of cases using spear
phishing as the primary vector for malware deployment.
-
Voice Phishing: This type of attack uses phone calls (hence voice
phishing, or vishing). The caller impersonates a legitimate
organization and primarily aims to extract personal and sensitive
data such as bank account numbers, usernames, passwords, OTPs
(one-time passwords) and PINs. Advanced methods such as AI voice
cloning make the attack more convincing: by recording and
analyzing the voice of someone you know, a criminal can
synthesize that voice on a live call and use it to demand an
immediate transfer of a large sum of money.
-
SMiShing: SMS phishing, or SMiShing, uses text messages to
deceive people into divulging sensitive and financially damaging
information. It is one of the oldest and best-known scams, and it
targets unwary users.
-
Social Media Phishing: This type of attack uses social media
sites to build trust between the cybercriminal and the target.
Some studies suggest that social media helps establish a greater
degree of trust between people, and the cybercriminal exploits
this: a fake profile is created, the target is befriended, and
personal and sensitive information is extracted over time. The
same channel can spread malware disguised as suggested apps or
executable files. Creating a fake profile is easy, which is
consistent with Facebook reportedly finding 14% of the profiles
on its platform to be fake in 2014.
-
Website Forgery: This type of attack is said to be one of the
most effective strategies against individual users. As the name
suggests, cybercriminals build a fake site that copies the
original and host it on a lookalike address (a misspelled or
visually similar domain, or the brand name used as a subdomain of
a domain they control), so that a glance at the address bar does
not reveal the forgery. In some cases attackers instead exploit a
pre-existing flaw in a trusted website's scripts to inject their
own content into that page; this is known as cross-site scripting
(XSS), and it is particularly dangerous because the forged form
is then served from the genuine domain. Using these pages, the
cybercriminal collects the personal and financial information
that users enter into a sign-up form or a payment-card or
net-banking form.
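Spotting a forged address mechanically, as an added example that is not part of the original article: the script below decodes punycode into the Unicode a browser would display, maps common look-alike characters to their ASCII forms, and compares the registrable domain against a small list of trusted brands. The trusted list, the confusable table and the sample URLs are constructed assumptions for illustration, and the registrable-domain split is a simplification that ignores the Public Suffix List.

```python
"""Lookalike-domain checks for forged websites (added example, not from the article)."""
import unicodedata
from urllib.parse import urlsplit

# Constructed: brands whose real domains the user knows.
TRUSTED_DOMAINS = {"paypal.com", "example-bank.com", "github.com"}

# Constructed and deliberately small: characters that render like ASCII letters.
# Unicode's confusables.txt is the authoritative, much larger table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0458": "j",  # Cyrillic c s i j
    "\u04bb": "h", "\u0501": "d", "\u0261": "g", "\u0131": "i",  # shha, komi de, script g, dotless i
    "1": "l", "0": "o",                                          # digit tricks (paypa1, g00gle)
}


def decode_host(host: str) -> str:
    """Return the Unicode form a browser would display for a punycode (xn--) host."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid IDNA: keep as-is


def registrable_domain(host: str) -> str:
    """'login.paypal.com' -> 'paypal.com'. Simplified: without the Public Suffix
    List, 'example.co.uk' would wrongly come out as 'co.uk'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(name: str) -> str:
    """Replace look-alike characters so visually identical names compare equal."""
    name = unicodedata.normalize("NFKC", name)
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): one adjacent swap counts as
    one edit, so 'gihtub' is one step from 'github'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_url(url: str) -> str:
    """Label the URL's domain: trusted, brand-as-subdomain, homoglyph, typosquat or unknown."""
    host = decode_host(urlsplit(url).hostname or "")
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    for brand in TRUSTED_DOMAINS:
        # 'paypal.com.secure-login.example': the brand is only a subdomain label
        if f".{brand}." in f".{host}.":
            return f"brand-as-subdomain:{brand}"
    for brand in TRUSTED_DOMAINS:
        if skeleton(reg) == skeleton(brand):
            return f"homoglyph:{brand}"  # 'paypa1.com', Cyrillic 'pаypal.com'
    for brand in TRUSTED_DOMAINS:
        if edit_distance(skeleton(reg), skeleton(brand)) <= 1:
            return f"typosquat:{brand}"  # 'paypall.com', 'gihtub.com'
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs; xn--pypal-4ve.com is 'paypal.com' with a Cyrillic 'a'.
    for u in ("https://login.paypal.com/signin", "https://paypa1.com/",
              "https://xn--pypal-4ve.com/", "https://paypal.com.secure-login.example/verify",
              "https://gihtub.com/", "https://example.org/"):
        print(f"{classify_url(u):32} {u}")
```

The decode step matters: a browser may render the punycode host as the Unicode string, so the check must compare what the user sees, not the ASCII wire form.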
How to Avoid Phishing Scams?
Individual users can reduce their exposure to phishing through
awareness, a degree of caution when performing digital activities
(especially providing personal or financial data), and the use of
security tools. The most effective practices are:
-
Anti-Phishing Tools: Anti-phishing tools and software provide
features such as spam filtering, attachment scanning,
phishing-email detection and blocking of suspicious senders, to
stop phishing emails before they reach you.
-
Email Handling: Whether or not you have an anti-phishing
solution installed, every user should check whether an email is
legitimate. The following points help.
-
Check whether the sender is known to you, i.e., whether the
mail is solicited or unsolicited.
-
Check if the domain name (@xyz.com) belongs to the organizations it represents
-
Consider whether the content is plausible; if it is too good
to be true, it is probably a scam.
-
Do not click short links, hyperlinked text or buttons
directly; hovering the cursor over a link reveals the real
URL. Check the domain name and its spelling in that URL, not
in the visible text, and remember that a shortened link hides
its destination entirely.
-
Do not open any attachment without scanning it, and never
open an attachment with an unknown or executable extension
(.exe, .scr, .js, .bat and similar), including files that
hide it behind a double extension such as invoice.pdf.exe; a
legitimate person or organization does not send executables
by email.
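The checklist above, run mechanically over a message, as an added example that is not part of the original article: the script parses a raw message with Python's standard email and html.parser modules and reports a display name that claims one organization while the address belongs to another, a Reply-To that redirects replies elsewhere, shortened or bare-IP links, link text that shows one host while the href points to another, and executable attachments hidden behind a double extension. The sample message, the expected-sender table and the shortener list are constructed for illustration; a real filter would also read the Authentication-Results header (SPF, DKIM, DMARC), which is left out here.

```python
"""Mechanical version of the email-handling checklist (added example, not from the article)."""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed: organisations the recipient deals with and the domain their mail really uses.
EXPECTED_SENDER = {"example bank": "example-bank.com"}
# Constructed: link shorteners, which defeat the hover check by hiding the destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
# File types that execute when opened; a legitimate sender does not mail these.
RISKY_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "lnk", "iso", "ps1"}


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs: what the user sees beside where the link goes."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_in_text(text: str) -> Optional[str]:
    """If the visible link text is itself a URL or bare domain, return its host."""
    t = text.strip().lower()
    if not t or " " in t:
        return None
    if "://" not in t:
        t = "https://" + t
    host = urlsplit(t).hostname
    return host if host and "." in host else None


def triage(raw: bytes) -> List[str]:
    """Run the checklist over one raw RFC 5322 message and return the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    if msg["From"] is None:
        return ["missing From header"]
    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    # 1. Does the address domain match the organisation the display name claims?
    expected = EXPECTED_SENDER.get(sender.display_name.strip().lower())
    if expected and from_domain != expected:
        findings.append(f"display name claims {expected} but mail is from {from_domain}")
    # 2. Are replies silently redirected to a different domain?
    if msg["Reply-To"] is not None:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != from_domain:
            findings.append(f"Reply-To goes to {reply_domain}, not {from_domain}")
    # 3. Links: the hover check, done on the HTML part instead of by eye.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            host = (urlsplit(href).hostname or "").lower()
            if host in SHORTENERS:
                findings.append(f"shortened link hides its destination: {href}")
            if host.replace(".", "").isdigit():
                findings.append(f"link points at a bare IP address: {href}")
            shown = host_in_text(text)
            if shown and shown != host:
                findings.append(f"link text shows {shown} but points to {host}")
    # 4. Attachments: executable types, including ones hidden behind a double extension.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = name.lower().split(".")[1:]
        if exts and exts[-1] in RISKY_EXT:
            disguise = "disguised " if len(exts) > 1 else ""
            findings.append(f"{disguise}executable attachment: {name}")
    return findings


def sample_message() -> bytes:
    """Constructed phishing-style message used as the worked input."""
    m = EmailMessage()
    m["From"] = "Example Bank <alerts@example-bank-secure.net>"
    m["Reply-To"] = "verify@mail-verify.example"
    m["To"] = "customer@example.org"
    m["Subject"] = "Action required: your account will be suspended"
    m.set_content("Unusual activity was detected on your account.")
    m.add_alternative(
        "<p>Unusual activity was detected. Log in at "
        '<a href="https://bit.ly/example-link">https://www.example-bank.com/login</a> '
        'or review the attached <a href="http://198.51.100.23/inv">invoice</a>.</p>',
        subtype="html",
    )
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="Invoice_4471.pdf.exe")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in triage(sample_message()):
        print("-", finding)
```

Each finding maps to one bullet of the checklist; none of them alone proves the mail is malicious, but two or more together should stop a user from clicking.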
-
Vishing and SMiShing Safety Precautions: There are several things
to look out for when dealing with suspicious messages and phone
calls.
-
Use trusted applications that validate mobile
numbers and act as spam filters for
telecommunications.
-
Do not share personal information over message or on a call;
proper procedures exist for submitting such details. If a
caller claims there is a problem with your account, hang up
and call back on the number printed on your card or published
on the organization's official site, not one the caller gives
you.
-
Do not share usernames, passwords or authentication PINs with
anyone by call or message, even if the person claims to be
from your bank. Receiving money never requires you to give out
an OTP; an OTP is only ever entered by you, into your bank's
own app or website.
-
If you suspect that the call is a type of robocall,
then try to ask additional and atypical questions.
-
Online Phishing: Whether on social media or on the web, there
are things you must not do, or at least must do carefully.
Malicious sites usually contain several hints that they are not
legitimate.
-
Do not share personal or financial information over social
media platforms, even with people you know personally:
accounts get compromised, so the person messaging you may not
be who you think, and the message may be readable by others.
-
Only submit data on sites served over HTTPS: the lock symbol
in the address bar means the browser has validated the site's
TLS certificate for that domain and that traffic between your
system and the site is encrypted. It does not mean the site is
legitimate; phishing sites routinely obtain valid certificates,
so the lock protects the connection, not you. Check the domain
name itself.
-
Likewise, check whether a link uses http or https: https
(Hypertext Transfer Protocol Secure) links are encrypted in
transit and http links are not, but https is a necessary
condition, not proof that the site is genuine.
Immediate mitigation after a successful phishing attack means
consulting a security expert or the government body that deals with
cybercrime, alongside ongoing security awareness training, because
knowing about phishing in theory may not be enough to tell a benign
email from a malicious one when you are faced with a real one.
Practical experience in handling phishing attempts, such as
simulated phishing exercises, is therefore important.
FAQs
Prevention of phishing by a non-technical person improves with the
anti-phishing education and awareness provided by many reputable
organizations such as Aware.