This year has shown that phishing attacks are just as rampant as ever, with many threat operators taking advantage of the chaos caused by the COVID-19 crisis to target individuals and enterprises alike. Defined as electronic communications that attempt to fool or persuade recipients into taking certain actions or sharing private information, phishing attacks can arrive via various channels, from voice recording files and SMS messages to emails with harmful links and attachments.

Phishing is not a new problem for cybersecurity experts, but it is an ever-evolving attack method that hackers and other threat operators constantly adapt and hone to increase the success of their criminal campaigns. Email providers equip accounts with filters to identify phishing attempts early and ensure they never reach user inboxes, or at the very least arrive with a warning, but these filtering systems must be constantly updated to keep pace with the latest strategies employed by hackers.

Operators running phishing scams work hard to enhance and improve their techniques, creating content capable of bypassing secure systems and mail filters. With this in mind, the best way to defend against phishing attacks is to focus on the people they are aimed at and educate them on how to spot such tricks, so that they can avoid the damaging consequences that can follow.

Spear phishing

Spear phishing is a type of phishing attack that is specifically aimed at a particular individual or enterprise. Examples might include an email sent to a company pretending to be one of its suppliers or a message to a staff member impersonating their employer’s accounts department.

Unlike standard phishing tactics, which cast a wide net via hundreds of thousands of emails in the hope of randomly catching victims, spear phishing selects a target and undertakes research before attacking. Publicly available information will typically be collected first, with a wealth of data available from social media accounts, online CVs and company websites, among other instances of a person or firm’s digital footprint. This easily accessible information will then be combined with any other personal or private data the hacker has been able to acquire from previous phishing schemes.

The more information gathered, the better the hacker can impersonate an entity trusted by their chosen target. To add to their authenticity, spear phishing emails often employ spoofed email addresses so that messages appear to originate from a real address used by a trusted source.

Whaling

Whaling is a term used to categorise an even more focused version of spear phishing, which targets high-level executives within an enterprise or organisation. The content of these often email-based attacks is cleverly crafted to encourage those with upper management roles to click malicious links or mistakenly transfer funds to criminals, believing them to be authentic clients or suppliers. Legal issues, customer complaints and other matters requiring executive authorisation are used as templates in attacks. Executives often make valuable targets for cybercriminals because, if fooled, they can give hackers greater access to enterprise systems when their credentials are stolen.

For further advice and an opportunity to experience a secure workspace, contact our specialist team at Galaxkey.