When we think about phishing attacks and threats, it’s understandable that most people think first about email scams. That’s where phishing really got its start back in the early 2000s. But phishing has evolved to include targeted behavioral manipulation through social engineering and file-less threats that largely go undetected by standard endpoint security solutions. In fact, we recently wrote about five file-less techniques in our blog on phishing attacks that don’t involve email. A quick recap…
- Malicious browser extensions. While most browser extensions are innocuous, some aren’t, and they can provide a hacker unlimited access to data within your browser such as login credentials.
- Credential stealing. Acting as a legitimate entity – such as Dropbox, Yahoo, or Microsoft – hackers can steal login credentials that can give them access to other applications and sites.
- Technical support scams. Hackers can use scare tactics to gain access to your browser to install malware for remote access and data theft.
- Rogue software. Tricking people into downloading what looks to be legitimate software only to inadvertently load malware.
- Gift and prize scams. Tricking people into entering for a prize that is designed only to steal credentials and personal data.
While these phishing threats reside outside of email, there are certainly email-based and other non-email-based phishing schemes that people need to be aware of. Let’s examine six of them.
- Basic phishing. This is the form of phishing that most are familiar with: the mass emails that try to get someone to do something – from downloading an attachment, to clicking through to a website, to completing a form. In all these cases, once a recipient does one of these things, malware is installed that compromises the security of the computer system or network. These types of threats are becoming more and more sophisticated as emails and websites are designed to look more and more like established and trusted brands.
- Spear phishing. Similar to phishing, spear phishing differs in that it usually targets a smaller group or a specific department in an organization and is more difficult to detect as it appears to come from a sender closely aligned with the recipient. We recently posted a blog that showed how some spear phishing threats today are targeting HR departments with the intent to steal sensitive employee data which can be used to further exploit individuals. Unlike basic phishing threats, which are sent in far larger volumes and are easier to detect, spear phishing threats are more sophisticated.
- Whaling. Whaling attacks are spear phishing threats that specifically target, you guessed it, high-profile individuals. This could be C-level executives within an organization, or celebrities and politicians who have a lot to lose, whether reputation or money. These attack vectors can be email scams like we see in basic or spear phishing, or website spoofs and other phishing scams we’ve highlighted above.
- Smishing. A smishing threat is a form of phishing that utilizes your mobile device as an attack vector. Often the initiation is in the form of a text message disguised as a communication from a bank or other potentially trusted brand that encourages a click-through to a phishing site where credentials are targeted. As mobile devices become more prevalent for work communication, smishing threats will likely increase, as will their sophistication.
- Vishing. A vishing threat tries to steal your personal information using the telephone. One of the most popular is an automated call claiming to be from the IRS, threatening arrest and asset seizure if you don’t respond with detailed information on your finances. These and other calls are becoming more prevalent as well, as the phishing landscape widens.
- Social Engineering. Describes a scheme that targets a small number of potential victims using any combination of the phishing techniques described above in a complex fraud. It could even involve an impersonator showing up in person with the goal of gaining physical access to a system or building. The purpose of Social Engineering is to psychologically manipulate targets into disclosing sensitive information or taking inappropriate actions. Many times, victims have no idea they did something wrong until the fraud is exposed.
While employee education is paramount as part of a successful cybersecurity initiative – especially for smishing and vishing attacks – definitive real-time phishing detection and protection is a must in today’s phishing threat landscape. Whether advanced phishing threats come via email or from outside the inbox, they can only be stopped with technology that is just as sophisticated as the threats themselves. Our SEER™ technology is up to the task. Check it out today!