Phishing is a cyberattack that tricks or pressures the user into revealing sensitive personal information. The information is then used against the victims in various ways, from creating a false identity to commit crimes under their names to claiming the benefits they are entitled to. Usernames, passwords, mother’s maiden name, place of birth, and credit card information are the most common types of information collected through phishing attacks.
Email phishing to steal personal data
Email phishing is the most well-known type of phishing attack, where the employees of a specific organization are targeted directly. They receive impostor emails purporting to come from a service provider they use, such as a bank or an office software vendor, warning them that the service is facing some problem.
The employees get a warning message about their supposedly compromised account, and many employees receive the same email to make it look more authentic. The emails usually want the victims to perform one of these actions:
- Click on a spoofed link that leads to a fake login page and enter a username and password
- Download an attachment that installs malware on the company server, or
- Provide some sensitive credential, such as the answer to a security question
The answer to the security question is used to steal credit card details or other financial information. Compromising the company server leads to a data breach, and the collected usernames and passwords are used to log in to other software and access various databases.
The Elara Caring healthcare provider data breach is a well-known example of email phishing. Two employees fell prey to such emails and disclosed their usernames and passwords to the attackers by clicking on a link and entering their details on a fake login page.
The attackers gained access to the records of nearly 100,000 patients. The hackers had access to their financial information, bank account numbers, and social security numbers for one whole week until the company made its data protection foolproof.
Phishing attacks targeting specific employees (Spear Phishing)
Spear phishing targets specific employees at the top level, asking them to authorize a particular invoice or financial transaction. A fake business website or login page that looks exactly like the original one takes the money when the employee authorizes a payment. The attackers also steal essential credentials when employees disclose them, believing they are using a legitimate business website.
The personal secretary of a particular company received an email from the CEO asking him to purchase expensive Amazon gift cards. The employee did so, paying from the company account, and emailed all the details to the requested email IDs.
They later found out that thousands of dollars had been looted from the company account through this method. The hackers used the gift coupon codes to purchase various items, from laptops to expensive televisions. The email IDs were deleted in no time, and the CEO knew nothing about the email impersonating him.
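One defensive control that catches the gift-card scam above is a mail-gateway check for executive display-name impersonation: the sender's display name matches a known executive, but the address or domain is not the executive's own, and the text carries urgent payment language. The code below is an added example, not from the original article; the executive list, company domain, and keyword list are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Constructed placeholders for this example: the organisation's executives
# and its own mail domain. A real deployment would load these from a directory.
EXECUTIVES = {"Jane Doe": "jane.doe@example-corp.com"}
COMPANY_DOMAIN = "example-corp.com"

# Phrases typical of CEO-fraud requests such as the gift-card scam.
URGENT_REQUEST = re.compile(
    r"\b(gift cards?|wire|invoice|urgent|immediately|confidential)\b", re.I)


def normalise(name: str) -> str:
    """Lower-case and sort the name parts so 'Jane Doe' and 'Doe Jane' compare equal."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


def check_message(from_header: str, subject: str, body: str) -> dict:
    """Return impersonation findings for one inbound message.

    impersonates_exec: display name is an executive's, but the address differs
    external_domain:   the sending domain is not the company's own domain
    urgent_request:    the text asks for money, gift cards or secrecy
    risk:              number of findings that fired (0..3)
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    known = {normalise(n): a.lower() for n, a in EXECUTIVES.items()}
    key = normalise(display)
    findings = {
        "impersonates_exec": key in known and known[key] != addr,
        "external_domain": domain != COMPANY_DOMAIN,
        "urgent_request": bool(URGENT_REQUEST.search(subject + " " + body)),
    }
    findings["risk"] = sum(findings.values())
    return findings
```

A gateway would quarantine or banner messages with a risk of 2 or more; a genuine internal note from the same executive scores 0.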
Phishing attacks through SMS (Smishing attacks)
Smishing attacks occur through your mobile phone and typically reach victims as an SMS claiming to come from your bank or another service provider. The most typical example of a smishing attack is a text message like this: “Unusual activity detected in your Gmail Account. Confirm by logging in to protect your credentials now. https://tr.im/i43gm”. If you click on the link, it will probably ask you to log in with your Facebook or Gmail account.
Once you enter the details or log in, all the credentials stored in your email are stolen. Important bank details, medical records, school admissions, and loan forms received by email are compromised. The victims often realize there has been a breach only when an amount is deducted from their account or someone takes out a loan using their identity. Never click on links in such messages from unverified numbers.
1. From: Bank Name
Bank account locked due to suspected security threats. Click to unlock. http://xxxx.
No bank will ever send such messages, so never click on such links. Always log in through the official bank website or call customer care if you have any doubt.
2. From: Apple support
Your mobile number gets used in several places at the same time. The phone security might be compromised. Click to contact us at https://zneltjer.
There is no chance of such a thing happening, so never click on such links, even if the message claims to come from Samsung or Apple support. Such messages often arrive right after people buy a new phone, creating unwanted fear.
3. From: XXX
You won a prize of $1000 for purchasing from XXX. Click https://erjeoure to claim the prize amount.
Never trust such links, or even phone calls, and ignore the prize offers, as most of them are entirely fishy. Trust only lucky draws from authentic sites and never trust anonymous SMS. Malware can easily enter your phone when you click on the link in such an SMS.
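The three messages above share the same tell-tale signals: an obscured or unrelated link host, and urgency or prize language that pushes the reader to click. The following added example (not from the original article) scores an SMS on those signals; the sender-to-domain allowlist and shortener list are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: domains each named sender legitimately uses (placeholders).
SENDER_DOMAINS = {
    "bank": {"bank.example"},
    "apple": {"apple.com", "icloud.com"},
    "gmail": {"google.com"},
}
# Link shorteners hide the real destination, just like a bare host with no dot.
SHORTENERS = {"tr.im", "bit.ly", "tinyurl.com"}

URL = re.compile(r"https?://\S+", re.I)
URGENCY = re.compile(r"(locked|unusual activity|compromised|unlock|protect your|suspended)", re.I)
PRIZE = re.compile(r"(\bwon\b|\bprize\b|\bclaim\b|\$\d+)", re.I)


def score_sms(sender: str, text: str) -> dict:
    """Heuristically score one SMS; each reason adds one point."""
    reasons = []
    hosts = [urlparse(u.rstrip(".,;)")).hostname or "" for u in URL.findall(text)]
    # Which brand does the message claim to be from (sender label or body)?
    haystack = (sender + " " + text).lower()
    brand = next((b for b in SENDER_DOMAINS if b in haystack), None)
    for h in hosts:
        if h in SHORTENERS or "." not in h:
            reasons.append(f"obscured link host: {h}")
        elif brand and not any(h == d or h.endswith("." + d) for d in SENDER_DOMAINS[brand]):
            reasons.append(f"link host {h} does not belong to {brand}")
    if hosts and URGENCY.search(text):
        reasons.append("urgent action demanded together with a link")
    if hosts and PRIZE.search(text):
        reasons.append("prize claim together with a link")
    return {"score": len(reasons), "reasons": reasons, "suspicious": len(reasons) >= 2}
```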
Phishing attacks targeting CEOs and CFOs (Whaling)
Whaling is similar to spear phishing in every aspect, but the hackers target only high-level executives who hold ultimate control. The term “whaling” refers to targeting the top brains, the big fish in the company, to get more valuable information.
Getting access to their username, password, or other sensitive data allows hackers to enter the company server directly. By targeting the big fish, they can steal much more than by hacking a data-entry employee’s or second-level executive’s account.
The co-founder of an Australian hedge fund company became a victim of such a whaling attack in 2020. Because of the perfect impersonation, he clicked on a Zoom meeting link thinking it was for a company meeting. The link downloaded malware the hackers had planted, which then entered the company server.
The company took immediate measures to contain the losses, and strong firewalls were activated. But the malware still transferred around $8.7 million to the hackers’ account through auto bots that authorized fake invoices. The auto bots used the electronic signature to quickly approve pre-programmed invoices.
There are various other types of phishing, such as voice phishing, clone phishing, and twin phishing. Concentrate on developing a secure business website with all the security measures in place. Train employees and keep up with the latest phishing scams to stay alert and protect yourself from them. Always think twice before clicking on suspicious links or SMS messages, and try to provide maximum security for your office and your home digital devices.