In the first article, we went over the basics of phishing and discussed the three most commonly seen types of phishing attacks. Here, we'll continue cataloging types of phishing, along with a few suggestions on how to avoid them.
Whaling - as you can probably guess - is simply phishing that targets a very high-profile target. The basic techniques are the same as in any other kind of phishing, but attackers will often go to great lengths to gain the trust of their target. This is when phishing can most resemble "The Sting"-style high-stakes confidence jobs.
This one is a bit specialized, but can be devastating when the attacker pulls it off. Basically, the attacker gains access to another employee's email (much as in CEO impersonation), but rather than sending false requests, they send a cloned copy of a previous email that had an attachment, except that the original attachment is swapped for a compromised one carrying a virus or other payload. It's just another way to make trojan-style email attacks seem legitimate.
These can be tough to detect, so it's important employees remain aware. Why would someone send a duplicate of a previous message? That should ring a warning bell. Follow up with the supposed sender and find out if it's legitimate before opening the attachment.
The rise in usage of public cloud storage services - such as Dropbox or Google Documents - has created an opportunity for attackers to try to leverage them. Attackers create fake websites designed to mimic the logon screen of these popular storage services, then target users with messages inviting them to log in. While these attacks are rare, they can be extremely convincing if they're used in conjunction with a hijacked email account.
Fortunately, they still can't perfectly mimic the URL of the site they're imitating, so always look closely at the web address before logging in.
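Part of that "look closely at the web address" check can be automated before anyone clicks. The function below is an added example, not part of the original article; the list of legitimate domains and the sample links are constructed, and the point is to surface the ways a fake cloud-storage login link typically differs from the real one (wrong scheme, brand name hidden before an '@', punycode host, brand embedded in an unrelated domain).

```python
from urllib.parse import urlsplit

# Constructed allowlist for the services named in the article (assumption, not
# a complete list of the providers' real domains).
LEGITIMATE_DOMAINS = {"dropbox.com", "google.com"}


def check_login_url(url: str, legitimate=LEGITIMATE_DOMAINS) -> list:
    """Return a list of warnings for a login link; an empty list means it looks genuine."""
    warnings = []
    parts = urlsplit(url.strip())

    if parts.scheme.lower() != "https":
        warnings.append(f"not https: {parts.scheme or 'no scheme'}")

    # "https://dropbox.com@evil.example/" shows the brand before an '@', but the
    # browser connects to whatever follows the '@'.
    if parts.username is not None or "@" in parts.netloc:
        warnings.append("brand name placed in the userinfo part before '@'")

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        warnings.append("no hostname")
        return warnings

    # Internationalised labels (xn--...) can render as look-alike letters.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode hostname, possible look-alike letters")

    # Genuine if the host is a legitimate domain or a subdomain of one.
    if any(host == d or host.endswith("." + d) for d in legitimate):
        return warnings

    # Otherwise the brand may be embedded outside the registrable domain,
    # e.g. dropbox.com.evil.example or dropbox-login.example.
    brands = {d.split(".")[0] for d in legitimate}
    if any(b in host for b in brands):
        warnings.append(f"brand name embedded in unrelated host: {host}")
    else:
        warnings.append(f"host not a recognised service domain: {host}")
    return warnings
```

Run it over the links in a suspicious message and treat any non-empty result as "confirm with the sender before logging in"; an empty result only means the address looks right, not that the message itself is legitimate.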
Finally, don't forget that phishing can happen over the phone as well. There are numerous techniques attackers might use to try to trick people into verbally giving up important information over the phone. These most commonly involve impersonating financial institutions, usually trying to get a target's PIN. Tech-support-based scams are also common, with attackers impersonating Microsoft or Apple employees.
Generally speaking, any situation where you receive a call telling you to call another number should be viewed with great suspicion. Legitimate businesses almost never do this. Likewise, demand credentials or other proof if you're cold-called by someone claiming to work at a financial institution or tech support center.
In the third part of this series, we'll be taking a step back to look at employee training: how to recognize phishing and other "social engineering" attacks, and what sort of procedures you should have in place to deal with them.
See you then! In the meantime, if you want more advice on shoring up your security or want to try out your defenses with a simulated penetration test, just contact Hummingbird.