What is phishing?
Using an email or link to an online site, a criminal attempts to entice a person into providing sensitive or confidential information which can be used or monetized by the phisher.
A targeted phishing attack focused on a specific person or group of people.
A phishing attack in which the 'phisher' uses a genuine, previously delivered email to create an identical (or almost identical) email containing similar content, attachment, recipient, and sender email address. A fraudulent link or attachment replaces the original one.
A form of spear phishing focused on senior corporate executives or high-profile individuals, such as those in government. Email content may request the recipient perform a task, such as providing employee records or sending a wire transfer, or contain malicious links.
The phish: Step by step
Mass phishing attack
— Untargeted, large group of victims
— Phisher selects a brand name for mass email
— Uses newly created domain or hacked website for webpages that resemble the brand name website
— Phisher sends email with brand logos/name and links to fake webpages
— Places links to fake web pages in banner ads, on social media, and in text messages
— Click fake links: victims click fake links and enter personal information into the fake web page
Targeted phishing attack
— Specific group or high-profile victim
— Develops an email with legitimate-looking content
— Spoofs the email address of someone at a target organization
— Phisher sends emails to a specific target victim or group
— Respond to email request: victim replies to the email with the requested information
Expand / Monetize
— Develop additional attacks
— Phisher uses stolen credentials for the next phase of attack
— Collects additional email addresses from hacked accounts
— Phisher sells stolen credentials
— Steals money using credentials from bank, PayPal, or fake wire transfer
Did you know...
Phishing doesn’t always involve an email distribution. Criminals are creating fake website advertising banners or text advertisements that link back to a malicious URL. The unsuspecting victim clicks the link and enters credentials on the fake site. The sensitive information is then captured and saved by the cybercriminal.
Reeling in the big catch with Business Email Compromise
A form of spear phishing, business email compromise (BEC) attacks have been increasing in number over the last few years. The FBI estimates a 1300% increase in BECs over the last two years, with losses estimated at more than $3 billion. There are two types of BEC attacks:
STEP 1: Infiltrate with a fake email requesting a password reactivation for a corporate Office 365 account.
STEP 2: Armed with the employee password, read corporate emails to get key business details, such as customers, vendors, decision makers, and financial data.
STEP 3: Launch a spear-phishing attack to accounts payables, requesting a vendor payment with the money going to an account set up by the criminal.
EMAIL SPOOFING ATTACK
STEP 1: Fake an email address by creating a similar looking email account.
STEP 2: Send email to a business department, such as accounting or human resources, requesting the transfer of funds or information.
STEP 3: Employee responds, having only looked at the sender's name and not the email address which has been spoofed.
How Email Spoofing or "Internationalized Domain Name" (IDN) Homograph Attacks Work
The hacker registers an email domain that reads like the target company's, sometimes replacing, dropping, or adding a single character, such as a zero "0" for the letter "o". Using real corporate executive names, the attacker creates an email address on this similar-looking domain. Thus, all email fields appear valid, with the sender's name and email address seeming to match, but on closer inspection they belong to a domain that merely resembles the recipient's company's own.
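As an added example (not part of Cyren's infographic), here is a defender-side check for the two sender tricks described above: a lookalike domain one character off the company's own (including digit-for-letter swaps such as "0" for "o") and an executive's display name sitting on an address outside the company. ORG_DOMAIN, EXEC_NAMES and the sample From: headers are constructed values.

```python
import re
from email.utils import parseaddr

# Constructed for this example: the organisation's real domain and the executives
# whose names a BEC spoof would borrow (both assumed values, not from the page).
ORG_DOMAIN = "example-corp.com"
EXEC_NAMES = {"jane doe", "john smith"}

# Digit look-alikes commonly substituted for letters in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(label: str) -> str:
    """Lower-case, map digit look-alikes to letters, collapse 'rn' -> 'm', drop dots/hyphens."""
    d = label.lower().translate(CONFUSABLES).replace("rn", "m")
    return re.sub(r"[.\-]", "", d)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit covers a single replaced, dropped or added character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'internal', 'lookalike', 'display-name-spoof' or 'external' for a From: header."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == ORG_DOMAIN:
        return "internal"
    # Compare only the registrable label, so a swapped TLD (.co for .com) is caught too.
    org_label = normalize(ORG_DOMAIN.split(".")[0])
    sender_label = normalize(domain.split(".")[0]) if domain else ""
    if sender_label and edit_distance(sender_label, org_label) <= 1:
        return "lookalike"
    # Executive's name shown, but the address is outside the company: the BEC spoof pattern.
    if display.strip().lower() in EXEC_NAMES:
        return "display-name-spoof"
    return "external"
```

Transposed letters count as two edits here, so raise the threshold or add a transposition rule if that variant matters to you.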
Phishing sites don't last a zero-day
Cyren experts examined phishing sites tracked and flagged by Cyren's global security cloud and discovered that after 40 hours, over half of the phishing sites analyzed no longer exist, making it difficult for many cybersecurity solutions to detect and block them.
Did you know...
Phishing uses social engineering to create an email that looks like it came from someone the victim knows. The email requests that the recipient do something, such as provide financial information or the password to a corporate login.
Improve your phishing protection level
Use a password manager that creates a different, unique password for every site.
Require staff to use two different components for login, such as a PIN or password plus something they possess (a phone).
Use a real-time web security gateway with real-time phishing intelligence that draws from large data sources and analytics and provides continuous protection from emerging web threats on all devices.
Consider training your staff on how to spot phishing attempts with a simulated phishing attack.
#1 Get executive management on board.
#2 Develop online training or work with an anti-phishing training company.
#3 Schedule regular simulated phishing attacks to ensure no complacency.
#4 Include the cost and implications of a successful phishing attack in your training.
Shopping, financial, and internet services most popular phishing targets
Apple, Chase, and PayPal were the top three most frequently spoofed websites, accounting for more than half of the total phishing URLs. Banks, internet services, Google, and Microsoft rounded out the top ten.
Brand | % phishing URLs
General Email Phishing | 2.4%