Phishing has become so widespread and sophisticated that a recent study found that 93% of modern breaches involve a phishing attack. Worryingly, fewer businesses are now deploying security monitoring tools (35% vs 40% in 2020) or undertaking any form of user monitoring (32% vs 38%). That means they might simply not be aware when they become victims of a phishing attack. Here’s why they should care and how businesses can protect themselves.
What is phishing?
Phishing is a type of cybersecurity attack. Attackers send messages pretending to be a trusted person or entity, like Facebook. Phishing messages manipulate a user and can lead them to install a malicious file, click a malicious link, or share sensitive information like passwords and PINs. Phishing is the most common type of social engineering, the term for attempts to manipulate or trick users online. Social engineering is often combined with malware, network attacks, or injecting code into the system to control it.
The different ways of phishing
While the intent of phishing is always the same, the attacks vary depending on the target and the platform used. Here are the most common phishing attacks:
Email phishing
This type of phishing has been around since the 90s and is still very popular. As spam filters have improved, so have these phishing emails. Here are seven signs an email might be phishing:
- The email address is unfamiliar
- The text creates a sense of urgency (Act now! Only today!)
- The greeting is very generic or is missing completely
- There are spelling and grammar mistakes
- It contains suspicious hyperlinks when you hover your mouse over the text
- There are attachments (especially if they’re in .exe, .scr or .zip form)
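The warning signs above can be turned into a simple triage check that a mail gateway or help desk could run over a suspicious message. The following is an added example written for this page, not code from the original article or from MIRACL; the brand allowlist, the phrase lists and the two sample messages are constructed for illustration. It checks the sender's display name against the domains a brand actually uses, looks for urgency language and generic greetings, compares the host shown in a link's text with the host the link really points to, and flags risky attachment types.

```python
"""Heuristic phishing-indicator checks for an email message (added example)."""
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist: brands a display name may claim, and the sender domains
# that brand legitimately uses. A real deployment would load this from config.
KNOWN_BRAND_DOMAINS = {"acme bank": {"acmebank.example"}}
# Illustrative word lists, not a vetted detection ruleset.
URGENCY_PHRASES = ("act now", "only today", "immediately", "will be suspended")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
RISKY_EXTENSIONS = (".exe", ".scr", ".zip", ".js", ".vbs", ".iso")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def build_sample_message() -> EmailMessage:
    """Construct a fake phishing-style message for testing; not a real email."""
    msg = EmailMessage()
    msg["From"] = '"Acme Bank Security" <alerts@acmebank-verify.example>'
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Urgent: your account will be suspended"
    msg.set_content("Dear Customer, act now to keep your account.")
    msg.add_alternative(
        "<html><body><p>Dear Customer,</p>"
        "<p>Unusual activity was detected. Act now! Only today!</p>"
        '<p><a href="http://login.acmebank-verify.example/reset">'
        "https://www.acmebank.example/signin</a></p></body></html>",
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="statement.exe")
    return msg


def build_clean_message() -> EmailMessage:
    """Constructed benign message from the genuine brand domain, for comparison."""
    msg = EmailMessage()
    msg["From"] = '"Acme Bank" <notifications@acmebank.example>'
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Your March statement is available"
    msg.set_content("Hello Dana,\nYour statement is ready in online banking.\nAcme Bank")
    return msg


def phishing_indicators(msg: EmailMessage) -> list[str]:
    """Return human-readable warning signs found in msg (empty list if none)."""
    findings = []

    # 1. Sender: display name claims a brand but the address is not a brand domain.
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in display_name.lower() and domain not in domains:
            findings.append(f"display name claims '{brand}' but sender domain is '{domain}'")

    # Text to scan: subject plus the preferred body (HTML if present, tags stripped).
    body = msg.get_body(preferencelist=("html", "plain"))
    raw = body.get_content() if body is not None else ""
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", raw)).lower()

    # 2. Urgency language.
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            findings.append(f"urgency phrase: '{phrase}'")

    # 3. Generic greeting.
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic greeting")

    # 4. Hyperlinks whose visible text names a different host than the real target.
    for href, anchor_text in ANCHOR_RE.findall(raw):
        shown = re.sub(r"<[^>]+>", "", anchor_text).strip()
        shown_host = urlparse(shown).hostname if shown.startswith(("http://", "https://")) else None
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host != real_host:
            findings.append(f"link text shows {shown_host} but points to {real_host}")

    # 5. Risky attachment types.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")

    return findings


def risk_level(findings: list[str]) -> str:
    """Map the number of indicators to a coarse triage label."""
    if len(findings) >= 4:
        return "high"
    if len(findings) >= 2:
        return "medium"
    return "low" if findings else "none"


if __name__ == "__main__":
    for label, message in (("sample", build_sample_message()), ("clean", build_clean_message())):
        found = phishing_indicators(message)
        print(f"{label}: risk={risk_level(found)}")
        for f in found:
            print("  -", f)
```

The link check is the one users cannot easily do by eye: the anchor text is a plausible URL, while the `href` points somewhere else, which is exactly what "hover your mouse over the text" reveals. Scoring by counting indicators is deliberately coarse; in a real pipeline the sender-domain and link-mismatch findings should carry more weight than spelling or urgency alone.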
Spear phishing
This type of phishing targets a specific individual, usually to get access to specific data or documents. The target receives a personal email that asks them to download a form. In reality, the download installs malware on their computer and often lets the hacker control the computer.
Whaling
As the name suggests, this form of phishing is aimed at a CEO, CFO, or any executive. Typically, a whaling email states that the company is facing legal consequences. The recipient needs to click on a link in the email to get more information. They are then asked to enter critical data about the company, such as tax ID and bank account numbers.
Smishing
Here, the hackers use text messaging to execute the attack. A common smishing technique is to send a text to a mobile phone that contains a clickable link or a return phone number.
A typical example of a smishing attack is an SMS message that looks like it came from your bank. It tells you your account has been compromised and that you need to respond immediately. The attacker asks you to verify your bank account number and other essential details. Once the hackers receive the information, they can gain control of your bank account.
Vishing
In some cases, attackers will contact you directly via a voice call, hence the “v” rather than the “ph” in the name.
A typical vishing attack is an attacker pretending to call from a trusted provider like Google or Apple. The scammer typically tells you there has been fraudulent activity on your account and asks you to confirm your bank account details, numbers, and address. Sometimes, the attacker will give you some information about yourself to look more credible. They might also ask for an email address to which they can send a software update and ask you to install it on your computer to protect your account. The software installed is actually a way to plant malware on the victim’s computer.
Search engine phishing
Also known as SEO poisoning or SEO Trojans, search engine phishing is where hackers work to make their page the top hit for a search. When users click the link in the results, they land on the hacker’s website. Hackers can steal your information when you interact with the site or enter your data. The prime candidates for search engine phishing are banks, money transfers, social media, and shopping sites.
Social media phishing
Over 70% of users aged 18 to 25 prefer social login, and attackers know this. They have created sophisticated sites to get their victims’ data. On Instagram and Facebook, a hacker usually creates a fake login page. These sham pages are crafted to look as much like the real site as possible to fool you. When you provide your Instagram user ID and password, the attacker captures these credentials. You will usually be redirected to the real Instagram login page for authentication, but the damage has already been done. With your Instagram credentials, the attacker has full access to your account.
If you are like up to 70% of people and use those same credentials to log on to other social media sites, the hacker will also have access to those accounts.
Now, the hacker can spy on you. They can also pose as a legitimate user and request personal information from your friends and followers.
Hackers can even take complete ownership of your social media account. The hacker can change your personal information, preferences, and password, locking you out of your own account.
The latest phishing trend
Browser-in-the-browser attacks are on the rise. A phishing toolset launched this year enables hackers to build a highly convincing browser-in-the-browser fake login screen. They can then capture usernames, passwords or 2-factor authentication codes from users of Chrome, the market-leading browser with a 65% share. Only minimal editing is required. Never before has such a convincing phishing attack tool been so readily available.
Even more worryingly, these fake windows are impossible to tell apart from a legitimate login window.
Does MFA protect your account against phishing?
As more companies abandon password-only logins and opt for Multi-Factor Authentication (MFA), it’s not surprising that hackers are now working hard on phishing techniques that specifically target MFA. They now often use so-called phish kits that aim to bypass MFA. As for 2FA authenticator apps, most people don’t realise that many of them can be phished.
What’s the most effective way to prevent phishing?
Cryptography has developed a technique called Zero Knowledge Proofs (ZKPs).
The idea behind it is simple: you prove that you possess the credential, and that proof entitles you to access the account or platform, without ever handing the credential itself over. The proof is non-transferable, so if you accidentally offer it to a phisher, they can’t make further use of it to pretend to be you. That’s how MIRACL works.
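To make the "non-transferable proof" idea concrete, here is an added example of a Schnorr-style interactive zero-knowledge identification protocol. It is written for this page and is not MIRACL's protocol or code: the group parameters are a deliberately tiny toy group so the arithmetic is readable, and the class and function names are the example's own. It shows the three messages that cross the wire (commitment, challenge, response), that the secret never appears in them, and that a transcript captured by a phishing page fails against a verifier who issues its own fresh challenge.

```python
"""Schnorr-style zero-knowledge identification (added toy example, not MIRACL's code)."""
import secrets
from dataclasses import dataclass
from typing import Optional

# Toy group parameters (assumption for illustration): p = 2q + 1 with q prime and
# g = 4 a quadratic residue, so g has prime order q. Real deployments use groups of
# at least 2048 bits or elliptic curves so that x cannot be recovered from y = g^x.
P = 2039
Q = 1019
G = 4


@dataclass(frozen=True)
class Transcript:
    """Everything an eavesdropper or a phishing page could capture."""
    commitment: int  # t = g^r mod p
    challenge: int   # c chosen by the verifier
    response: int    # s = r + c*x mod q


class Prover:
    """Holds the secret x; only ever emits values derived from it, never x itself."""

    def __init__(self, secret: Optional[int] = None):
        self.x = secret if secret is not None else secrets.randbelow(Q - 1) + 1
        self.public_key = pow(G, self.x, P)  # y = g^x, registered once with the verifier
        self._r: Optional[int] = None

    def commit(self) -> int:
        self._r = secrets.randbelow(Q - 1) + 1  # fresh nonce for every login
        return pow(G, self._r, P)

    def respond(self, challenge: int) -> int:
        if self._r is None:
            raise RuntimeError("respond() called without a preceding commit()")
        s = (self._r + challenge * self.x) % Q
        self._r = None  # never reuse the nonce: two responses with one r would reveal x
        return s


class Verifier:
    """Knows only the public key y and picks a new random challenge each time."""

    def __init__(self, public_key: int):
        self.y = public_key

    def challenge(self) -> int:
        return secrets.randbelow(Q - 1) + 1  # in [1, q-1]

    def check(self, commitment: int, challenge: int, response: int) -> bool:
        # Accept iff g^s == t * y^c (mod p); holds exactly when s was built from x.
        lhs = pow(G, response, P)
        rhs = (commitment * pow(self.y, challenge, P)) % P
        return lhs == rhs


def run_login(prover: Prover, verifier: Verifier) -> tuple[bool, Transcript]:
    """One interactive login; returns the verdict and what went over the wire."""
    t = prover.commit()
    c = verifier.challenge()
    s = prover.respond(c)
    return verifier.check(t, c, s), Transcript(t, c, s)


def replay_captured(transcript: Transcript, verifier: Verifier) -> bool:
    """A phisher who captured a transcript presents it to the real verifier.

    The verifier issues its own challenge; not knowing x, the phisher can only
    send the old response, so the check fails whenever the challenge differs.
    With the toy q the challenge repeats with probability 1/q, so the example
    forces a different one to keep the demonstration deterministic.
    """
    fresh_c = verifier.challenge()
    if fresh_c == transcript.challenge:
        fresh_c = fresh_c % (Q - 1) + 1
    return verifier.check(transcript.commitment, fresh_c, transcript.response)


if __name__ == "__main__":
    prover = Prover()
    verifier = Verifier(prover.public_key)
    ok, transcript = run_login(prover, verifier)
    print("honest login accepted:", ok)
    print("captured transcript:", transcript, "(secret x is not in it)")
    print("replay of captured transcript accepted:", replay_captured(transcript, verifier))
```

The property the example demonstrates is that a captured exchange is worthless to a phisher because the genuine verifier's challenge is random and fresh each time. The protocol also relies on the prover never reusing its nonce `r`: the comment in `respond` marks why it is discarded after one use.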
MIRACL login provides strong protection against all forms of phishing or indeed almost any form of remote attack. It provides multi-factor authentication in one single step, and MIRACL's 99.9% login success rate exceeds that of social login.
ZKPs have never been more valuable. Make sure your authentication system is armed with one. Get in touch with us to find out how to make your business safer, or you can sign up for our newsletter here.