Phishing-Common Types and Tips for Prevention

By Nsanzimana Gilbert

Phishing is a social engineering technique in which the victim is contacted by a fraudulent person or entity posing as the familiar and legitimate. Phishing is intended to persuade a user to take an action that they would not normally take, it could be intended to get the user install a malicious software, give access to sensitive company information, or even reveal their credit card details.
FBI recorded Phishing as the most common type of cybercrime in 2020. Verizon’s Data Breach Investigation Report 2021 indicates that 75 percentage of organizations around the world experienced some kind of phishing.
Cybercriminals take note of what’s trending all over the world to lure users into certain actions. They impersonate every kind of entity possible ranging from government entities, businesses, health organizations, and individuals to lure victims into an attack.

Due to the current worldwide health unrest, Pandemic themed scams are becoming a daily matter and organizations must be on guard.

The Centre for Disease Control (CDC) recently warned the general public concerning cyber criminals that are sending messages and calls with intentions of luring victims into phishing attacks.

Common Types of phishing

1. Email Phishing

Email Phishing is the most common phishing type that accounts for 44 percent of all phishing attacks according to the research conducted by Checkpoint
Criminals send emails to prospective victims with persuasive messages which cause a sense of urgency or threat to the victim. This is intended to give them no room for thought and consultation.  Criminals register fake domains that look like the authentic ones to one that is not very careful. An example of a fake domain can be my-school.com instead of myschool.com or mysch00l.com.
In the third quarter of 2020, Microsoft, DHL, Google, PayPal, Netflix, Facebook, Apple, Amazon, Whatsapp and Instagram were ranked as the top brands that appeared in brand phishing attempts. In an article entitled how to spot suspicious emails, Arthur has given out hints on how to identify a phishing email.

2. Spear Phishing

While email phishing may be targeting random victims, Spear phishing is more specific about the victim. The criminal usually has some reliable information about the victim such as their name, email address, workplace, Job title and workmates. The victim uses this information to make their attack more effective by sending a personalized email that the victim may find difficult to doubt the source.

3. Vishing and Smishing

Vishing (Voice Phishing) involves a phone conversation—typically the phisher will pretend to be calling as a scam investigator for a credit card company or a bank familiar to the victim. The criminal then claims that the victim’s account has been breached and they have to share the credentials with the investigator for the account reset.
Smishing (SMS Phishing) involves sending of a usual SMS instead of an Email. Messages often come with a link to click with a persuasive text such as a coupon for a discount.

4. Angler Phishing

These use social media accounts that are purportedly for a well-known company. Criminals make the account resemble the legitimate as much as they can, with the same profile picture and any other details they can forge.
Criminals take advantage of the clients’ tendency to male inquiries, complaints via the social media platforms of certain companies. They therefore setup a legitimate-looking handle and wait for unsuspicious users to send in their queries. When the criminals receive the queries, they ask for personal information and finally they achieve their goals.

5. Whaling/CEO Fraud

Cyber criminals do their research to find out the names that the organization’s CEO or another senior member of leadership uses to communicate with the other employees. They then impersonate the CEO and send messages to affiliated companies or employees asking for a money transfer or some other important information that would not otherwise be shared.

Tips To Avoid Phishing

Phishing as discussed above, uses someone within the company as a medium to the attack. Recent phishing attacks are however very sophisticated that employees may still fails to detect them.

1. Train Employees

The most sophisticated tools in place may fail if the first line of defense (employees) are not aware of the evolving nature of phishing. It is paramount for every organization to often have training sessions for the employees to get acquainted with the basic practices of identifying phishing attempts and report them to the security teams.

2. Install Security Patch updates regularly

Software companies keep revising their products to identify and correct possible vulnerabilities. It is essential to always run updates in order to get the most recent security patches for every software on your computer.

3. Use Email Filters

Email filters can scan for additional risks such as attempted phishing. Criminals also usually hide malicious code in active contents and Email filters can help detect such.

4. Implement Multi-Factor Authentication

Phishing often intends to steal account credentials. Using MFA will protect your account from being accessed without your consent.

5. Endpoint monitoring and Protection

Remote workforce introduces a high risk of insecure endpoints. Cybercriminals target endpoints to get access to company’s data. Security teams must make it a priority to always monitor endpoints for security threats and implement possible solutions to secure them.