A phishing attack is a type of social engineering attack that malicious attackers often use to steal sensitive data such as login credentials and credit card information. Phishing is one of the biggest cyber threats organizations face. 80% of organizations fell for phishing attacks in 2021 according to Proofpoint’s 2021 State of the Phish report. Threat actors carry out these attacks in multiple ways. Let us look at the different types of phishing attacks.
Types of Phishing
Email Phishing: This type of phishing attack is sent via email and asks you to perform some action with a sense of urgency. It normally requires you to click on a link that redirects you to a fake website that might request login credentials. These fake websites are normally cloned versions of legitimate websites, used to trick users into entering their login credentials.
Spear Phishing: This is a phishing attack targeted at a single entity. Before performing this type of attack, attackers normally have some basic information about the victim. This could be their name, place of employment, job title, email address, or specific information about their job title. These phishing attacks are much more convincing because the attacker has some information about the victim.
Some Phishing Techniques
The sender is requesting your credentials
One of the most obvious signs of a phishing scam is an email that requests your login credentials or financial information. This is a trick malicious actors use to gain access to your sensitive information and steal your identity. If you receive an email that asks you to enter login information, a username, a password, or credit card information, it is more than likely a phishing attempt. People try to get you to enter your credentials in a few different ways, including "customer service" emails from banks, utilities, or other companies you have an account with; emails from companies you have an order with that ask for your login information; and emails from companies with which you do not have any kind of account.
The email asks you to click on a link
Another common phishing technique is to entice you to click on a link in the email. Threat actors often craft their emails so that they appear to come from a trusted source, such as your bank or credit card company. These emails may direct you to click on a link, usually to update your account information, and promise that doing so will help you avoid any problems. But that link may take you to a phishing website that will steal your information or, sometimes, take full control of your device via a zero-click attack when you visit the malicious website by clicking on the link sent to you. The same is true for emails from companies with which you have an account. If an email from your bank or credit card company directs you to click on a link, the best thing to do is contact them through their legitimate phone number or website to confirm that the email is authentic.
The email’s language is awkward or poorly written
Another tell-tale sign that an email is a phishing scam is if it
is awkwardly or poorly written. If you receive an email from a company,
especially one you do business with, they will probably address you by your
name. However, phishing emails rarely address you by name, or they will use a
general salutation, such as "Dear User," "Dear Customer,"
or even "Hello." Phishing emails are often written in an overly
formal or corporate style, which is typically a clear sign that something is
amiss. Likewise, the tone of the email may sound off, or the language may be
riddled with spelling or grammatical mistakes.
You are unfamiliar with the sender
Another red flag is if you do not recognize the sender of the
email. If you receive an email from a company with which you do not do business,
scrutinize it before taking any action; if the company has a wrong address or
contact name, or if the email is from a person you do not know, it is likely a
phishing scam. If you have an account with a company, but the name of the
person emailing differs from the one listed on your account, it may be a
phishing attack.
You were not expecting the email, or it was not requested but responded to beforehand
Finally, a sure-fire sign that an email is a phishing attempt is
if you were not expecting it, or it was not requested but responded to
beforehand. Companies will not send you an email out of the blue and expect you
to know what they want. If you are expecting an email from a company, but you
do not receive it, you should not send them an email asking when to expect it.
You should always be careful when receiving unexpected emails from companies;
if there is something you need to do or update, they will probably contact you
through another means, such as a phone call or postal mail.
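The warning signs above can be turned into a simple mail-triage check. The following is an added example, not code from the original article: it parses a message with Python's standard `email` module and reports the four signs that can be tested mechanically (credential request, link, generic salutation, unfamiliar sender). The sample message, the domains and the `KNOWN_SENDER_DOMAINS` list are constructed assumptions; whether an email was expected cannot be judged from the message alone.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real email); every name and domain is made up.
SAMPLE = """\
From: "Account Support" <support@example-billing.test>
To: user@example.org
Subject: Action required: verify your account

Dear Customer,

We detected a problem with your account. Please confirm your username and
password immediately at http://example-billing.test/login to avoid suspension.
"""

# Assumption: domains of the organizations this recipient actually deals with.
KNOWN_SENDER_DOMAINS = {"example.org", "mybank.example"}

CREDENTIAL_TERMS = re.compile(r"\b(password|username|log-?in|credit card)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*(dear (user|customer)|hello)\b[\s,!.]*$", re.I | re.M)
LINK = re.compile(r"https?://[^\s<>\"']+", re.I)


def phishing_signs(raw_message, known_domains=KNOWN_SENDER_DOMAINS):
    """Return the article's warning signs that this message shows."""
    msg = message_from_string(raw_message)
    # Only text/plain parts are inspected; HTML and attachments are ignored.
    body = "\n".join(
        part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signs = []
    if CREDENTIAL_TERMS.search(body):
        signs.append("requests credentials or financial information")
    if LINK.search(body):
        signs.append("asks you to follow a link")
    if GENERIC_GREETING.search(body):
        signs.append("generic salutation")
    if sender_domain not in known_domains:
        signs.append("unfamiliar sender")
    return signs


if __name__ == "__main__":
    for sign in phishing_signs(SAMPLE):
        print("warning:", sign)
```

A message that shows several of these signs deserves verification through the organization's legitimate phone number or website before any action is taken; a single sign on its own is weak evidence.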
Conclusion
Phishing attacks are nothing new, in that they have been around for decades. However, it is only recently that the frequency and effectiveness of phishing attacks have skyrocketed. Now, more than ever before, businesses (and consumers) need to be on high alert when receiving emails from people or companies they do not know. But how can you tell whether an email is a phishing scam? If you think an email might be a phishing attack — for example, if it asks you to give up personal information or click on a link — then it probably is. Phishing scams almost always have obvious warning signs you can see with a bit of careful consideration. The good news is that the more aware you are of these signs of phishing emails, the less likely you are to fall victim to one of these malicious attacks.
Author: Enock Augustt | Penetration Tester | Member, IIPGH
For comments, contact email: it@inveteckglobal.com or Mobile: +233 (25) 686-7366
Source: www.iipgh.org