Email Phishing Awareness
• Introduction
• Basic Phishing – Phishing Attacks on a Large Scale
• How to Identify a Phishing Attempt
• Spear Phishing – Phishing Attacks Against Specific Employees
• Whaling – Phishing Attacks Against Executives
• Clone Phishing – Phishing by use of Duplication
• Vishing – Phishing Conducted Over the Phone
Introduction
Organizations of all kinds are being victimized by email-based “phishing” attacks that trick employees into downloading malicious attachments and accidentaly leaking their credentials. However, for many attackers, stealing credentials is not the primary goal. If credentials are stolen, attackers can intercept main lines of communication and perform personalized and convincing “spear phishing” attacks, which are highly targeted and often result in wire fraud and identity theft. It is important to identify the differences in these attacks, and how to approach each of them safely. As always, please report all suspected phishing attempts to support@level2designs.com.
Basic Phishing
If an attacker gains access to your email account, they gain access to a plethora of information that they can then use against your organization. While your email account may not directly provide an attacker with financial gain, it is important to recognize common phishing attempts to avoid compromising yourself as well as other employees. Any email which requests personal information should be considered fraudulent and reported immediately.
How to Identify a Phishing Attempt:
How to Identify a Phishing Attempt:
Attackers may use a trusted display name to get your attention, but the sending address will often be spoofed, or sent using a free email provider. If you do not recognize the sending address, be suspicious about the message’s legitimacy. Be sure to exercise caution when downloading and opening attachments. Do not enter any account credentials into any website before verifying its legitimacy. If an email pressures you into clicking a link or downloading an attachment, please refrain from doing anything until you are certain it is safe. In most cases, attackers will attempt to rush victims into making hasty decisions, before suspicion or doubt can be raised. If you’re ever unsure of a message’s legitimacy, report it to us immediately.
Spear Phishing
Once an attacker has done sufficient research on an organization, they are able to perform targeted spear phishing attacks. These attacks are personalized and are performed with a specific goal in mind. For example, they may impersonate a business partner you emailed last week, using information in previous emails to build trust and then ultimately tricking you into providing them with whatever they want. Spear Phishing techniques are harder to identify as they rely on impersonation and deceit as weapons against potential victims, instead of malicious attachments or links. Because of this, it is important to verify the identity of each person you do business with, before meeting their demands.
Whaling
Whaling attacks target senior executives who have access to valuable information or business funds. Like Spear Phishing, Whaling relies on adequate research and convincing impersonation to be effective. Whaling attacks are often disguised as any kind of confidential email which only an executive would expect to receive. Because executives are considered high value targets, attackers spend a lot of time designing Whaling attacks to make them appear as convincing as possible. Having said that, employees who hold senior management positions should scrutinize their emails very carefully. For more information, read the section “How to Identify a Phishing Attempt.”
Clone Phishing
Clone Phishing is a technique that sends a duplicate email which has been replaced with a malicious attachment or link. A cloned email may indicate that it is an updated revision of the original email, tricking the victim into believing it is legitimate. It is crucial to thoroughly examine all emails before interacting with its contents, or providing the sender with any requested information.
Vishing
Also known as Voice Phishing, Vishing consists of coercing targets into providing financial information over the phone. However, instead of impersonating an individual, most Vishing attacks involve impersonating large corporations such as Microsoft or Dell. For example, you may be redirected to a website where a popup will take control of your browser, claiming to be Microsoft Technical Support and demanding you call the number provided immediately.
Like other phishing attacks, Vishing utilizes fear tactics to pressure targets into making emotionally-charged decisions. It is important to verify the identity of anybody who is demanding your personal information over the phone. If you suspect a phone call request is fraudulent, try comparing the phone number provided with whichever company they are claiming to be.