According to the Anti-Phishing Working Group, 1.2 million individual phishing attacks took place in 2016, a 65% increase from the year before. These attacks have been observed across all industries, and the most recent Verizon Wireless Data Breach Report states that 95% of phishing attacks that led to a breach were followed by some sort of software installation, usually malware.

Phishing is no longer just about getting high-value medical records or financial information. Bad actors are looking for any information they can exploit, from sales and client lists to simply using your network as a stepping stone into your vendors' or partners' networks. With these attacks on the rise, here are three types of phishing attacks and how you can avoid them:

Types of Phishing Attacks

  1. Lookalike Attacks – Bad actors mimic real websites and emails. These can look extremely convincing and are often built to your brand's own guidelines to trick you into believing you are handing your information to a trusted source. When you land on one of these spoofed pages and enter your login credentials or personal data, for instance to claim a prize, you are handing that information to the attacker, who will either use it against a system you have access to or sell it to the highest bidder.
  2. Email Attachments – We all receive hundreds of emails a day from co-workers, friends, family and vendors looking to engage with us in some way. Many of these emails carry an attachment, and it is very hard for your email application to tell which attachments are legitimate and which carry malware. According to the VZWDBR, 66% of malware was delivered through email last year. Through social engineering, bad actors can gather information about you that only a friend would have, and they use it to trick you into downloading the file, and with it the malware they will use to exploit you.
  3. Spear/Whale Phishing – Speaking of social engineering, spear phishing and whale phishing are where attackers find their biggest targets. Spear phishing refers to highly targeted attacks on specific people on your network. Whale phishing refers to targeted attacks on highly privileged members of your network. Either way, the attacker is looking for enough information about you to convince you they are a trusted friend, so that you accept their malware through a click, a download, or by entering your information.

(Want to see a phishing attack in action? Download our on-demand webinar here to see basic phishing and privilege escalation against Windows with Core Impact.)


How to Avoid Phishing Attacks

  1. Be Vigilant. When you receive an email from your bank or from another company you do business with, think about why they are emailing you and what they are asking for. Does your bank really need you to sign into a new service? Why does your IT department want you to download this odd-sounding file? And any time you are sent a link, hover over it with your mouse first: this shows you the address you would actually be taken to, so you can verify it isn't a lookalike domain.
  2. Are there mistakes? While you are taking a closer look at these emails and websites, make sure that everything is up to par. Commonly there will be misspelled words or incorrect domain names. Would your bank misspell things in a message going out to all of its customers? Probably not. Would it suddenly have a new .us address when it used to be .com? Also probably not. Keep an eye out for anything that looks off.
  3. Follow up by Phone. Email is undoubtedly one of the easiest forms of communication; that is why we send so many every day. When it comes to verifying an email, however, your best bet is to pick up the phone. If you get an email from your bank alerting you to mysterious charges, call the bank to verify, and don't trust a new website or a link in the body of the email to take you to the correct place. If you get an email from a co-worker that seems off, give them a call and make sure it was really them who sent it.
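The hover check in step 1 and the domain-spelling check in step 2 can also be automated at the mail gateway or in a triage script. The Python below is an added example, not code from the original post or from Core Security: it parses the anchors out of a constructed HTML email body, compares the domain shown in the link text with the host the link really points to, and flags targets whose registered domain is a TLD swap of a trusted domain (.us for .com), a one- or two-character misspelling of it, or a trusted brand name buried as a subdomain of an unrelated domain. The trusted-domain list and the sample message are assumptions made up for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation legitimately uses (constructed list for this example).
TRUSTED_DOMAINS = {"examplebank.com"}

# Something that looks like a domain name inside the visible text of a link.
DOMAIN_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

# Constructed HTML email body: one legitimate link followed by three suspicious ones.
SAMPLE_EMAIL = """
<p>Please <a href="https://secure.examplebank.com/login">sign in</a> to review your statement.</p>
<p>Or visit <a href="http://examplebank.us/verify">www.examplebank.com</a> to verify your account.</p>
<p>Need help? <a href="https://examp1ebank.com/help">Help center</a></p>
<p>Statements: <a href="http://examplebank.com.login-portal.test/">examplebank.com</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text that sits inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(value):
    """Lower-case host of a URL or bare domain ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def registered_domain(host):
    """Naive registrable domain: the last two labels. Use a public-suffix list in production."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href, text):
    """Reasons a link looks like a lookalike; an empty list means nothing suspicious."""
    findings = []
    target = host_of(href)
    target_reg = registered_domain(target)

    # The hover check: does the domain shown in the text match where the link really goes?
    shown = DOMAIN_RE.search(text)
    if shown and registered_domain(host_of(shown.group(0))) != target_reg:
        findings.append("display/target mismatch")

    # The spelling check: is the target a misspelling or TLD swap of a domain we trust?
    name, _, tld = target_reg.partition(".")
    for trusted in TRUSTED_DOMAINS:
        trusted_reg = registered_domain(trusted)
        if target_reg == trusted_reg:
            continue  # the genuine domain, or a subdomain of it
        trusted_name, _, trusted_tld = trusted_reg.partition(".")
        if name == trusted_name and tld != trusted_tld:
            findings.append(f"TLD swap of {trusted_reg}")
        elif trusted_reg in target:
            findings.append(f"brand {trusted_reg} used as a subdomain of {target_reg}")
        else:
            distance = edit_distance(name, trusted_name)
            if distance <= 2:
                findings.append(f"lookalike of {trusted_reg} (edit distance {distance})")
    return findings


def analyze_email(html):
    """(href, findings) for every link in the message that triggered at least one finding."""
    suspicious = []
    for href, text in extract_links(html):
        findings = classify_link(href, text)
        if findings:
            suspicious.append((href, findings))
    return suspicious


if __name__ == "__main__":
    for href, findings in analyze_email(SAMPLE_EMAIL):
        print(href)
        for finding in findings:
            print("   -", finding)
```

Run against the constructed message, the legitimate `secure.examplebank.com` link produces no finding, while the `.us` swap, the `examp1ebank` misspelling and the brand-as-subdomain host are each reported with the reason. The registered-domain logic deliberately takes the last two labels only, which is wrong for suffixes such as `.co.uk`; a real deployment should use the public suffix list, and the edit-distance threshold will need tuning for short brand names.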

These are easy ways to avoid an attack, and they all come down to proper awareness and training on what not to do.

Are you training your team? You should be. Phishing attacks increased by 65% last year and will increase again in 2017. The only way to truly fight back is to make sure your team is ready.

For more information on how to train your team to detect phishing scams, register for our webinar on May 31st at 11 A.M. EST.