Did you know that companies like Facebook and Google have suffered losses of up to $100 million due to phishing attacks?
The bad news is that this type of cyber attack, which is often referred to as “business email compromise”, is still a big threat to every company.
Let's understand more deeply what phishing is and its dangers to your business. In this article, you'll also learn about the different types of phishing attacks and some powerful tips to prevent them.
What is Phishing?
Phishing is a type of cybercrime that uses email, telephone, or text messages to trick victims into providing sensitive data in the form of login information or credit card details.
In this attack, the perpetrator poses as a legitimate institution and sends a message containing a URL/website that has been designed to look very professional.
Basically, phishing is also included in the category of social engineering attacks. So, this type of attack is not carried out by exploiting system or network security gaps, but by exploiting the psychological aspects of the victim.
That is why phishing perpetrators will interact and communicate directly with victims, then take advantage of their lack of understanding or awareness of the dangers of providing sensitive information.
In general, phishing contains the following:
- Attention-grabbing offers or statements
Some phishing messages include tempting offers, such as a notice that you have won a certain prize. The perpetrator may also write a statement meant to get your attention, such as news that your bank account has been compromised by hackers.
- URLs or attachments
Then, attackers will manipulate your actions to click on URLs or attachments. For example, you may be directed to visit a specific website to claim a prize or fix a problem with your bank account.
- Sender addresses and suspicious sites
Hackers will use a sender name and website address that are almost identical to those of the official company. However, if you look closely, you will find spelling or writing errors in both (for example, paypai.com: in this example, the attackers replace the letter l with i, which looks similar).
- Utilizing a sense of urgency
The attacker will also push you to act immediately. An example is a message saying that the prizes offered are limited and can only be claimed within a certain period of time.
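The look-alike sender and site addresses described above (the paypai.com case) can be checked mechanically. The following is an added example, not part of the original article: it folds commonly swapped characters and compares the sender domain and every URL in a message against a list of trusted domains. The trusted list, the character table and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains your organisation really deals with (constructed list).
TRUSTED = {"paypal.com", "google.com", "facebook.com"}
# Constructed table of characters commonly swapped for a look-alike.
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "0": "o", "5": "s"})

def skeleton(domain):
    """Fold look-alike characters so paypai.com and paypal.com compare equal."""
    return domain.lower().replace("rn", "m").translate(CONFUSABLE)

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, else None."""
    domain = domain.lower().rstrip(".")
    if domain in TRUSTED:
        return None  # the real thing, not an imitation
    for good in TRUSTED:
        if skeleton(domain) == skeleton(good):
            return good
    return None

def scan(raw_email):
    """List (where, domain, imitated) for the sender and every URL in the body."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1]
    hosts = [("From", sender.rpartition("@")[2])]
    for url in re.findall(r"https?://[^\s>\"']+", msg.get_payload()):
        hosts.append(("URL", urlparse(url).hostname or ""))
    findings = []
    for where, host in hosts:
        # Simplification: last two labels; production code needs the Public Suffix List.
        base = ".".join(host.split(".")[-2:])
        imitated = lookalike_of(base)
        if imitated:
            findings.append((where, base, imitated))
    return findings

# Constructed sample message using the article's paypai.com example.
SAMPLE = """\
From: PayPal Support <service@paypai.com>
Subject: Your account is limited - act within 24 hours

Confirm your details at https://www.paypai.com/verify or read
https://www.paypal.com/help first.
"""
print(scan(SAMPLE))
```

The genuine paypal.com link in the same message is not flagged; only domains that differ from a trusted one yet fold to the same skeleton are reported.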
Types of Phishing Attack
The following are some types of phishing attack:
1. Spear Phishing
In spear phishing, hackers target a specific individual. Therefore, perpetrators usually rely on personal touch by mentioning the victim's name, position at work, company name, email address, and even specific information about his role/duties in the company.
It could be said that the attackers had already studied the victim's profile through various sources, including social media (especially LinkedIn).
The victims, who do not realize that they are being targeted by phishing, then assume that the messages come from co-workers or people who have connections with them. So, they are then compelled to click on the URL or attachment sent by the perpetrator.
2. Whaling
Unlike spear phishing, whaling targets more specific victims, namely executives or board members. That is why this type of phishing is also known as CEO fraud because it targets big fish or important people in the company.
Whaling attack techniques are also more sophisticated than other types of phishing. Attackers will not only prepare emails with more perfect personalization, but also create a special website to carry out this attack.
The danger is that both the email and the website contain complete information and have been adapted to the tone and language of the company, thus making whaling often difficult to detect.
3. Vishing
As the name suggests, vishing or voice phishing is a type of attack that is launched over the phone and utilizes Voice over Internet Protocol (VoIP) technology.
Most attackers will impersonate a bank or law enforcement agency wanting to let you know that your account is in trouble.
The perpetrator then asks you to provide your credit card details, personal data, as well as your account details (including username and password).
In some cases, attackers also ask you to transfer your money to an account they claim to be more secure (which actually belongs to the perpetrator).
4. Smishing
Smishing, or SMS phishing, is a form of phishing attack that uses text messages (SMS, Short Message Service). Like phishing emails, messages sent in smishing also contain links that direct you to a website, or recommend that you install certain applications that have been embedded with malware.
Sometimes, attackers also trick you into calling fake customer support numbers. The perpetrator will then claim to be customer service and ask you to provide your personal data.
5. Angler Phishing
Along with the increasing popularity of various social media platforms, attackers are also starting to develop new methods to launch phishing attacks through these channels. The trick is to create fake social media accounts in the name of a company.
Later, attackers will pretend to respond to customer complaints by asking them to send personal information, or direct them to a site that has been designed to resemble the official website.
Then if you write your account information in the fake web login area, all your data will be automatically sent to the hackers.
How to Prevent Phishing
After discussing the definition and types of phishing attacks, now let's understand some surefire tips to prevent them.
1. Always Stay Up to Date With Phishing Developments
Like other cybercriminal threats, phishing attacks are constantly being developed by hackers. Therefore, make sure that all departments in your company continuously update their knowledge about phishing, attack techniques, and their characteristics.
One of the best ways is to hold regular training sessions on the dangers of phishing threats and preventive measures. Not only that, but also instill awareness that maintaining cyber security is your company's top priority.
2. Two-factor authentication (2FA) is a must
One powerful method of preventing phishing is to enforce two-factor authentication. In this way, attackers will find it difficult to access your account because they are required to complete an additional authentication mechanism, such as answering secret questions, entering verification codes from other devices, or scanning fingerprints.
3. Take advantage of Anti-Spam and Anti-Phishing Tools
Since one of the main channels used to launch phishing attacks is email, you can also take advantage of the spam filter feature of your email service. The good news is that it can detect malware, block malicious URLs, analyze email content and formats, and many other functions to prevent phishing from entering your inbox.
Apart from that, you can also install anti-phishing add-ons/extensions on your browser. Amazingly, the tool can automatically block malicious websites, keep your data and privacy safe, and guarantee that you can avoid phishing threats.
4. Strengthen Server/Network with Layered Security
Then, equip your entire communication and data transfer process with strong encryption, such as via HTTP Secure (HTTPS), Transport Layer Security (TLS), Secure Shell (SSH), or a virtual private network (VPN). In addition, strengthen the security layer by activating the firewall, anti-virus, and various other security programs.
5. Be Careful in Using Social Media
Avoid publishing sensitive data through social media. Then, if an account in the name of a company asks you to submit personal information, double-check whether the account is really an official company contact or a phisher's account.
Of course, don't hesitate to confirm the truth of the message to the company by contacting the official contact that you can see on the brand's business website.
Conclusion
Phishing is a type of cyber attack that is often carried out by hackers. Approximately 90% of data breaches are caused by phishing, according to Cisco's 2021 Cybersecurity Threat Trends report. The most common type of phishing attack is spear phishing, which accounts for 65% of all phishing attacks.
Phishing attacks use not only email, but can also take place via text messages and telephone calls. Perpetrators will impersonate legitimate institutions and try to obtain sensitive data or infect your system/network with malware.
The best way to prevent phishing attacks is to have a deep understanding of all types and attack techniques.
Not only that, but you also need to equip your system and network with multiple levels of security: implementing two-factor authentication, utilizing spam filters, installing anti-phishing add-ons/extensions, and activating various security software.