Phishing attacks are not what they used to be. Back in the old days, spammers and scammers used to send mass email campaigns leading people to a false website. Now the techniques have been evolved. Nowadays targeted attack tactics are more popular. Phishing has become far more sophisticated than a suspicious mail or a message tempting a random individual to click on a link or provide their personal details. Usually, phishing focuses on targeting an individual.
Following lists consists of a few examples on how a phishing website approaches an individual:
- Mark your goal – What do you want to gain? Money, Information, PII, CC numbers.
- Choose your target – Locate the correct VP, Director or C-Levels. Selecting your target depends on what you want to achieve.
- Perform a Background check – Plays golf, Married, 2 kids, Favorite car, anniversary coming up soon and liked Flower.com on FB.
- Launch your attack – Send a congratulation email from flowers.com including a link for a free anniversary gift.
The idea is to gain the victim’s trust by using information that they can feel secure with. Scammers take that and add a free gift with a malicious link and they succeed in a spear phishing attack. The link could download a piece of malware for monetary or spying purposes or could trick the victim into giving out their CC number or other sensitive information.
Securing against phishing attacks requires businesses to keep up with the ever evolving threat of phishing.
Here are three key phishing techniques that compromise companies to obtain several individuals’ details:
- DNS-based phishing gives and takes your host files or domain names that lead your customers to a false web page to enter their personal or payment details.
- Content-injection phishing is associated with the criminal content, such as code or images, being added to your or your partners’ websites to acquire personal information from your staff and customers such as login details. This type of phishing often targets individuals that use the same password across different websites.
- Man-in-the-middle phishing involves criminals placing themselves between your company’s website and your customer. This allows them to take hold of all the information your customer enters, such as personal information and credit card details.
Four ways that companies can defend against phishing attacks include:
- Use an SSL Certificate to secure all traffic that goes to and fro from your website. This protects the information being sent between your web server and your customers’ browser from eavesdropping. Ordering an SSL certificate can be very simple with the right preparation. You’ll generally need to create a CSR and prepare your WHOIS record and company validation documents.
- Certificate authorities now issue scalable certificates. Depending on what the user’s web browser and the web server support, certificates can be used at low encryption rates (40-bit encryption), normal encryption rates (128-bit encryption), or even higher encryption rates (usually up to 256-bit encryption).
- Keep regular updates on cyber security issues to ensure that you are protected at all times. You and your providers should install all the latest patches and updates to protect against vulnerabilities and security issues. This includes website hosting, blogs, shopping cart software and content management software.
- Provide regular security training to your staff so that they are aware of and can identify phishing scams, social engineering threats, and malware.
- Always use a Securely Hosted Payment Page. This is the best practice for reducing risk to your customers’ card data. Use a payment gateway provider that has an updated PCI DSS and ISO 27001 certifications from independent auditors. This ensures that your customers’ payment details are protected at all times.
How to protect your organization:
- Employ clear guidelines – You have to be hesitant even if you know the sender. If you don’t know the sender, either check with your IT department or delete the email.
- Educate employees to use the web securely.
- Invest in security controls for cases where your employees make a mistake…. they will.
- Analyze your internal development processes to make sure your internal applications are not easily exploitable whether containing employee data or financial statements.
It’s very important to instruct your employees about the tactics of phishers. Proper training should be provided to employees on security awareness as part of their orientation. Inform them to be cautious of emails with attachments from people they don’t know. Let them know that no trustworthy website would ask for their password over e-mail. Additionally, people need to be watchful which browsers they utilize. Read all URLs from right to left. The last address is the true domain.
– Poonam Yadav
