The methods used by cybercriminals are becoming more and more advanced and are causing more damage to victims every year. One well-known and increasingly popular method used by attackers is phishing. This cybercrime scam is also constantly evolving and now uses particularly sophisticated tactics. In this article, we explain what is commonly understood by phishing and what the various methods are.
What is phishing?
Phishing is a method designed to trick you into revealing passwords, credit card numbers, and other sensitive information by having the scammers pose as a trusted person or institution. Those who have already been affected by an attack fell for email phishing most often (56%). This was followed by phishing websites (36%), phone phishing (22%) and fake SMS (10%).
Phishing is therefore the most popular scam used by cybercriminals. In the first quarter of 2020 alone, the threat of phishing attacks increased by 21% compared to the fourth quarter of 2019, and for good reason, because a successful phishing attack can open up additional gateways. This makes phishing one of the biggest risks you should protect yourself and your employees from.
But phishing can be carried out in various ways and has long since ceased to be limited to the common e-mail phishing.
Cybercriminals “phish” for your sensitive data with these 10 phishing methods
From clone phishing to smishing to whaling, there are numerous phishing methods that attackers use to get your valuable data in different ways. Below, we have summarized the most common tactics you should protect yourself against:
1. CEO Fraud
CEO fraud occurs when a cybercriminal sends an email to an employee – often to someone who works in the accounting or finance department – pretending to be the company’s CEO or another executive. The goal of these emails is to get the recipient to transfer funds to a fake account.
2. Clone Phishing
A clone phishing attack takes advantage of legitimate messages that the victim has already received to create a malicious version of them. This is then sent from an email address that looks legitimate. All links and attachments from the original email are replaced with malicious ones. The cybercriminals use the excuse that there were problems with the links or attachments in the previous mail, trying to trick users into clicking on them.
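One way a mail filter or analyst can check for the link swap described above is to compare a "resent" message against the original and report links that keep their visible text but point at a different host. This is an added example, not part of the original article; the function names, sample messages and hosts are constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # normalise whitespace
            self.links.append((text, self._href))
            self._href = None

def link_hosts(raw_message):
    """Map each anchor text in the HTML part to the host its link points at."""
    msg = message_from_string(raw_message)
    hosts = {}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        collector = LinkCollector()
        collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
        for text, href in collector.links:
            hosts[text] = urlsplit(href).hostname
    return hosts

def retargeted_links(original_raw, later_raw):
    """Anchor texts present in both messages whose link host has changed."""
    old, new = link_hosts(original_raw), link_hosts(later_raw)
    return {t: (old[t], new[t]) for t in old.keys() & new.keys() if old[t] != new[t]}

# Constructed sample messages (hosts are placeholders under reserved names).
ORIGINAL = ("From: billing@example.com\nSubject: Your invoice\n"
            "Content-Type: text/html; charset=utf-8\n\n"
            '<p><a href="https://portal.example.com/inv/1">View invoice</a></p>\n')
RESEND = ("From: billing@example.com\nSubject: Your invoice (fixed link)\n"
          "Content-Type: text/html; charset=utf-8\n\n"
          '<p>Sorry, the link was broken: '
          '<a href="https://portal-example.test/inv/1">View  invoice</a></p>\n')
print(retargeted_links(ORIGINAL, RESEND))
```

The same comparison can be extended to attachment names and hashes, since the article notes that attachments are replaced as well.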
3. Domain Phishing
In this method, the domain (website) of a company or organization is faked. To bring users to this domain, emails are sent – either with the sender of the domain, or via fake addresses of trusted contacts. The email can contain a credible text with a link, or just a link. The link is either clickable or inactive, in which case the recipient has to copy it into the browser's address bar. In the latter case, it is hard even for security filters to detect the phishing attempt. Once on the website, the visitor is tricked into revealing personal information. Common examples of domain spoofing are privacy requests, sweepstakes, security checks, etc.
4. Evil Twin
In Evil Twin phishing, the attacker's equipment pretends to be a legitimate WiFi access point, which allows the attacker to collect personal or business information without the user’s knowledge. This type of attack is also known as the Starbucks scam because it often takes place in coffee shops. The cybercriminal creates a WiFi hotspot that looks like the real one – it even uses a service set identifier (SSID) that is identical to that of the real network. When the user connects, the attacker can eavesdrop on their network traffic and view sensitive data.
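Because an evil twin reuses the real SSID, a defender has to look at other attributes of the access point. The following added example (not from the original article) checks wireless scan results against an inventory of known access points; the inventory, the scan data and the field names are constructed, and the mixed-security rule for unlisted networks is a heuristic assumption.

```python
from collections import defaultdict

# Constructed inventory: the access points the organisation actually operates.
KNOWN_APS = {
    "CorpWiFi": {"bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
                 "security": "WPA2-Enterprise"},
}

# Constructed scan results, shaped like the output of a wireless survey.
SCAN = [
    {"ssid": "CorpWiFi", "bssid": "aa:bb:cc:00:00:01", "security": "WPA2-Enterprise"},
    {"ssid": "CorpWiFi", "bssid": "de:ad:be:ef:00:99", "security": "Open"},
    {"ssid": "CoffeeShop", "bssid": "11:22:33:44:55:66", "security": "WPA2-PSK"},
    {"ssid": "CoffeeShop", "bssid": "11:22:33:44:55:77", "security": "Open"},
]

def suspicious_aps(scan, known):
    """Return {bssid: [reasons]} for access points that merit a closer look."""
    findings = defaultdict(list)
    modes = defaultdict(set)  # every security mode seen per SSID
    for ap in scan:
        modes[ap["ssid"]].add(ap["security"])
    for ap in scan:
        ssid, bssid = ap["ssid"], ap["bssid"].lower()
        entry = known.get(ssid)
        if entry:
            if bssid not in entry["bssids"]:
                findings[bssid].append("known SSID from unlisted BSSID")
            if ap["security"] != entry["security"]:
                findings[bssid].append("security differs from inventory")
        elif ap["security"] == "Open" and len(modes[ssid]) > 1:
            # Heuristic: the same network name offered both protected and open.
            findings[bssid].append("open AP sharing SSID with protected AP")
    return dict(findings)

print(suspicious_aps(SCAN, KNOWN_APS))
```

A matching BSSID is not proof of legitimacy, since hardware addresses can be cloned too; treat a clean result as "nothing obvious" rather than "safe".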
5. Smishing
Smishing is the short form of “SMS phishing”. In smishing, a text message is sent to the recipient’s smartphone that appears to come from a trusted source and contains malicious URLs that users are supposed to click on. Often, alleged coupon codes for discount promotions, free tickets to events or other benefits are promised. The goal is to obtain confidential information that cybercriminals can use to steal your online identity.
6. Spear Phishing
Spear phishing emails target specific individuals within an organization. Using social engineering tactics, the attackers tailor and personalize the emails to their intended victims. For example, email subject lines may contain interesting topics that tempt the recipient to open the message and click on links or attachments. The goal is to steal data or infect the recipient’s computer with malware. This allows spear phishing attackers to gain access to the recipient’s network and accounts.
7. Vishing
The term stands for “voice phishing”, in which a criminal calls your phone to get you to hand over personal data in order to gain access to your accounts. Usually, you are not spoken to directly in the initial contact, but are encouraged to call back: a computer dials your number and immediately hangs up. When you call back, you have the perpetrator on the line, who likes to pretend to be a trustworthy person (e.g., an employee of your bank, the tax office, etc.). The attacker stirs up emotions in the victim so that the victim will hand over sensitive data – such as credit card numbers or passwords.
8. Whaling
In this case, the attack is directed against high-ranking executives such as CEOs, CFOs and COOs. The goal is to obtain sensitive information and corporate data. First, the cybercriminals generate perfectly tailored emails with information from search engines and social media. They use the correct salutation with title, name, job title and details that make the message appear trustworthy. The further procedure corresponds to spear phishing, but the selection of high-ranking addressees, along with their authority, results in an extremely high level of damage.
9. Watering Hole Phishing
This type of phishing attack specifically targets businesses. To do so, the perpetrators locate the websites that your company or employees visit most often. The cybercriminals infect these websites in such a way that when you visit them, malware is automatically downloaded to your computer. This malware, in turn, provides the attackers with access to your network, servers, and sensitive information, such as personal and financial data.
10. Pharming
This refers to the targeted manipulation of the DNS requests made by web browsers. Fraudulent emails are sent from authentic sources and ask you, for example, to perform a password change on your account. The tricky part is that the link you are supposed to click on uses the same web address as the original one, but you are redirected to a fake website. This happens either by infecting your computer, or by manipulating a DNS server so that the correct web address entered by the user is resolved to a fake IP address. Thus, the victim ends up on a fake website and unthinkingly discloses his or her data.