Phishing attacks deliver every kind of malware, ransomware included, and what’s worse is that these attacks are on the rise.
Starting in 2012, ransomware took the Internet by storm, thanks to the latest phishing techniques. Unsuspecting and unprepared users, both individuals and businesses, found their screens frozen, their data no longer their own, and the only chance of getting it back coming in the form of sending payment, usually with untraceable cryptocurrency, to the perpetrators of the crime.
The number of these attacks grew year after year, topping 181 million in just the first six months of 2018, a 229% increase over the same timeframe in 2017. From there, a funny thing happened. Security, user awareness, and organizational control started catching up with ransomware in the second half of 2018. By the end of December 2018, ransomware attacks had dropped 60% year over year.
Unfortunately, a decline of one form of malware tends to be cold comfort and hardly the end of the threat overall. Stymied in their attempts to use ransomware to rip users off, cybercriminals are turning back to the stratagem of phishing, one of the Internet’s oldest and most effective mechanisms of hacking. Using protective antivirus software on your machine is a must in this case.
The Phishing Surge of 2018
Between January and December 2018, Microsoft reported a 250% increase in phishing, with more than 470 billion sketchy email messages polluting the Internet ecosystem.
It is noteworthy that phishing involves shady practices of trying to hoodwink users into visiting a website where either their data is stolen or their systems are infected with some sort of malicious software. To get their hooks into would-be victims, the crooks usually leverage links or attachments in email messages, links in social media messaging, or texts in popular instant messengers.
The phenomenon of phishing is heterogeneous and spans several sub-categories based on the target and the channel used to orchestrate the attack. The ones known as spear phishing and whaling have proved to be particularly dangerous and effective. Whereas a mainstream phishing campaign involves dodgy messages sent to numerous people and therefore resembles a shot in the dark to an extent, spear phishing zeroes in on a particular user.
To prep for such an attack, threat actors perform thorough research and figure out the target’s pain points, habits, and lifestyle details. This information allows the malefactors to tailor a refined message the victim can’t help opening.
Whaling, another increasingly common type of phishing, focuses on top executives within a particular organization. By compromising a CEO’s email account, for instance, attackers can impersonate the victim and send booby-trapped messages to employees who will plunge headlong into following the enclosed instructions because they trust the sender.
As they did with ransomware, users were able to evolve to a point where it became a lot easier to identify phishing attempts. Unfortunately, cybercriminals are always looking for new ways to manipulate individual users and businesses, so they have been hard at work coming up with new techniques to succeed. That has led to at least seven new types of phishing attacks on the rise that are covered below:
- Links to rogue cloud storage locations: This method is being heavily used to phish employees of a company who are usually not well versed in every piece of software and every resource their company uses. A fake cloud link will ask for a username and password. Employees usually have one overarching password for all or most of their work-related logins, and typing it in here would give hackers that coveted information.
- Phishing attachment: Even if the recipient is smart enough to refrain from clicking a link in a phishing email, the attachment can open when the email is opened.
- Credential phishing links: Fraudsters can tailor an email that looks just like a genuine message from a service provider the targeted person uses. When it asks for credentials, the die is cast.
- Fake texts: Getting a user’s phone number allows cybercriminals to send texts that appear to come from familiar sources but are actually luring the user to a phishing website.
- User impersonation: The hacker pretends to be someone you know to gain your trust and dupe you into clicking a link or downloading a malicious file.
- Domain impersonation: An email message domain looks very similar to the one you trust, except that it has inconspicuous typos, such as a message from bankoamerica.com instead of bankofamerica.com.
- Domain spoofing: The email message is a fraudulent exact match of the legitimate domain name. The hacker obfuscates the real domain underneath.
Fighting Back Against Phishing
Exercising reasonable caution with every message you get via IM, text, or email is a rule of thumb to stay safe against phishing attacks. Anything that looks the slightest bit suspicious should be ignored and deleted. If you are unsure whether it comes from a trusted source, contact that source via another method to confirm they sent it.
To be a moving target, learn to identify the obvious giveaways of a phishing fraud. Look for spelling mistakes and other inaccuracies in the message and the sender’s email address. If you have ventured into clicking a link in a dubious email, check whether the resulting web page has a valid SSL certificate.
Moreover, beware of messages that set a deadline or otherwise coerce you to do something – the pressure is a telltale sign of phishing. Importantly, keep in mind that legit service providers won’t ask for sensitive information such as your login credentials – they already have it.
Above all else, well-known antivirus software for your machine should be researched, installed, and consistently updated to keep your system safe. Updating the software keeps its malware database aware of the most recent threats and reliably protects you against them.