Fraud based on social engineering continues to pose a problem for businesses, and there are no signs of this changing any time soon. Phishing emails and phishing calls (the latter are also known as vishing) are common yet effective tactics that skilled attackers use to obtain sensitive information from victims. Although they rely on the same principles they always have, these attacks remain a serious threat to all kinds of targets.
While phishing emails and vishing attacks are serious problems for both individuals and organizations, today we are going to focus on the challenge they pose for businesses. Criminals profit greatly from stealing commercial and financial data through these methods. That is why businesses urgently need to reinforce their security procedures to avoid losses.
Examples of Phishing Email Attacks
On the My IT Guy blog, we have talked about phishing attacks in their many forms, including fraudulent emails. But what do they look like?
When a malicious agent decides to carry out an email-based phishing attack on an organization, he or she does so by gathering personal information on one or more individuals within the organization. The most important piece of information is, of course, their email addresses.
These fraudulent email messages will try to convince the receivers that the malicious agent is someone they can trust, like a bank officer or a colleague. Also, the copy aims to create urgency. Some of the ways to accomplish this are:
- Telling the target that his/her account has been compromised and he/she needs to change the password
- Telling the target that a predetermined service is about to go down if he/she doesn’t update the billing information, requesting to submit this sensitive data
- Telling the target that there are issues to solve regarding tax returns and to do so, he/she needs to submit sensitive information
- Telling the target that his/her package is about to go missing and he/she needs to update the shipping address
As we can see, all these scenarios are designed to create a sense of urgency. They touch on matters that are sensitive for all of us, such as compromised accounts and missing packages. Most users will feel the urge to reply or do something about the situation, especially if the criminal has used legitimate information to craft the deceptive message.
This is also where spear-phishing attacks come in. The term refers to phishing emails that use additional resources to increase their effectiveness. A good example is a malicious agent using a legitimate corporate email address to communicate with the target. When we see a domain that we trust, we are far more likely to fall into the trap.
Examples of Phishing Call Attacks
Phishing calls, or vishing attacks, are based on the same principle as phishing emails, except that the target is contacted over the phone. Admittedly, this strays a little outside the online side of social engineering, but it is worth mentioning because this type of attack keeps growing in frequency and success by using information that is partly available on the Internet (think of social media).
The visher, as the malicious party conducting the attack is known, will contact the target with a pretext designed to induce panic. Most of the time, if the criminal has the resources, the call will come from a legitimate-looking phone number, which makes the target more likely to answer.
Just like with phishing emails, the visher will tell the target that there is a serious problem and it needs immediate action in order to be solved.
A common example is telling the person that one of his or her accounts (in most cases, a bank account) has been compromised and that an immediate password change is needed. In the process, the malicious agent asks the target for all kinds of sensitive data.
Another common vishing attack consists of telling the target that he or she has won a prize but that, in order to redeem and receive it, the visher needs the shipping and billing address. Victims, lured by the possibility of a prize, often fall directly into this trap.
How to Prevent Attacks on Your Business
These types of attacks are not going anywhere. On the contrary, they are becoming more popular as people continue to fall victim to them, so the natural consequence is that we will keep seeing them. They have stood the test of time, exposing how naive we can be.
Organizations therefore urgently need to protect themselves from these attacks. Not only is the personal information of the individuals within the organization at stake, but also business data that becomes a liability in a malicious agent's hands.
When it comes to phishing emails, businesses need to start with security measures capable of counteracting these attacks. AI-based filters are being deployed on email servers to block malicious messages in time, removing any chance of an individual falling victim. These filters analyze all the data carried by a message and can tag it as spam with great precision.
The other, and even more decisive, side of prevention is staff education. Individuals within an organization need the knowledge that will let them recognize these attacks. By understanding how the attacks operate and becoming familiar with their features, staff gain the skills to spot an incoming attack. IT professionals can provide resources and in-depth training that allow others in the organization to behave securely both online and offline, protecting themselves against these attacks.
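As an added illustration (not code from the My IT Guy post or from any filtering product it refers to) of the kind of message-level signals such a filter can score, the heuristic below checks a raw email for a mismatched Reply-To domain, a sender domain that imitates a trusted one, and the urgency phrases listed earlier. It assumes a hypothetical trusted domain `example-corp.com` and uses two constructed sample messages.

```python
import email
import re
from email.utils import parseaddr

# Urgency phrases drawn from the scenarios described above (case-insensitive).
URGENCY_PATTERNS = [
    r"account (has been|was) compromised",
    r"change your password",
    r"update (your )?billing",
    r"tax return",
    r"update (your )?shipping address",
    r"immediate(ly)?",
]

# Hypothetical trusted corporate domain, assumed for this example.
TRUSTED_DOMAIN = "example-corp.com"


def domain_of(addr):
    """Return the lowercase domain part of an address header such as 'Name <user@host>'."""
    _, mailbox = parseaddr(addr)
    return mailbox.rsplit("@", 1)[-1].lower() if "@" in mailbox else ""


def looks_like(domain, trusted):
    """Heuristic: True if domain imitates trusted via common digit/letter swaps but is not it."""
    if not domain or domain == trusted:
        return False
    normalized = domain.replace("1", "l").replace("0", "o").replace("rn", "m")
    return normalized == trusted


def score_message(raw):
    """Parse a raw (non-multipart) email and return (score, reasons) for phishing indicators."""
    msg = email.message_from_string(raw)
    reasons = []
    sender = domain_of(msg.get("From", ""))
    reply_to = domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        reasons.append("Reply-To domain %s differs from From domain %s" % (reply_to, sender))
    if looks_like(sender, TRUSTED_DOMAIN):
        reasons.append("From domain %s imitates %s" % (sender, TRUSTED_DOMAIN))
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    for pattern in URGENCY_PATTERNS:
        if re.search(pattern, text):
            reasons.append("urgency phrase: " + pattern)
    return len(reasons), reasons


# Constructed sample messages (not real captures).
PHISH = """From: IT Helpdesk <helpdesk@examp1e-corp.com>
Reply-To: support@mail-recovery.example.net
To: alice@example-corp.com
Subject: Your account has been compromised

Please change your password immediately at the link below.
"""
LEGIT = """From: Bob <bob@example-corp.com>
To: alice@example-corp.com
Subject: Lunch on Thursday

Are you free for lunch on Thursday? The usual place.
"""
```

Running `score_message(PHISH)` flags five indicators while `score_message(LEGIT)` flags none; a real filter would combine many more signals, but the principle of scoring headers and content together is the same.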
At My IT Guy, our team of experienced IT professionals can help protect your organization. Cybersecurity moves fast, and your business needs to keep pace. If you have any questions, please let us know.