Phishing Scams

Chris Swagler | December 22nd, 2022

 

SpearTip recently partnered up with Women in Cybersecurity (WiCyS) to present a webinar discussing the importance of phishing training within companies, primarily how the awareness of phishing scams is the best defense against this most common threat tactic.

The presentation begins with a discussion of social engineering in the modern IT environment. Social engineering describes a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information. Social engineering can be performed through various ways, including analog methods, such as conversations conducted in person or over the telephone, and digital methods, like e-mail or instant messaging. Phishing scams are a technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation, in which the perpetrator masquerades as a legitimate business or reputable person. One of the common forms of phishing, including e-mail phishing with 3.4 billion emails delivered every day and accounts for more than 90% of data breaches.

Other common forms of phishing scams include spear phishing, whaling, smishing, vishing, and angler phishing. Threat actors use the human factor as part of their phishing scams. Threat actors deploy psychology against end users’ brains, creating trust through personalization, and eliciting an emotional response to gain access to valuable data. Once threat actors have access to users’ information or systems, they can exploit them or their businesses. Threat actors’ end goal is always money and end users are the easiest targets. Within the presentation, the importance of how anti-phishing toolsets provide proactive and reactive protection against incoming emails and URLs to prevent end users from opening malicious content is discussed in detail. Anti-phishing toolsets scan emails and URLs, quarantine malicious communication without blocking legitimate emails, and block malicious URLs and file attachments. The toolset has e-mail traffic allow lists that prevent spoofing and help identify threat actors’ attack patterns.

However, almost 19% (or 646 million) of phishing emails bypass some security applications. The lapse in filtering occurs because businesses value the speed of communication and phishing emails don’t always contain malicious URLs, attachments, or links software. Additionally, threat actors are constantly changing their strategies and producing new plays and anti-phishing tools are generally reactive, rather than proactive. Sarah talks about phishing training as mitigation and the 5 things to look for in the tone of communication.

5 Areas To Be Aware of In Phishing Scams

Urgency – Threat Actors want something right now: the longer you think, the more you may question the senders’ legitimacy

Plausibility – Modern phishing attempts are based on real-life, often mundane scenarios

Familiarity – Claiming to be from an authority figure, Using personal details

Confidentiality – An action required needs to be done by users alone; getting others involved risks the scam failing

Quality – Contains obvious and egregious spelling or grammatical errors

With phishing scams and social engineering attacks accounting for the overwhelming majority of how threat actors initiate successful cyberattacks, it’s imperative for businesses and individuals to be thoroughly aware of how phishing scams are designed. These tips will help users enhance cyber awareness and security posture.

Assume Malice and Exercise Caution with Attachments – While attachments are enticing, often containing interesting information, they also hide malicious applications: treat them similarly to links.

Don’t Automatically Trust a Sender’s Display Name: Verify – Threat actors often conduct research before launching a phishing campaign, using trusted “personas” to appear more convincing to recipients.

Scan Links WITHOUT Clicking – Before clicking any suspicious link, hover your mouse over the text to determine where it will actually direct you.

Check for Spelling and Grammar Errors – Most senders, especially businesses with well-established reputations, are careful with spelling and grammar whereas threat actors are not.

Do Not Match a Sender’s Sense of Urgency – Any message requiring users to “act now” or fill out some form “immediately” is trying to take advantage of users.

Assess the Sender’s Motive: Why Do They Want Personal Information? – Large companies with which people do business as well as employees will not ask for sensitive, personal information through text or email.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.

Categories

Connect With Us

Featured Articles

Cuttlefish Malware
Cuttlefish Malware: A New Threat to Routers and Traffic Monitoring
24 May 2024
Security Awareness Training
Security Awareness Training Crucial Role
22 May 2024
Phishing Campaign Assessments
Phishing Campaign Assessments Can Be Effective For Companies
20 May 2024
Incident Response Planning
Incident Response Planning: Why It's Important
17 May 2024

See ShadowSpear in Action

Identify, neutralize, and counter cyberattacks - provide confidence in your security posture

Frequently Asked Questions

What are some common techniques used by cybercriminals to carry out phishing attacks?

Phishing attacks are often carried out through deceptive emails, messages, or phone calls that impersonate a legitimate source, tricking the recipient into sharing sensitive information such as passwords or credit card details. These attacks can also involve creating fake websites or social media profiles that appear legitimate but are designed to steal personal information.

How can individuals and businesses protect themselves from falling victim to phishing scams?

There are several steps that individuals and businesses can take to protect themselves from phishing scams, including being cautious when clicking on links or opening attachments in emails from unknown sources, verifying the legitimacy of emails or messages before responding, and regularly updating passwords and security software.

What are the potential consequences of falling victim to a phishing scam, both for individuals and businesses?

The consequences of falling victim to a phishing scam can be severe, ranging from financial losses to identity theft and damage to personal or corporate reputations. In addition to financial losses, phishing attacks can also result in the loss of sensitive data, intellectual property, or trade secrets, which can have long-term impacts on individuals or businesses.

Stay Connected With SpearTip

Inside the SOC Newsletter

View our articles that cover trending topics in cybersecurity with insights from our 24/7/365 Security Operations Center.

ShadowSpear Platform

Cybersecurity actors are working around the clock, shouldn’t your security team be too? Technology solutions and security controls fail for a number of reasons, poor deployment, improper implementation, or just no one monitoring the alerts.

ShadowSpear Demo

Experience ShadowSpear for yourself. Our lightweight, integrated solution will help you sleep easier at night and provide immediate confidence in your security posture.