Phishing has quickly become one of the most common risks on the internet with even the most tech-savvy organisations and mindful individuals falling victim to these attacks. The Anti-Phishing Working Group (APWG) says it observed a record-breaking 250% surge in phishing attacks between October 2015 and March 2016.
The Cambridge dictionary defines ‘Phishing’ as “an attempt to trick someone into giving information over the internet or by email that would allow someone else to take money from them, for example by taking money out of their bank account”. The first step of any phishing scam is social engineering. This involves subconsciously manipulating the human element of technology to gain personal information and can sometimes utilise malware to do so.
APWG says the findings are the highest it has seen since the coalition first began tracking and reporting on phishing back in 2004. According to its latest report, the number of unique phishing websites detected in Q1 totalled 289,371 with more than 123,000 of those sites being discovered in March 2016 alone.
However, phishing is just the tip of the iceberg. There is a wide range of different types of social engineering that involve different ways of manipulating or tricking people into releasing private, personal or corporate information.
Pretexting is a form of social engineering where the attacker’s main focus is on creating a good pretext or fabricated scenario. Attackers will use this opportunity to attempt to steal their targets personal information by pretending that they need a certain piece of data from their target in order to confirm their identity. This type of phishing scam requires the attacker to try and build credibility and illustrate a story with their victim that leaves little to no room for doubt.
Some more advanced forms of pretexting attacks will also try to manipulate their victim into performing actions online that enable them to exploit a digital weakness of a company or organisation. This type of scam can be used to obtain both sensitive and non-sensitive information pertaining to personal or business information.
An attacker can use this type of scenario to manipulate their target into divulging a range of information. They can use false credentials and background stories in order to sell their story and gain trust. This can be anything from impersonating a service engineer in order to obtain access into a secure building, to posing as a modelling agent or talent scout online in order to obtain sensitive images of people.
Other similar scams such as Quid pro-Quo will promise their targets certain benefits in exchange for information, this can take the form of a service. Such as a fraudster who impersonates IT service professionals calling companies and organisations to offer IT assistance. They can offer quick fixes to IT problems if they are enabled to gain access to the users system, often installing malware under the disguise of software updates. However, this type of scam can also be as simple as the enticement of a freebie or prize entry in exchange for their password in a context where they don’t realise the possible impact of the information they are willingly handing over.
Baiting is, in many ways similar to other phishing scams, but the key differentiating factor that separates it from other methods of attack, is that they use the promise of goods to entice their targets. This type of scam is more common than you think and can be as simple as the promise of a free downloadable movie file in exchange for your login details to a different website. With many platforms utilising ‘login with’ features, even the most cautious web users can be caught out.
Hackers who engage in social engineering attacks usually prey on the human psychology and curiosity in order to compromise a target’s information. With this human-centric focus in mind, it’s up to the users and employees of companies and organisations to counter these types of attacks. Here are a few tips on how users can avoid social engineering schemes:
- Don’t open emails from unknown or untrusted sources
- If you receive an email from a person or organisations you know but the message seems unusual, ensure that you contact them directly using another method in order to confirm that they sent you the email
- Don’t click on any links, open or download any attachments within any unsolicited emails
- Don’t give offers from strangers or unknown sources the benefit of the doubt – if they seem too good to be true, they usually are
- Always lock your laptop when you’re away from your desk
- If you receive an email that asks you to login to your online account through a link provided within the email, ensure that instead of clicking on the link, you open a new browser and go to the company’s website directly
- Ensure that you have an anti-virus solution in place. No software can defend against every threat, but they can help to protect against the majority and can even alert you when your device has been compromised
If you’d like to find out more on how Smoothwall’s solutions can help your company protect their online assets, get in touch with us today.