Phishing - It's No Longer About Malware (or Even Email)

Sourced by: SANS Institute

Over the past several years phishing has continued to evolve. While many of the emotional lures used to get people to click and fall victim remain the same (covered in more detail below), we have seen changes in both cyber attacker modalities and goals. Here are some of the most common phishing trends we are seeing.


Modalities

Traditionally phishing was done through email. However, we have seen a dramatic shift where messaging technologies are also being used, including Apple iMessage, WhatsApp, and standard SMS. Texting has become increasingly popular with attackers, as many phones lack any type of filtering capability, which means the scams and attacks are far more likely to get through. Also, since text messages tend to be much shorter with little context, it's much harder to confirm what is legitimate versus what is an attack. As such, when training your workforce, emphasize that phishing attacks happen not just over email, but via any messaging technology.


Goals

Traditionally, the goal of phishing attacks was to get people to install malware on their computer, infecting their systems for the cyber attacker. However, malware infections are becoming easier and easier for security teams to detect, so that behavior has radically changed. In today's world we are seeing three different goals of phishing attacks:


  1. Passwords: One of the top goals we're seeing is to get people to click on a link that takes them to a website that harvests their passwords. Once an individual's credentials are stolen, cyber attackers can cause a great deal of damage while operating undetected.
  2. Phone: An increasing number of phishing attacks have no link but a phone number as their point of attack. The cyber attacker's goal is to get the victim to call that number. Once the victim is on the phone, cyber attackers use stories and emotion to pressure people into taking actions, such as giving up their passwords, purchasing gift cards, or transferring money from their bank accounts to accounts controlled by the attacker. Attackers have learned that while these attacks take a great deal more work, since they are not automated, they can be far more successful and profitable: they can fool people out of their checking, savings, or retirement accounts, stealing their entire life savings.
  3. Scams: Many phishing emails have no link or attachment. Instead, the messages are often very short and impersonate someone the victim knows or trusts, such as their boss, a co-worker, or a company with which they work or shop. BEC (Business Email Compromise) attacks are a common example (covered in more detail below).
