PHILADELPHIA (PRWEB) May 01, 2020
What is Phishing? If this is an unfamiliar term, it is time to get caught up, and quickly. As defined by Merriam-Webster, phishing is a scam by which an Internet user is duped (as by a deceptive e-mail message) into revealing personal or confidential information which the scammer can use illicitly. With the new reality of working from home due to COVID-19, there has been an alarming increase in the number of attempted phishing attacks.
For some time now, phishing schemes have been hackers’ go-to method of cyber-attack, partially due to the ease with which existing emails, text messages, and other communications can be mimicked. COVID-19 has created an environment of uncertainty and an increased number of access points, which bad actors have already exploited and will continue to exploit. Capsicum focuses on serving client needs and wants to provide a playbook on how to identify and avoid phishing attacks.
Types of Phishing Attacks:
While phishing attacks are most commonly known for being in email form, that isn’t the only way bad actors are presenting this method of cyber-attack:
1) Email Phishing
When the term phishing is referenced, it is more than likely email phishing. This style of attack is by far the most common due to its ease of creation and the ability to distribute it to large numbers of people. Bad actors will send emails from what appear to be familiar domains, but with minor changes, hoping to trick the individual into thinking this is a trusted email. An example of this might be receiving an email from Susan@gmail.co instead of Susan@gmail.com. If a person is not paying attention, they might not realize that the ‘m’ is missing in the first email address and end up believing future communications are taking place with a familiar source.
2) Spear Phishing
Like the above-mentioned email phishing, this type of attack also occurs through email, but with an added layer of sophistication. These attacks target a specific individual, often with the bad actors having some personal information about their target. An example would be an email addressed to a recipient that appears to be from a retail store the individual recently has ordered from; however, the retail brand and logo are spoofed and the email is designed to harvest login credentials.
3) Whaling
This form of phishing attack targets “bigger fish,” often senior executives who have increased levels of decision-making power. While the end goal is the same as an email or spear phishing attack, these attacks are often more thought out, using items such as tax forms in attempts to gather PII (Personally Identifiable Information). With access to executives and high-ranking individuals, bad actors believe they will be able to inflict maximum impact.
4) Smishing
Though many of the attacks people are probably familiar with involve emails, this type of attack involves hackers sending text messages to their targets. Sometimes these come in the form of payment requests; other times, these come in the form of promotional offers asking a person to share sensitive/personal information or that of their contacts.
5) Angler Phishing
This type of attack leverages social media in an attempt to have a person access fake URLs, cloned websites, posts, etc. For instance, when a customer of a restaurant, retailer, or banking institution airs a grievance about the company over social media, a hacker using angler phishing tactics can masquerade as a customer support agent for the company. They can then message the disgruntled customer in an attempt to deceitfully elicit the customer’s personal account information. Angler phishing is a newer method of attack being used by bad actors, but it cannot be ignored. Social media isn’t going away anytime soon; if anything, it is becoming more prevalent in our everyday lives.
How to Identify and Evade Phishing Attacks:
Now that different types of phishing attacks have been covered, let’s dive into some best practices to follow in attempts to handle them:
1. Always check the sender: A good habit to get into is checking the sender each time an email, text message, or other form of communication is received. While this may seem like an unnecessary and cumbersome task, it has the potential to pay enormous dividends. As mentioned earlier, hackers will often mimic commonly used email addresses and change just one character in attempts to trick their target.
2. Hyperlinks: Checking hyperlinks prior to selecting or sharing them with others is also crucial. First ask if the received link from the sending individual was expected. Next, review the actual link to make sure there are no misspellings. Don't hesitate to reach out to the purported sender and ask if the communication or link is legitimate.
3. Sense of Urgency or Too Good to be True: Offers or requests that are too good to be true probably are. A common tactic is to create a sense of urgency by placing an expiration date on said offer in attempts to get a person to act without thinking. As an example, consider receiving an SMS message from an unknown third party claiming to be offering a $100 gift certificate to Starbucks for sharing the message with eighty-five other individuals. This promotion attempted to raise a sense of urgency by noting that it would expire within the hour, with the goal of gaining access to contacts and their private information.
While Capsicum has provided some tips and techniques on how to identify and avoid phishing attacks, it is important to continuously enhance one's knowledge. As hackers continue to evolve their techniques, there is a duty to evolve. Monitoring various trusted government sites such as The Cybersecurity and Infrastructure Security Agency, The Federal Trade Commission, The National Cyber Security Centre, The Australian Cyber Security Centre, and others for updates is a valuable way to self-educate in an effort to stay ahead of hackers.
Need assistance, been the victim of a phishing attack, or have a question? Please contact Capsicum Group at 215.222.3101.
Capsicum was founded in 2000 within the law firm of Pepper Hamilton, LLP. Charged with providing technology consulting support to their clients, we soon realized that the need to understand, collect, and forensically analyze digital data went far beyond what Capsicum was handling: Capsicum began as general technologists, but quickly became specialists in digital forensics. Areas of expertise soon evolved and expanded into forensic investigations, cybersecurity, discovery, electronic and paper recovery, security, regulatory compliance, and incident response retainers. In 2002, Capsicum became the independent consulting company that focuses on these core services. Employing high-caliber experts and a unique understanding of data, technology, and the law, we support organizations that need technological proficiency to run their companies and when they come face-to-face with difficult tech, legal, and regulatory situations. Capsicum is headquartered in Philadelphia, PA with offices in New York, Florida, Texas, and California.