The names hackers give their various tactics may sound fun, but these attacks can kill a company just as easily as they can ruin an individual.
Whether we’re talking about vishing, smishing, spear phishing, or whaling, you need to know the danger each of them poses to your attack surface. We’re all in this together, and the more we can approach cyber best practices as a group, the safer we all will be. An affected individual today can be tomorrow’s hacked business.
The operative phrase here is “social engineering,” which is shorthand for any call to action online that tricks a user into opening the virtual “door” for a criminal.
Here’s what you should know about the major forms of attack in use today:
Phishing
Phishing is probably the best-known form of social engineering and one of the most common methods of attack; it makes regular headlines.
Phishing often, but not always, relies on a simple method. Emails are sent under false pretenses, for example posing as a message from the IRS or a utility company, typically to many targets at a time. The goal of a phishing attack is usually to get a victim to reveal their logins and passwords, and possibly their payment information.
“In its simplest form, phishing is the practice of sending a link via email or text or embedding a link on a website that, when clicked, downloads malware onto the user’s device as well as any other devices that are connected to the same network,” says CyberScout founder and chairman Adam Levin.
“From there, any number of things can happen. There are viruses that send hackers your most sensitive logon information, and others that recruit your machine into a botnet used to send illegal spam through networks that can create enough computing power to disable important servers. Your privileged access at work can be grabbed to transfer funds, hijack databases loaded with sensitive customer and employee information or steal intellectual property.”
While it is possible to train employees and family members alike to spot phishing attacks, phishing emails have become more sophisticated and harder to detect in recent years. The telltale signs used to be easy to spot: the domain name would differ from that of the company or organization the email purported to come from (these days clever misspellings are deployed that are hard to notice), and simple typographical errors suggesting non-fluency were another giveaway. Today, your best bet is to inspect URLs carefully, and to consider navigating to whatever is being linked to through a search engine rather than clicking the link.
A study of phishing attacks conducted between October 2018 and March 2019 found that over 70% were carried out with the theft of credentials in mind. Credentials can be lucrative for a hacker. Consumers often use the same credentials on multiple sites, which opens the door to financial fraud. Credentials also come in handy when a hacker is looking to steal proprietary information from a company, or the personally identifiable information it stores, which can then be used to commit identity theft.
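The URL-inspection advice above can be turned into a simple automated check. The script below is an added example written for this article, not code from the article's author or from CyberScout: it pulls every link out of a constructed HTML email, compares the domain the link text displays with the domain the href really points to, and checks the real domain against a small assumed allowlist of expected senders for confusable characters, embedded brand names, and one-character typos. The allowlist, the confusable table, and the sample email are all assumptions made for the example.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the reader legitimately expects mail from (constructed allowlist
# for this example; an organization would use its own list).
KNOWN_DOMAINS = {"irs.gov", "paypal.com", "microsoft.com"}

# Character swaps that make a lookalike domain read like the real one at a glance
# (assumed table, deliberately small).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# Matches link text that is itself a bare URL or hostname, e.g. "https://www.paypal.com/".
URL_TEXT = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


def registrable_domain(host):
    """Last two labels of a hostname ("www.paypal.com" -> "paypal.com").
    Deliberately naive: multi-part suffixes such as co.uk are not handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize(domain):
    """Fold confusable characters so "paypa1.com" compares equal to "paypal.com"."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def lookalike_of(domain):
    """Return the known domain that `domain` imitates, or None when it is either
    the genuine domain or unrelated to every known one."""
    if domain in KNOWN_DOMAINS:
        return None
    tokens = set(re.split(r"[.-]", domain))
    for known in sorted(KNOWN_DOMAINS):
        brand = known.split(".")[0]
        if normalize(domain) == normalize(known):            # confusable characters
            return known
        if brand in tokens:                                  # brand embedded: microsoft-support.net
            return known
        if SequenceMatcher(None, domain, known).ratio() >= 0.9:  # one-character typo
            return known
    return None


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def inspect_links(html):
    """Return one finding per suspicious link: the real target domain, the domain the
    visible text claims (when the text is a URL), and which known domain it imitates."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not href:
            continue
        actual = registrable_domain(urlparse(href).hostname or "")
        shown = None
        if URL_TEXT.match(text):
            as_url = text if text.lower().startswith(("http://", "https://")) else "http://" + text
            shown = registrable_domain(urlparse(as_url).hostname or "")
        imitates = lookalike_of(actual)
        if imitates or (shown is not None and shown != actual):
            findings.append({"href": href, "actual_domain": actual,
                             "shown_domain": shown, "imitates": imitates})
    return findings


# Constructed sample message for the demonstration (not a real phishing email).
SAMPLE_EMAIL = """
<p>Your account has been limited. Restore access at
<a href="http://paypa1.com/secure">https://www.paypal.com/</a> within 24 hours.</p>
<p>Need help? Visit <a href="https://microsoft-support.net/help">our help center</a>.</p>
<p><a href="https://example.org/unsub">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    for finding in inspect_links(SAMPLE_EMAIL):
        print(finding)
```

Running the script flags the first two links (the displayed PayPal URL hides a confusable-character domain, and the help-center link carries a brand name inside an unrelated domain) and leaves the unsubscribe link alone. The two-label domain rule and the tiny confusable table are simplifications; a production filter would use the public suffix list and the organization's real sender list, and would treat a flag as a reason for a human to look rather than as proof of fraud.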
Vishing
Vishing (or voice phishing) is similar to a phishing attack, but it is conducted over the phone. Scammers will often call targets from a phony (or spoofed) phone number, typically claiming to be representatives of banks or financial organizations alerting the target to an account issue. Other pretexts include loan offers, employment opportunities, and debt collection, but the goal is consistently to get the target to provide information about their accounts and even wire money.
“Vishing is how hackers take advantage of phone number databases... They’ll call you and claim to be from your bank (they just need your account number and routing information), the IRS (just confirm your Social Security number) or even Microsoft (just let them log into your PC remotely) to try to gain access to your personal or financial information or even install malware on your devices,” says CyberScout Founder Adam Levin.
Vishing attacks target private individuals more often than organizations: a report by the Stanford Center on Longevity found that senior citizens are 34% more likely to be targeted by scammers. The grandparent scam is the most common. It is a simple form of social engineering that works on an emotional level: a senior citizen is called by someone pretending to be a grandchild in need of immediate financial help (the most frequent requests are for money to be wired or for retail gift cards).
Spear Phishing
Spear phishing is a form of social engineering that targets specific people, or specific positions within organizations. Whereas most phishing attacks use a “spray and pray” method, sending scam emails in bulk and accepting a low success rate, spear phishing is carried out with some knowledge of the target. Spear phishing emails are often personalized by name, appear to come from a known co-worker or associate, and typically try to induce their target to open a file or attachment.
“[H]ackers will go through lists of contact data looking for people that seem either more vulnerable to phishing tactics or more important – like people who work at financial services companies – and send them tailored emails that appear to come from specific, important people they know. They’re often asked to click on links or download seemingly innocuous files and – bam! – the hackers are in,” says Levin.
The goal of spear phishing is less often to extract information from a target than to compromise the target’s computer or network as a launching point for a larger data breach. A recent study asserts that up to 91% of data breaches within organizations start with a spear phishing email.
Whaling
Whaling is similar to spear phishing, but directed toward upper management and C-suite positions at a company or organization. For obvious reasons, the greater value to a scammer renders their target a “whale” rather than a “phish.”
Whaling scams are a major factor in business email compromise (BEC) scams. According to the FBI, BEC scams cost companies more than $12 billion in domestic and international losses between 2013 and 2018. No industry or level of technical proficiency can grant an organization immunity from BEC because, as CyberScout Founder Adam Levin points out, “avoidable mistakes are what feed the predators in this cyber eco-system of trickery and human fallibility.”
In 2019, both Facebook and Google were scammed out of $100 million.
Smishing
Smishing stands for SMS phishing, and is directed toward mobile device users. Many of the social engineering methods associated with phishing are used here. The attacker will pretend to be a representative of a familiar organization or business. Sometimes the target will be asked to download an app or open a link. Individuals are more often the victims of smishing exploits, but large organizations can be targeted, too, as famously occurred with the alleged hack of Amazon CEO Jeff Bezos’s phone via a link sent through WhatsApp.
“The smishing text informs you that someone has tried to access your account or it’s been frozen (again don’t get caught up on the details, the account or anything else), and your password or some other data needs to be updated. There’s a link to use where you can authenticate yourself by entering your personal information (for example, your Social Security number), and secure your account,” says CyberScout Founder Adam Levin, adding “if you regularly use your smartphone to access the internet, bear in mind that there are hidden dangers everywhere, and pause before you pounce on text warnings.”
The sheer number of variations on the term phishing may sound excessive, but each does represent a new and potentially catastrophic threat to businesses and their data. The likelihood that any of us will see at least one new form of “-ishing” in the near future is high, and we all need to plan accordingly.
Companies and organizations should invest sufficient resources in employee training so that everyone in an organization, from the mailroom to the boardroom, knows how to recognize cyber threats, and particularly phishing schemes. While the techniques and methods used in “-ishing” scams are getting more sophisticated all the time, the tried-and-true countermeasures are still effective:
Practice good password hygiene. People are still re-using passwords, and that is a welcome mat for hackers.
Use two-factor authentication. Many companies still don’t require two-factor authentication for accounts.
Be careful! Employees are still wiring money without following up person-to-person to confirm requests.
Training alone won’t prevent social engineering. A growing number of email services deploy AI technologies; while not perfect, AI is getting better at identifying scam and phishing emails.
It is also a good idea to invest in digital certificate technology to confirm that emails sent from colleagues are legitimate.
Finally, cyber-risk insurance and identity protection for employees should be a standard part of company policy and benefits packages, and identity theft resolution should always be included in the array of employee benefits offered through your human resources department.
Individuals should follow what CyberScout Founder Adam Levin calls the Three M’s of cybersecurity: Minimize, Monitor, and Manage.
Minimize the risk of exposure by practicing good cyber hygiene, not sending sensitive information over email or an unencrypted connection, and being skeptical of any message alerting them to “urgent” issues with their accounts.
Monitor accounts by checking credit and bank accounts, signing up for alerts, and double-checking every transaction. Many victims of phishing scams aren’t aware that they’ve been had until weeks after the fact.
Manage the damage by reporting scams to the proper authorities, signing up for identity theft protection when possible, and changing logins and passwords if they suspect they’ve been breached.
By Travis Taylor