Because phishing email attacks are always evolving, below are 6 types of phishing attacks to watch out for in 2019.
1) Vishing (voice + phishing = vishing): Vishing is an attempt to obtain private and sensitive information over the phone. Scammers use robocalls or real people to call and convince victims to share their information. The majority of reputable government entities, organizations and companies will not ask for personal information over the phone.
2) Smishing (SMS + phishing = smishing): Like phishing, smishing uses cell phone text messages to lure victims. The texts often contain a malicious link, a phone number or a URL. If a phone number is used, the criminals will usually set up an automated voice response system behind it. Valid business messages rarely arrive via text unless you know in advance that you are expecting one.
3) Drive-by download: A user does not need to click on anything, or open or download an email attachment, to become infected. A drive-by download is malicious code delivered to a computer or mobile device that leaves the device vulnerable to attack. It takes advantage of an app, system or browser that has security flaws. Devices that have not been updated are usually the most vulnerable, so keep your security patches and software upgrades up to date.
4) Malware-based phishing: This is a particular problem for small and medium businesses, which do not always keep their software and application patches up to date. The malware is introduced by getting malicious software to run on a user's device, typically by exploiting unpatched vulnerabilities. Automated patch update services (SaaS) can take care of this affordably and effectively.
5) Whaling: This attack targets high-profile employees, such as the CEO, CFO, COO or other senior management positions. Because of the more official or serious look of the scam and the seniority of its target, the attack is considered a "big phish" or "whale". Never conduct an important business transaction on the basis of one email exchange alone; verify via phone or a separate email thread.
6) Pharming: Pharming involves getting a victim to surrender personal and sensitive information via a fraudulent website. Provide PII online only by navigating to the website yourself (rather than clicking on an email link sent to you), and only after an exchange of credentials and account specifics that you have set up previously.
Here are a few basic steps and guidelines to consider to stop major types of phishing attacks:
- Think in layers and develop defenses in the email network. This means having multiple security controls in place to cover vulnerabilities, through the use of firewalls, endpoint protection, user awareness training and secure gateways.
- Think before clicking on an unexpected message or link. When in doubt, go directly to the source before clicking on something that could be dangerous.
- Ongoing security awareness training and simulated phishing attacks for users are a great way to keep them prepared and well informed. KnowBe4 is a cybersecurity awareness and training platform that can help train employees to better manage the critical IT security problem of social engineering. Read Mike Ferris's product review of KnowBe4 and see how it can make your organization more secure.
- Use a behavior-based endpoint protection solution (an approach that protects the client devices connected to a computer network). Using an endpoint protection tool from Symantec, Panda or Forcepoint, for example, will add an additional security layer.
- Install an anti-phishing toolbar. These are small services that can be rather valuable in protecting a user from a known phishing attack. Anti-phishing tools are offered by Netcraft, Barracuda and Earthlink (Spamblocker).
To learn more about preventing different types of phishing attacks, read 3 Ways E-mail Phishing Attacks Have Evolved.