4 Most Common Types of Phishing Attacks & 6 Security Best Practices

We’ve recently been told by many of our clients that they want to be better informed about prevalent phishing attacks so that they can proactively educate their team and protect against such attacks.

It is easy to see where that concern comes from. Industry-wide, 91% of security breaches begin with phishing or spear phishing (Source: Wired), and Verizon’s 2017 Data Breach Investigations Report found that one in 14 people clicked a link or opened an attachment in a phishing message.

To help those organizations, this blog looks at the four types of phishing attack an organization is most likely to see, and six security best-practice tips.

4 Common Types of Phishing Attacks

Here are the four common types of phishing attacks, in greater detail:

Deceptive Phishing

  • What It Is: Deceptive phishing is the most common type of phishing attack. It refers to any attack in which the attacker impersonates a legitimate company in an attempt to steal your personal information or login credentials. The email contains a link to a fraudulent website whose URL is almost identical to the official one (typically only one character is out of place), and the site is built to look like the real login page so that whatever you type is sent to the attacker.
  • An Example: You get an email from a bank claiming that your account will be frozen unless you click the link provided and enter your account information.

Spear Phishing

  • What It Is: Spear phishing is a far more personalized way for attackers to get to you. They customize their emails with your name, position, company, work phone number or other personal information that is available online (typically from company websites or social media platforms like LinkedIn), in an effort to make you believe they have a connection with you. Their goal is to lure you into clicking a malicious URL or opening an email attachment, which in turn gives them your credentials or a foothold on your machine. According to this detailed Forbes article, the most effective spear phishing attacks are often the simplest: they mimic the normal day-to-day operational activities of your own role within the organization.
  • An Example: You get an email that’s supposedly from your organization’s HR department asking you to verify your benefits policy information.

CEO Fraud

  • What It Is: CEO fraud starts either when the attacker has successfully spear phished a CEO or other top executive (targeting an executive is known as “whaling”) and stolen his or her login credentials, or when the attacker registers a new domain name that is off by one letter or number from the real one and sends mail carrying the CEO’s name and signature. In either case the email, apparently from the CEO, asks an employee to wire funds to an account of the attacker’s choosing. These attacks rarely set off typical spam filters because they are not mass-mailed; the victims are carefully targeted by the attacker.
  • An Example: You get an email that’s supposedly from your CEO saying they need you to wire transfer the money, and to let you know when you’re free so they can send you the information of where it needs to go.

Malware-Based Phishing

  • What It Is: Malware-based phishing is when the attacker sends an email attachment or downloadable file that either exploits a security vulnerability on the user’s machine or relies on the user to run it. When the attachment or file is opened, it triggers the malicious software embedded in it. Malware (including computer viruses, worms, Trojan horses, ransomware and other malicious programs) then runs on the host computer and, in some cases, spreads to other machines on the network to infect them (as in the recent “WannaCry” and “GoldenEye” ransomware attacks).
  • An Example: You get an email from someone you don’t know asking you to download an invoice.
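The three patterns above (a sender domain one character off from a real one, an executive’s name on a message that does not come from that executive’s mailbox, and an executable or macro-enabled attachment) can all be checked mechanically before a message reaches a user. The script below is an added example, not ProServeIT’s tooling or any product mentioned on this page. It assumes a hypothetical organization at example.com with one executive on record, and the two messages it parses are constructed for the example.

```python
"""Inbound-mail triage for the three phishing patterns described above (added example)."""
import os
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Assumed configuration for a hypothetical organization at example.com.
TRUSTED_DOMAINS = {"example.com", "bank-example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> real mailbox
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}
LOOKALIKE_THRESHOLD = 2                              # max edits to count as a lookalike


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if `domain`
    is trusted itself or is not within LOOKALIKE_THRESHOLD edits of any trusted domain."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(domain, trusted) <= LOOKALIKE_THRESHOLD:
            return trusted
    return None


def executive_impersonation(display_name: str, address: str) -> Optional[str]:
    """If the display name is an executive's but the address is not that
    executive's real mailbox, return the real mailbox; otherwise None."""
    real = EXECUTIVES.get(" ".join(display_name.lower().split()))
    if real and address.lower() != real:
        return real
    return None


def risky_attachments(raw: str) -> List[str]:
    """Attachment filenames whose final extension is executable or macro-enabled.
    splitext() keeps only the last extension, so 'invoice.pdf.exe' is caught."""
    found = []
    for part in message_from_string(raw).walk():
        filename = part.get_filename()
        if filename and os.path.splitext(filename.lower())[1] in RISKY_EXTENSIONS:
            found.append(filename)
    return found


def triage(raw: str) -> List[str]:
    """Run all three checks over one RFC 822 message and return readable findings."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    findings = []
    trusted = lookalike_domain(domain)
    if trusted:
        findings.append(f"sender domain {domain!r} is a lookalike of {trusted!r}")
    real = executive_impersonation(name, addr)
    if real:
        findings.append(f"display name {name!r} belongs to {real!r}, not {addr!r}")
    for filename in risky_attachments(raw):
        findings.append(f"risky attachment {filename!r}")
    return findings


# Constructed sample messages (not real mail): a CEO-fraud style lure with a
# one-character-off domain and a double-extension attachment, and a clean one.
SAMPLE_SUSPICIOUS = """\
From: "Jane Doe" <jane.doe@examp1e.com>
To: accounts@example.com
Subject: Urgent wire transfer
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please pay the attached invoice today and confirm when it is done.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

TVqQAAMAAAAEAAAA
--b1--
"""

SAMPLE_LEGIT = """\
From: "Accounts Payable" <ap@example.com>
To: accounts@example.com
Subject: Monthly statement

The May statement is available on the finance portal.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_SUSPICIOUS), ("legit", SAMPLE_LEGIT)):
        print(label, triage(raw) or ["no findings"])
```

Two caveats when adapting this. An edit-distance threshold of 2 produces false positives against very short trusted domains, so tune it per domain length or compare only the registrable part. And a domain written with non-ASCII look-alike characters arrives in headers in punycode (`xn--…`), so decode it to Unicode before comparing; a plain string comparison on the encoded form will not see the resemblance. These checks are a triage aid layered on top of, not instead of, sender authentication (SPF, DKIM, DMARC).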

6 Tips – How to Protect Your Business From Hackers

TIP 1. Educate your employees.

The majority of cyberattacks start with a phishing email, website or phone call. Basic training is therefore an effective way to stop low-level threats, and educating your employees on your protocols, policies and procedures is a good first step in preventing cyberattacks.

TIP 2. Keep software up to date.

Up-to-date security software, web browsers and operating systems are the first line of defense against viruses, malware and other online threats: a patched system removes the known vulnerabilities that malware-based phishing attachments rely on. Getting advice from experts on your IT infrastructure, to see what can be done to keep it current and safe, is recommended.

TIP 3. Backup and encrypt your data.

Backups and encryption protect against different outcomes. A backup kept separate from your production systems (offline or otherwise isolated, so that ransomware cannot encrypt it too) lets you restore your data after an incident such as a ransomware infection without paying. Encryption protects the confidentiality of data that is stolen or lost: an attacker who exfiltrates encrypted files, or a laptop that goes missing, does not expose the contents as long as the keys are stored separately and kept secure.

TIP 4. Have a plan.

Reactive measures alone are not enough to protect your organization from data and revenue loss, so whether it’s a disaster recovery and business continuity plan or a formal security policy, businesses should be proactive. Even something as simple as a password policy will slow down attackers (think of it as the same kind of deterrent as a security-alarm sticker on your front door).

TIP 5. Consider cybersecurity insurance.

Insurance exists to transfer risk. Cyber liability insurance is designed to protect your business from the fallout of cyberthreats. It comes down to ROI: is the cost of the premium justified by the potential payout on cyber-losses?

TIP 6. Utilize the right tools.

In today’s advanced threat environment, using the right tools is extremely important. Traditional signature-based anti-virus on its own can’t protect you from advanced threats like ransomware. Here are three tools you can utilize:

  • Microsoft Advanced Threat Analytics (ATA) allows for visibility and protection against advanced attacks by automatically analyzing, learning, and identifying (ab)normal behaviour. Watch an on-demand webinar if you want to learn more.
  • Office 365 Advanced Threat Protection (ATP) allows you to protect your organization’s mailboxes in real time against unknown and sophisticated attacks. It protects your mailbox against any unsafe attachments and malicious links. See more details about Office 365 ATP.
  • Windows 10 was designed to be the most secure version of Windows yet, removing attack vectors that cybercriminals and hackers depend on. You can take advantage of a Windows 10 Compatibility Workshop to get to know more about Windows 10, or participate in an IT Security Assessment & Roadmap Workshop to see how you can quickly improve your organization’s overall security.

About ProServeIT

As a multi-award-winning Microsoft Gold Partner, ProServeIT has been helping organizations of all sizes increase their efficiency, eliminate their “IT debt” and apply a security lens to everything they do. ProServeIT understands that every organization has different needs and challenges, and will work with you to understand your organization’s culture, your customers, and what’s most important to you as a company. Providing customized solutions that help you simplify your IT infrastructure, increase your team’s productivity, and grow your business, ProServeIT can use their expertise and experience to digitally transform your business.