November 06, 2023

How to Recognize and Avoid Phishing Scams

Giving you and your employees a good grasp of what online phishing tactics look like ideally turns all attempts into big red flags — to be reported to management, of course!

Despite the vast array of methods used to steal pertinent data from companies, most of them have similar traits that make them easy to identify. All phishing methods originate from a source that is not entirely "right." The bells and whistles of regular communication are often missing, and you or your employees will witness odd grammatical mistakes, false employee portals, deceptive websites, or odd calls to action that you otherwise wouldn't encounter.

Ideally, your employees should not only recognize a phishing attempt quickly but also bring it to a manager's attention, so that awareness spreads and an IT professional can tighten security measures wherever applicable. One way to get your business up to this level is to educate your team on the more common phishing methods, including:

  • Email Phishing
  • Spearing
  • Whaling (CEO Impersonation)
  • Smishing/Vishing

There are more types of phishing, but these are the most common methods that can be combated with penetration testing, multi-step authentication, and data encryption, which makes them the most valuable educational examples for your team. Knowing each kind of attack is helpful because phishing techniques keep evolving alongside our technologies and remain a considerable threat.

Email Phishing

This method is incredibly common, as all the sender needs in order to reach you is your email address, and unlike a text message, an email can appear much more formal. Email phishing attacks typically succeed because the senders use company logos, formalized signatures, and convincing domain names to appear professional.

Phishing emails will often include a call to action, appear frantic, and impose some kind of deadline or company emergency. With email phishing scams, it is crucial to save the information you obtain about the sender and to have your employees tell you when they receive such an email.
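The red flags described above (a sender domain that is a near miss of a real one, a display name that borrows the company's brand while the address is external, and pressure language in the subject and body) can be checked mechanically before a message reaches an inbox. The following is an added example, not code from the original post; the sample message, the trusted domain "example-corp.com", the lookalike "exarnple-corp.com" and the phrase list are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the original post). The sender domain
# "exarnple-corp.com" is a hypothetical lookalike of "example-corp.com", which
# stands in for the organisation's real domain.
SAMPLE_EMAIL = """\
From: "Example Corp Payroll" <payroll@exarnple-corp.com>
To: staff@example-corp.com
Subject: URGENT: confirm your account before 5pm today
Content-Type: text/plain; charset="utf-8"

Your payroll access will be suspended unless you verify your details
immediately. Act now to avoid losing access.
"""

TRUSTED_DOMAINS = {"example-corp.com"}  # assumption: your organisation's real domains

# Assumed list of pressure phrases; tune it to the wording your staff actually see.
URGENCY_PHRASES = ("urgent", "immediately", "act now", "suspended",
                   "before 5pm", "deadline", "final notice")


def edit_distance(a, b):
    """Levenshtein distance; a small value between two domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # deletion
                           cur[j - 1] + 1,            # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_domain(domain, trusted, max_distance=2):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= max_distance:
            return t
    return None


def _alnum(s):
    """Lowercase and strip everything but letters and digits, for loose brand matching."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def phishing_indicators(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable red flags found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings = []

    imitated = lookalike_domain(domain, trusted)
    if imitated:
        findings.append(f"sender domain {domain!r} is a near miss of trusted {imitated!r}")

    # Display name borrows a trusted brand while the actual address is external.
    if domain not in trusted and any(_alnum(t.split(".")[0]) in _alnum(display_name) for t in trusted):
        findings.append(f"display name {display_name!r} claims a trusted brand, address is @{domain}")

    hits = [p for p in URGENCY_PHRASES if p in text]
    if len(hits) >= 2:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

A single hit on the phrase list is deliberately not reported, since ordinary business mail uses words like "deadline" all the time; it is the combination of a near-miss domain, a borrowed brand name and stacked pressure language that should be escalated to management and IT.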

Spearing

Spearing is a method that will probably overlap with other methods, because how the information is gained is the key, rather than the means of communication. Spearing is when a cybercriminal uses publicly available information to impersonate or target an employee. This can include telephone numbers, shift details, or email addresses.

Spearing is, in a way, a level up from the more generic email phishing in that it may seem more internal. You can prevent many spearing attacks by using a formalized communication hub for your business. If an official penetration tester can approve your hub for communications, then you are ready to protect yourself from Spearing.

Whaling (or CEO Impersonation)

Whaling is a form of impersonation that, similar to spearing, relies on OSINT (open-source intelligence) to gather information about a company. What makes this method so potent is that the information collected in whaling typically concerns a C-level executive or the CEO. This type of attack aims for the head honcho and, when successful, leads to incredible amounts of damage.

This is a particularly lethal type of attack, and the damage is often so thorough that CEOs have been known to be fired from companies after the losses occur.

Smishing or Vishing

These two phishing methods are similar in that they both rely on phones, but the mechanics differ: one relies on text messages while the other relies on phone calls.

Vishing uses a phone call and typically also creates some kind of sense of urgency. For example, many phone calls from scammers happen around tax season, and they encourage recipients to hand over pertinent personal information. Your team can most often identify vishing attacks when they see that a phone number that claims to be someone involved in a delivery process does not have the correct area code. Having a secure database for communication helps to halt vishing.

Smishing is the use of text to either obtain critical information or install malware. Sometimes smishing can coincide with other attacks, such as spearing. Those who employ smishing may include malware links or links to imposter portals that collect employee information.

Notable Mentions

Angler Phishing

Angler phishing employs the use of social media to do basically what more common attacks against corporations do. You or your employees may be added to a post that claims to be associated with your business. If, for example, Facebook messenger is used, your employees may be sent malicious links by somebody impersonating your business.

Pharming

Pharming hijacks a valid URL so that it resolves to a malicious IP address instead of the authentic one, and you or a teammate lands on the attacker's site when clicking a link. For this reason, it is not easy to detect. The real danger in pharming is the malware associated with the website. Look for poorly created pages, and especially HTTP instead of HTTPS in the URL.
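The checks the paragraph suggests (plain HTTP instead of HTTPS, a destination that is a raw IP address rather than the company's real hostname, and link text that shows one address while the link actually goes elsewhere) can be run over the links in a message before anyone clicks. This is an added example and not part of the original post; the HTML fragment, the trusted host "portal.example-corp.com" and the decoy hosts "203.0.113.10" and "portal.example-corp.com.example.net" are constructed assumptions.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML fragment (not from the original post). All hosts are hypothetical:
# "portal.example-corp.com" stands for the company's real portal.
SAMPLE_HTML = """
<p>Please <a href="http://203.0.113.10/login">sign in to the portal</a>.</p>
<p>Or use <a href="https://portal.example-corp.com/login">https://portal.example-corp.com</a>.</p>
<p>Mirror: <a href="http://portal.example-corp.com.example.net/login">https://portal.example-corp.com/login</a></p>
"""

TRUSTED_HOSTS = {"portal.example-corp.com"}  # assumption: hostnames your company really uses


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_literal(host):
    """True if the host part is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text, trusted=TRUSTED_HOSTS):
    """Return the list of red flags for one link (empty list means nothing suspicious)."""
    flags = []
    u = urlparse(href)
    host = (u.hostname or "").lower()
    if u.scheme == "http":
        flags.append("plain HTTP, not HTTPS")
    if is_ip_literal(host):
        flags.append(f"destination is a raw IP address ({host})")
    elif host and host not in trusted:
        flags.append(f"destination host {host!r} is not a known company host")
    # Visible text that looks like a URL but names a different host than the real target.
    shown = urlparse(text if "://" in text else "")
    if shown.hostname and shown.hostname.lower() != host:
        flags.append(f"link text shows {shown.hostname!r} but goes to {host!r}")
    return flags


def audit_html(html, trusted=TRUSTED_HOSTS):
    """Map every href in the fragment to its list of red flags."""
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text, trusted) for href, text in parser.links}


if __name__ == "__main__":
    for href, flags in audit_html(SAMPLE_HTML).items():
        print(href, "->", flags or "ok")
```

The host-suffix trick in the third link (the real domain appears at the start of the name, but the registrable domain is something else) is exactly why the comparison is against the whole hostname and not a substring match.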

All In All, You Should Be Constantly Building Your Defenses

Even as your team becomes more adept with time and training, you will also need to rely on managed IT services. For example, it is wise to implement routine penetration testing to get a good look at how a hacker may see your company from the outside.