Phishing is a broad category that can encompass many flavors of the same basic cyberattack. An estimated 90% of incidents that end in a data breach start with a phishing email. Phishing can also lead down dark roads to a host of nasty cyberattacks like business email compromise, ransomware and account takeover. However, some of the specialized versions of phishing that you may encounter do have hallmarks that can clue you in to the scam. Go behind the scenes into three nasty varieties of phishing to learn the key indicators and red flags to look for to avoid becoming the victim of one of these potentially devastating phishing attacks.
Explore today’s biggest threats & what’s next in The State of Email Security 2022 GET IT>>
Angler Phishing (Social Media Phishing)
A phishing attack conducted through the use of social media lures, like messages telling the target that they have been tagged in a photo, direct messages on messaging apps or emails from social media site administrators.
Enticing the target to interact with a fake or spoofed login page for the requisite social media site that they can then use to capture the victim’s password. The cybercriminals can then perform an ATO and use the victim’s account for fraud like BEC or snoop for information on the victim’s connections to help them better target sophisticated spear phishing attacks.
Angler phishing is a relatively new form of phishing that has risen to prominence over the past decade. The preferred format for a malicious message using this technique is email, but it can also be conducted through messaging. LinkedIn messages are the most effective for cybercriminals, with a 47% open rate. However, cybercriminals will imitate messages from any social network to lure in unsuspecting victims.
Some examples include:
- Recruiters are looking at your profile!
- You appeared in new searches this week!
- Please add me to your LinkedIn network
- A new photo of you has been tagged on Facebook
- Someone sent you a direct message on Twitter
- See who is looking at your profile!
- You’ve been tagged in a photo on Instagram
- Confirm my WhatsApp account
- Your TikTok Verified Badge
Employees that take the bait in social media phishing attacks can fall victim to dangerous ensuing attacks including credential compromise and business email compromise. In January 2021, organizations experienced about 34 social-media-related phishing attacks per month. However, in June this number rose closer to 50, representing a 47 percent increase through the first half of 2021. By September 2021, organizations were looking at more like 61 social-media-related phishing attacks per month – a shocking 82% increase in just three quarters.
AI is the secret weapon you’re looking for to boost business email security. SEE WHY>>
A phishing attack featuring personalized details in the lure that add believability to increase the likelihood that the recipient will take the bait. Spear phishing is the most common type of specialized phishing attack, and can be aimed at anyone at any level within an organization. These messages can also be very tricky to spot – 97% of employees are unable to detect a sophisticated phishing message lie the type used in spear phishing attacks.
To lure unwary recipients into taking an action that achieves the desired end for the bad guy like handing over credentials, sending money, allowing them access to sensitive systems and data, infecting systems with ransomware or malware or other nefarious purposes.
Cybercriminals use personalized information about their targets to craft emails that seem legitimate, often powered by information obtained from social media profiles, dark web markets and corporate websites. These lures can include:
- Emails from the recipient’s alma mater asking for updated address information.
- A message advising the victim to reset their password at a social media site.
- Free downloads from organizations to which the recipient belongs.
- Requests for donations from charities that are in the recipient’s sphere.
- Fake notifications about copyright infringement on YouTube, Tik Tok, etc.
- Attachments like brochures or notices from trusted sources like a government agency.
- Spoofed messages from the recipient’s regular service providers, suppliers or other vendors.
Spear-phishing is the most common vector for business email compromise attacks, the most expensive cyberattack a business can suffer. This attack is commonly used to capture credentials, steal information, cause a data breach and deploy malware including ransomware. The open rate for spear phishing emails is about 70%. Even worse, a report by FireEye shows that 50% of recipients who open spear phishing messages click on a malicious link inside.
Learn the secret to ransomware defense in Cracking the RANSOMWARE Code. GET BOOK>>
Whaling (CEO Fraud or Executive Phishing)
Whaling, sometimes known as CEO fraud or executive phishing, is a highly specialized spear-phishing attack that is crafted to perfectly imitate a company executive, or alternately, to fool a company executive into thinking that the message is from a trusted source.
To lure an executive or privileged employee into performing an action like supplying their credentials, giving the bad guys sensitive information or transferring money. Cybercriminals often use spoofed messages and conversation hijacking in this scenario to convince executives that they are a trustworthy business associate or a representative of an organization that the executive trusts.
Highly specific lures are crafted using personalized information about the target gathered from publicly available sources, harvested from social media sites and obtained from dark web markets and data dumps. Sometimes the cybercriminals will leverage a legitimate email account gained through BEC. These lures can include:
- Social media alerts or direct messages from sites like LinkedIn, Facebook, Twitter, What’s App, etc.
- Emails from the recipient’s bank, credit card company or a similar source
- Invoices from contractors or freelancers
- Updates from a software vendor
- Charitable donation requests
- Fake political emails from candidates or parties
- Attachments like brochures or notices from trusted sources like a government agency
- Spoofed messages from the recipient’s regular service providers, suppliers or other vendors
- Falsified event invitations
- New messages in old conversations
Whaling and CEO fraud aren’t the most frequently conducted types of phishing because each operation requires extensive research and a high level of skill in crafting and delivery. Bad actors will frequently use brand impersonation in these attacks and usually favor posing as Zoom, Amazon and DHL.
Looking for a security rockstar? Get 5 superstar benefits at 1 low price! SEE THE BENEFITS>>
Get Affordable Email Security That Can Handle Every Phishing Threat
Graphus’ AI-powered email security is a powerful defense against phishing threats like these. Compared to built-in email protection or a SEG, automated, API-based email security solutions like Graphus prevent 40% more spear phishing messages from reaching an employee’s inbox. Here’s how:
- TrustGraph is a powerful shield between employee inboxes and malicious messages. This proprietary technology uses more than 50 distinct data points to discover up to 99% of sophisticated phishing messages, even zero-day attacks.
- EmployeeShield displays a bright, prominent box on suspicious messages, reminding them to be cautious. Employees can designate a message as genuine or malicious with a single click.
- Phish911 makes it simple for employees to report any message that they don’t think is safe. When an employee reports a potentially malicious email, the message is immediately removed from everyone’s inboxes.
Let us show you how you can stop phishing immediately with Graphus – the most simple, automated and affordable phishing defense available today.