Everyone who has familiarized themselves with attacks on the web or social engineering has undoubtedly heard about phishing – a phishing attack is a type of social engineering where an attacker has an aim to trick users on the web to provide him their confidential data (usually email addresses or usernames and passwords.)
From the perspective of an attacker, phishing is a very simple and straightforward way to gain access to user credentials – the most simple phishing attacks begin by an attacker simply visiting the target webpage, copying its contents, and making a similar page on a very similar-looking domain. Such an approach has multiple aims:
- An attacker hopes that the victim won’t notice any differences between the original domain and the domain created by an attacker (domains usually have a difference of one or a couple of characters);
- An attacker is hopng to make the webpage convincing enough to the victim to provide his or her details into it and, as such, gain access to an account.
As it can be said about almost all types of attacks, though, phishing also has a couple of types – it can be split into spear phishing, whaling, smishing, and vishing. While the aim of the phishing attacks is almost always the same, these types differ in a couple of ways:
- Spear phishing is aimed at a specific person and not a group of people and, as such, attackers usually implement known information about the person into their phishing attempt. This type of attack makes it easier to target people, but on the other hand, only a very specific person can be targeted since the attack requires a lot of prior work (gathering information.)
- Whaling is very similar to spear phishing, just that such attacks target “high-ranked” individuals (think executives, known celebrities, etc.)
- In those times when phishing attacks are accomplished via SMS messages, we’re dealing with smishing attacks. This type of an attack is sometimes thought to receive more “engagement” from an end-user since it’s derived via SMS messages.
- Phishing attacks conducted via the phone can also be called vishing attacks. Vishing attacks usually target people via calling them instead of sending SMS messages (see above), and during such attacks, attackers usually claim to be “a part of the organization” (think executives, etc.) and convince unsuspecting employees to hand over either credentials or other sensitive information.
No matter which type of a phishing attack is used, the end goal is almost always the same – an attacker aims to gain sensitive information from a person or an organization. And even though security experts have been advising how to deal with phishing attacks for decades, they’re still pretty prevalent. They’re prevalent because attackers still count on one of the most important factors – people being unaware that they’re being socially engineered.
Protecting Yourself From Social Engineering
As complex as social engineering might sound, there are a couple of known ways to protect both yourself and your organization from such attacks:
- Educate yourself and your employees on the threats of social engineering – education might be as simple as reading threads like this one, going to seminars, conferences, or workshops, or reading up booklets or books about security on the web or social engineering in general.
- Conduct internal phishing campaigns and simulations – one of the best ways to ensure that your organization stays protected from attacks is to simulate them once in a while. Assess the results you would like to see, make up a mock scenario, and without informing your employees (or informing only a small part of decision-makers in the team so they’re aware), run a mock phishing simulation and evaluate the results. Was your team aware that they’re being targeted? What could they’ve done better to protect themselves? What was the end goal of the campaign and was it achieved?
There are multiple ways to protect your team and yourself from phishing attacks, however, it’s very important to remind your team that phishing (and other attacks related to it, for that matter) isn’t going away, and remember that your team might only be a part of the attacker’s bigger picture – is your web application protected from the most prevalent attacks on the web? (think OWASP Top 10 and the like?) Is your web application making use of a web application firewall or defense in depth principles?
Once you’re confident that your team is aware of the campaigns that might interest an attacker and that might be conducted towards them, you can be confident that you’re much lesser of a target to an attacker than you might be otherwise. Combine these practices with a data breach checker available 24/7 by implementing an API solution that scans through a list of data breaches, tell your team to search for themselves amongst the list of hundreds of data breaches, and you’re good to go!
Phishing attacks are a treasure trove for attackers – using those attacks, attackers can gain access to our most sensitive data without much effort. As sad as that might be to state, phishing attacks as well as other types of attacks targeting web applications, are very unlikely to go away any time soon – however, they’re pretty easy to protect against. Make good use of the advice contained in this article, search for your team or yourself using the search engine to know whether you’re at risk of identity theft attacks or not, implement the API offering into the infrastructure of your company to protect it from thieves, and until next time!