{"id":109200,"date":"2024-04-19T09:13:45","date_gmt":"2024-04-19T13:13:45","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=109200"},"modified":"2024-11-05T17:45:09","modified_gmt":"2024-11-05T22:45:09","slug":"modern-phishing","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/modern-phishing","title":{"rendered":"How to Defend Against Modern Phishing Attacks"},"content":{"rendered":"\n

Phishing isn\u2019t what it used to be. Older, popular scams \u2014 like grammatically incorrect love letters and mysterious princes who just need a little money \u2014 have given way to sophisticated and dangerous social engineering attacks. In fact, phishing has become so prevalent and effective that it is one of the three primary ways<\/a> hackers compromise credentials. <\/p>\n\n\n\n

Fortunately, there are policies and controls that IT administrators can put in place to minimize the threat and consequences of phishing attacks. This article will cover modern phishing, including what it looks like today, how employees should respond to suspected phishing attempts, and how you can help prevent phishing in your organization. <\/p>\n\n\n\n

What Is Phishing?<\/h2>\n\n\n\n

Phishing is a social engineering attack vector where bad actors impersonate reputable sources to trick users into compromising their credentials or downloading malware. It\u2019s an attack vector that preys on human nature and is relatively low-cost and low-effort to execute. This unique combination makes phishing particularly prevalent and dangerous.<\/p>\n\n\n\n

While phishing became infamous in the \u02bc90s through clearly fraudulent emails with poor grammar, attacks have become much more sophisticated and diverse. We\u2019ll cover some of these emerging tactics here.<\/p>\n\n\n\n

Popular Types of Phishing <\/h2>\n\n\n\n

Understanding phishing attack types will prepare you and your users to spot them. The first phishing email was sent in the mid-1990s<\/a>, when attackers posed as AOL employees to steal credentials via AOL messages and email. This traditional tactic remains in use today, largely for widespread, untargeted attacks. <\/p>\n\n\n\n

Other, more targeted phishing styles have evolved as well. The following are some of the most common:<\/p>\n\n\n\n

Email Phishing<\/h3>\n\n\n\n

Email phishing is the most common form of phishing, and the one most users are already familiar with. In a phishing email, an attacker poses as someone trustworthy to convince the recipient to click a malicious link, download malware, or hand over their credentials. <\/p>\n\n\n\n

Smishing<\/h3>\n\n\n\n

Smishing (SMS phishing) is similar to email phishing, but it occurs over text. <\/p>\n\n\n\n

Vishing<\/h3>\n\n\n\n

Vishing (voice phishing) is the same tactic carried out over a phone call rather than an email, with the caller posing as a trusted party to talk the target into sharing credentials or taking some other action.<\/p>\n\n\n\n

Spear-Phishing<\/h3>\n\n\n\n

Spear-phishing takes the traditional phishing email and personalizes it with social engineering, targeting a specific individual. This tactic takes hackers longer to execute, but it is generally more convincing than a standard phishing attempt. Because of the extra time investment, spear-phishing attacks usually target higher-value targets with deep levels of access.<\/p>\n\n\n\n

Whaling <\/h3>\n\n\n\n

Whaling uses the same tactics as spear-phishing, but it targets senior-level personnel. It\u2019s important for executives to be aware of whaling and understand they aren\u2019t immune to attack. Make sure they take part in any phishing awareness training you implement.<\/p>\n\n\n\n

Clone Phishing<\/h3>\n\n\n\n

Clone phishing swaps real links or attachments for malicious ones in a legitimate, previously sent email, and then resends it. Often, phishers use an email that was sent to a group, and resend the email to the group. If they have access to the sender\u2019s email account, they may send it from that account under the premise of resending with updated information. <\/p>\n\n\n\n

Search Engine Phishing<\/h3>\n\n\n\n

Hackers are always looking for new ways to reach their targets, and Google searches are now within their arsenal. In search engine phishing, hackers build a copy of a legitimate website on a domain they control and optimize it to show up for a common Google search. If they design it correctly, it can be difficult to spot the site as a fake. Hackers usually do this with account or login pages, hoping users visit the page from the search results and enter their credentials, unknowingly giving them away.<\/p>\n\n\n\n

Who Do Phishing Attackers Impersonate?<\/h2>\n\n\n\n

Now that we\u2019ve established popular types of phishing attacks, it\u2019s important for users to understand who phishers might impersonate. This is critical information for the end-user, who needs to know what a phishing email might look like when it pops up in their inbox. <\/p>\n\n\n\n

A Popular Account<\/h3>\n\n\n\n

Phishers often impersonate brands that use online accounts, like subscription services, banks, credit card companies, and software. Under the guise of a familiar brand, they\u2019ll email customers claiming that their account is locked, set to expire, needs review \u2014 anything to get them to open the link and log in. The recipients who follow the link will usually land on a fake login page that captures and exploits their credentials.<\/p>\n\n\n\n
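The fake login page only works if the user follows the link, so the most practical check is to look at where a link actually goes rather than what its text says. The following Python script is an added example, not code from the original article: it parses a constructed \u201caccount locked\u201d email and flags anchors whose visible text names one domain while the href targets another, links to bare IP addresses, punycode (xn--) hostnames, and hosts that embed a trusted brand name under a different registrable domain. The brand list, the domain names, and the sample message are assumptions made up for illustration; the domain-trimming helper is deliberately crude, and a production tool would use the public suffix list.<\/p>\n\n\n\n

```python
"""Flag the link-based tells of a credential-phishing email.

Added example, not from the original article. It parses a constructed
HTML email body and reports links whose visible text promises one site
while the href points somewhere else, links to look-alike or punycode
domains, and links to raw IP addresses. Brand and domain names below
are assumptions chosen for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brands the organization's users legitimately receive mail
# from, and the registrable domains those brands actually use.
TRUSTED_DOMAINS = {
    "example-bank.com",
    "example-subscriptions.com",
}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: keep the last two labels. Adequate for the .com-style
    hosts used here; a real tool would consult the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# A domain-looking token in the visible link text, e.g. "example-bank.com"
_DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def analyze_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return a list of (href, reason) findings for suspicious links."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        target = registrable_domain(host)
        # 1. Visible text names a domain that differs from the real target.
        m = _DOMAIN_IN_TEXT.search(text)
        if m and registrable_domain(m.group(1)) != target:
            findings.append((href, f"text says {m.group(1)} but href goes to {host}"))
        # 2. Raw IP address instead of a hostname.
        if _IPV4.match(host):
            findings.append((href, "link target is a bare IP address"))
        # 3. Punycode label: a possible IDN homograph of a familiar name.
        if "xn--" in host:
            findings.append((href, "punycode (xn--) label in hostname"))
        # 4. A trusted brand name appears in the host, but the registrable
        #    domain is not the brand's own (e.g. example-bank.com.evil.net).
        for brand in trusted:
            if brand.split(".")[0] in host and target not in trusted:
                findings.append((href, f"look-alike of {brand}: {host}"))
                break
    return findings


# Constructed sample: a fake "account locked" notice, not a real message.
SAMPLE_EMAIL = """
<p>Your account has been locked. Please review it within 24 hours:</p>
<a href="https://example-bank.com.account-review.net/login">https://example-bank.com/login</a>
<p>Or use our secure mirror: <a href="http://203.0.113.7/signin">Sign in</a></p>
<p>Questions? Visit <a href="https://example-bank.com/help">example-bank.com/help</a></p>
"""

if __name__ == "__main__":
    for href, reason in analyze_links(SAMPLE_EMAIL):
        print(f"{reason}\n    -> {href}")
```

Run with no arguments to print the findings for the embedded sample; the only link that passes is the one whose text and target agree on the brand's own domain. The same function applies to the forged account pages described under search engine phishing, because the tell is identical: the destination domain is not the brand's own.<\/p>\n\n\n\n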

Someone on the Inside<\/h3>\n\n\n\n

If your boss said they urgently needed your help with something, would you say no? <\/p>\n\n\n\n

Many phishers bet on employees trusting their leaders. They\u2019ll trick employees into clicking a link or sharing credentials by impersonating the employee\u2019s boss and making an urgent request, usually via text or email. When the phisher does their research on their target, these attacks can often be quite convincing. <\/p>\n\n\n\n

This ruse doesn\u2019t stop at direct superiors. HR personnel, IT admins, and fellow coworkers are other people phishers impersonate to trick employees into cooperating with an ask. <\/p>\n\n\n\n

A Customer<\/h3>\n\n\n\n

Customers wanting to pay for your company\u2019s services seem pretty routine, which is why this phishing method works. In these attacks, phishers email you as a \u201ccustomer,\u201d claiming that they\u2019ve attached their payment. (Spoiler alert: the attachment isn\u2019t their payment. It\u2019s likely malware.)<\/p>\n\n\n\n

The Government<\/h3>\n\n\n\n

Legal action can scare anyone, even if they haven\u2019t done anything wrong. That\u2019s the thinking behind these attacks, which pose as a government body threatening legal fees, jail time, or other penalties unless the recipient takes action. That action is usually remitting a payment or clicking a malicious link that downloads malware.<\/p>\n\n\n\n

A New Connection<\/h3>\n\n\n\n

Social media and remote work have eliminated the discomfort of meeting someone virtually. Phishers are exploiting this phenomenon by impersonating your connections. They\u2019ll find a person, company, club, or other connection in your social media and use it to establish common ground. After they\u2019ve established trust, they\u2019ll try to get you to click a link or share information with them. <\/p>\n\n\n\n

When executed correctly, these phishing attacks are some of the most convincing and dangerous. This is often the tactic spear-phishers and whalers use: they do their research and target someone high up to make the attack count. <\/p>\n\n\n\n

How to Spot a Phishing Attempt <\/h2>\n\n\n\n

Poor grammar and implausible stories used to be the primary tells for catching phishing attempts, but the attempts themselves have become much more sophisticated. Many no longer contain these mistakes, so they shouldn\u2019t be employees\u2019 sole tip-offs.<\/p>\n\n\n\n

Employees should learn to look for context clues when they are asked to click a link, download something, log into an account, or share information, assets, or money. Common context clues that could tip someone off to a phishing attempt include: <\/p>\n\n\n\n