{"id":55256,"date":"2021-10-12T14:18:33","date_gmt":"2021-10-12T18:18:33","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=55256"},"modified":"2024-02-20T18:45:06","modified_gmt":"2024-02-20T23:45:06","slug":"many-masks-phisher","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/many-masks-phisher","title":{"rendered":"The Many Masks of the Phisher"},"content":{"rendered":"\n
It\u2019s Cybersecurity Awareness Month! In honor of the theme \u2014 Do Your Part. #BeCyberSmart \u2014 we\u2019re doing our part by educating IT teams and organizations on protecting themselves. Throughout October, the JumpCloud blog will focus on top cybersecurity issues, from IT admin best practices to CISO responsibilities. Tune back in throughout the month for new cybersecurity content or check out our archive of existing security articles<\/a> for cybersecurity insights written specifically for the IT professional.<\/em><\/p>\n\n\n\n <\/p>\n\n\n\n Unlike many other attack methods, phishing preys on human nature. Further, its low-tech nature is one of the reasons it\u2019s still so popular. It\u2019s easy to implement and casts a wide net that doesn\u2019t often come up empty. <\/p>\n\n\n\n Because even one user who falls victim can let in malware that infects the entire infrastructure, everyone in your organization needs to be able to detect and appropriately respond to phishing. <\/p>\n\n\n\n In keeping with this year\u2019s Cybersecurity Awareness Month theme, this article will help IT admins prepare users to recognize and respond correctly to phishing attacks.<\/p>\n\n\n\n Because phishing is all about hackers infiltrating your organization by pretending to be someone a user trusts, this article will cover some of a phisher\u2019s most common disguises. It will also cover how to best respond to a suspected attack, and how to prevent attacks from taking hold. <\/p>\n\n\n\n Note<\/em><\/strong>: If you don\u2019t already have a phishing awareness campaign in place, you can start by sharing these tips with your employees so they know what to look for and what to do if they suspect phishing. <\/em><\/p>\n\n\n\n The first phishing email was sent in the mid 1990s<\/a>. The traditional tactic remains in use today, largely for widespread, untargeted attacks. 
Other, more focused phishing styles have evolved as well, and phishers have learned what worked and how to home in on their targets. Understanding these attack types will prepare you and your users to spot them. <\/p>\n\n\n\n Email phishing is the most common form of phishing, and the one most users are likely familiar with. In a phishing email, a hacker sends an email posing as someone trustworthy to convince the recipient to click a malicious link, download malware, or hand over their credentials. <\/p>\n\n\n\n Smishing (SMS phishing) is similar to email phishing, but it occurs over text. <\/p>\n\n\n\n Vishing is also a variant of email phishing that occurs via voice\/phone call.<\/p>\n\n\n\n Spear-phishing takes the traditional phishing email and personalizes it with social engineering, targeting a specific individual. This tactic takes hackers longer to execute, but it is generally more convincing than a standard phishing attempt. Because of the extra time investment, spear-phishing attacks usually go after higher-value targets with deep levels of access.<\/p>\n\n\n\n Whaling uses the same tactics as spear-phishing, but it targets senior-level personnel. It\u2019s important for executives to be aware of whaling and understand they aren\u2019t immune to attack. Make sure they take part in any phishing awareness training you implement.<\/p>\n\n\n\n Clone phishing swaps real links or attachments for malicious ones in a legitimate, previously sent email, and then resends it. Often, phishers use an email that was sent to a group, and resend the email to the group. If they have access to the sender\u2019s email account, they may send it from that account under the premise of resending with updated information. <\/p>\n\n\n\n Hackers are always looking for new ways to reach their targets, and Google searches are now part of their arsenal. In search engine phishing, hackers forge a copy of a legitimate website and optimize it to show up for a common Google search. 
If they design it correctly, it can be difficult to spot the site as a fake. Hackers usually do this with account pages, hoping users visit the page and input their credentials, unknowingly giving them away.<\/p>\n\n\n\n Now that we\u2019ve established popular types of phishing attacks, it\u2019s important for users to understand who <\/em>phishers might pose as. This is critical information for the end-user, who needs to know what a phishing email might look like when it pops up in their inbox. These are some of the most popular masks phishers wear when they attack. <\/p>\n\n\n Phishers have gotten pretty good at impersonating big brands, from duplicating their logo to creating fake (but believable) login pages. Phishers often use this tactic to masquerade as brands that use online accounts, like subscription services, banks, credit card companies, and software.<\/p>\n\n\n\n These phishing emails usually pose as one of these brands, alerting the recipient that their account is locked, set to expire, or needs review \u2014 anything to get them to open the link and log in. Often, the phisher uses a fake login page, captures the credentials, and infiltrates the account.<\/p>\n\n\n\n If your boss said they urgently needed your help with something for a big meeting they were about to step into, would you say no? Many phishers bet on employees trusting their leaders, sending texts, emails, and other fake correspondence masquerading as an employee\u2019s boss. When the phisher does their research on their target, these can often be quite convincing. <\/p>\n\n\n\n This ruse doesn\u2019t stop at direct superiors. Phishers often pose as someone from HR or IT to harvest valuable credentials, or as a fellow coworker who needs help. Fortunately, while phishers are fairly skilled at researching and impersonating others, humans generally have reliable instincts about interpersonal communication. 
If something feels off about the voice, topic, or channel through which someone contacts an employee, the employee should check in with the purported sender via another channel to verify the communication. <\/p>\n\n\n\n Customers wanting to pay for your company\u2019s services seem pretty routine, which is why this phishing method works. In these attacks, phishers email you as a \u201ccustomer,\u201d claiming that they\u2019ve attached their payment. (Spoiler alert: the attachment isn\u2019t their payment. It\u2019s likely malware.)<\/p>\n\n\n\n Legal action can scare anyone, even if they haven\u2019t done anything wrong. That\u2019s the thinking behind these attacks, which pose as a government body threatening legal fees, jail time, or other penalties unless the recipient takes action. That action is usually remitting payment or clicking a malicious link that downloads malware.<\/p>\n\n\n\n Social media and remote work have eliminated the discomfort of meeting someone virtually. So a message in your email or LinkedIn saying, \u201cHey, it looks like we both worked with Amanda at CompanyABC; let\u2019s connect!\u201d sounds fairly benign. <\/p>\n\n\n\n Phishers can find a person, company, club, or other connection in your social media and use it to establish common ground with the recipient. This generates trust, which might assuage the uneasiness of clicking a link or sharing information with them.<\/p>\n\n\n\n When executed correctly, these phishing attacks are some of the most convincing and dangerous. This is often the tactic spear-phishers and whalers use, doing their research and targeting someone high up to make their attack count. <\/p>\n\n\n\n While poor grammar and implausibility used to be primary tip-offs for phishing attempts, phishing messages have become much more sophisticated. 
Many no longer contain these mistakes, and they shouldn\u2019t be employees\u2019 sole tip-offs.<\/p>\n\n\n\n Employees should learn to look for context clues when they are asked to click a link, download something, log into an account, or share information, assets, or money. Common context clues that could tip someone off to a phishing attempt include: <\/p>\n\n\n\n When in doubt, users should check with the sender on another channel to confirm that they sent the message. For senders in the organization, a quick chat will often suffice; for companies, contacting customer service, using their chat bot, or emailing an account representative are common methods. (Note: don\u2019t use contact information listed in a suspected phishing email; visit the company\u2019s website manually to find contact info.) <\/p>\n\n\n\n Instead of clicking a link, users should type in the URL manually. This prevents them from landing on a malicious look-alike site whose URL uses an \u201co\u201d instead of a \u201c0.\u201d This also goes for email addresses and phone numbers if you reply to a message: type them in manually instead of replying within the thread.<\/p>\n\n\n\n This is especially true when logging in or changing a password: never do so through an email or other indirect channel. Users should only ever type in credentials on a website they trust and can verify is genuine, and never in an email. Ideally, your users can change their password on their machine<\/a> (a safe place to change that password) and have it propagated to their other services.<\/p>\n\n\n\n Phishing emails usually make a claim \u2014 users should check those claims\u2019 legitimacy if they can. 
For example, if an email claims that a user\u2019s account is locked out, that the sender wants to pay for a service, or that the sender has an upcoming meeting they need help with, users can try logging into the account in a separate browser, review the customer\u2019s purchase history, or check the sender\u2019s calendar for upcoming meetings, respectively. Phishers can\u2019t control the context surrounding their claims, and real-life deduction can often outwit a phishing attempt.<\/p>\n\n\n\n If users can\u2019t confirm a message\u2019s legitimacy, they should never interact with it. This includes replying, clicking anything, and opening attachments. <\/p>\n\n\n\n When users suspect phishing, they should have a clear set of steps to follow. Usually, this is reporting it to their IT or security team. Organizations often use a designated phishing reporting email address or require users to install a phishing reporting tool in their email client.<\/p>\n\n\n\n Phishing security relies on employees to stay vigilant and do their part. Your IT department should run regular training on phishing awareness \u2014 often combined with more holistic security awareness training<\/a>. Phishing awareness training should include what phishing is, how to detect it, and how to appropriately respond to and report suspected phishing attempts. <\/p>\n\n\n\n Consider running phishing simulation tests to gauge how well employees react to phishing. In these tests, employees receive fake phishing emails to see how they respond. These are usually conducted by a third party, and many services include reporting, periodic testing to gauge improvement, help with phishing awareness training, and recommendations for next steps. <\/p>\n\n\n\n In today\u2019s environment, passwords are far from safe<\/a> \u2014 in fact, they\u2019re quite vulnerable, and no longer considered the best way to protect accounts. 
Companies are stepping up their authentication to include multi-factor authentication<\/a>, swapping traditional authentication methods for secure authentication protocols, and combining them through a secure single sign-on (SSO)<\/a> tool.<\/p>\n\n\n\n While the above methods are effective to an extent, they don\u2019t completely prevent phishing. Reliably protecting your organization against phishing involves two elements: <\/p>\n\n\n\n Single sign-on (SSO) solutions use secure protocols instead of passwords to authenticate and authorize users to their resources. This eliminates the need for (and risk of) users typing in their credentials. Because phishing often occurs when a user types their credentials into a falsified website, circumventing this manual login process acts as a defense against phishing.<\/p>\n\n\n\n The most reliable way to defend against phishing is to combine SSO with a means for changing passwords on devices rather than on websites. For example, JumpCloud\u00ae<\/sup><\/a> stores SSO data in its User Portal; users can change their passwords directly from their device, and the device propagates the changed credentials to the individual services. This way, the user never needs to input their password directly into a website or application that JumpCloud supports (and because JumpCloud takes a multi-protocol approach to authentication and authorization, it supports just about all of them).<\/p>\n\n\n\n To truly defend against phishing, you need a solution that can provide both of the above elements. One of the best ways to do this is with a unifying directory platform like JumpCloud<\/a> that manages and secures access to all your resources. <\/p>\n\n\n\n JumpCloud is a security-focused cloud directory platform that securely connects employees to virtually all the resources they need, from wherever they are. It accomplishes this with tools like multi-factor authentication, a multi-protocol approach to authentication, and secure single sign-on. 
Better yet, it\u2019s free for up to 10 devices and 10 users \u2014 sign up now<\/a> to try it in your environment.<\/p>\n","protected":false},"excerpt":{"rendered":" Help end-users understand common phishing tactics and disguises so they can recognize and respond to attacks.<\/p>\n","protected":false},"author":144,"featured_media":55258,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","inline_featured_image":false,"footnotes":""},"categories":[2337],"tags":[],"collection":[2775],"platform":[],"funnel_stage":[3016],"coauthors":[2532],"acf":[],"yoast_head":"\nPopular Types of Phishing <\/strong><\/h2>\n\n\n\n
Email Phishing<\/h3>\n\n\n\n
Smishing<\/h3>\n\n\n\n
Vishing<\/h3>\n\n\n\n
Spear-Phishing<\/h3>\n\n\n\n
Whaling <\/h3>\n\n\n\n
Clone Phishing<\/h3>\n\n\n\n
Search Engine Phishing<\/h3>\n\n\n\n
Common Phishing Dupes<\/strong><\/h2>\n\n\n\n
A Popular Account<\/h3>\n\n\n\n
Someone in Their Organization<\/h3>\n\n\n\n
A Customer<\/h3>\n\n\n\n
The Government<\/h3>\n\n\n\n
A New Connection<\/h3>\n\n\n\n
Notes on What to Look for: <\/strong><\/h2>\n\n\n\n
How to Respond to Suspected Phishing<\/strong><\/h2>\n\n\n\n
Try Another Channel<\/h3>\n\n\n\n
Go to the Source<\/h3>\n\n\n\n
Check the Information<\/h3>\n\n\n\n
Never Interact with a Suspicious Message<\/h3>\n\n\n\n
Report It<\/h3>\n\n\n\n
Preventing Phishing and Minimizing Its Effects<\/strong><\/h2>\n\n\n
Regular Phishing Awareness Training<\/h3>\n\n\n\n
Phishing Simulation<\/h3>\n\n\n\n
Step Up Your Password Game<\/h3>\n\n\n\n
The More Holistic Solution<\/strong><\/h2>\n\n\n\n