Phishing is a type of social engineering attack used to steal individuals' sensitive data such as login credentials and credit card data. Attackers masquerade as trusted entities and dupe their victims into opening malicious links, which can lead to the target revealing sensitive information or malware being installed on their devices.
Below we have outlined the various phishing attacks that malicious actors use. We have also provided advice and guidance on identifying these attacks, helping you to increase your organisation's resilience against them.
Deceptive Phishing – Deceptive Phishing is one of the most popular scams that malicious individuals use to try to obtain sensitive information or login credentials. These attacks are often sent via email and use threats or create a sense of urgency in order to deceive unsuspecting individuals into clicking malicious links or willingly providing their sensitive data.
The most common examples of Deceptive Phishing include fraudulent emails claiming to be from your bank, online retail websites or other businesses you have an account with. They may claim that there has been a security breach or issue with your order and you need to log in to resolve it. However, some cyber criminals are beginning to use much darker methods to extort financial gains out of unsuspecting victims.
In a new phishing attack scam known as Sextortion, malicious individuals are sending emails to targets telling them that they have been recorded via their device's webcam whilst visiting adult content, and that the footage will be shared with their family and friends unless a ransom is paid, usually in cryptocurrency.
Spear Phishing – Spear Phishing attacks are similar to standard phishing attacks but customised to influence specific individuals. As these attacks are far more targeted than standard phishing scams, the criminals performing the attacks will gather much more information about their targets in order to make the emails look more legitimate, increasing the chance of their success.
Whaling – Whaling attacks are essentially Spear phishing attacks which are targeted at senior level individuals within a company. Cyber criminals target these individuals because successful attacks can be far more rewarding than mass phishing attacks. This is due to the nature of the sensitive information these targets have access to and the fact that the emails are carefully curated to appear legitimate.
In early 2016, a senior executive working at the social media giant Snapchat was the victim of a whaling attack after receiving an email which they believed to be from their CEO. The employee in question was deceived into providing the attacker with payroll information, and the case was later investigated by the FBI.
Pharming – Pharming attacks involve malicious individuals infiltrating your computer and installing malware which redirects you to bogus sites developed by the criminal. These attacks are often initiated by sending out malicious emails which, when opened, install malware on the target's computer.
The main issue with this type of attack is that it is difficult to detect. Even if the victim manually enters the URL of the website they are trying to reach, they will still be redirected to the bogus site and tricked into sharing their login credentials or sensitive information.
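One place pharming malware commonly plants such a redirect is the local hosts file, which the operating system consults before DNS, so a manually typed address still lands on the attacker's server. The script below is an added example, not part of the original article: it parses hosts-file content and flags any entry that points a site you log in to at a non-loopback address. The hosts content and the `WATCHED_DOMAINS` list are constructed for the demo; the domains and addresses are documentation/test values, not real sites.

```python
import ipaddress
import os

# Constructed hosts-file content for the demo. The examplebank.test lines are the
# kind of override that pharming malware adds; nothing here is a real site.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost ip6-localhost
# Added by malware (constructed example)
203.0.113.45   online.examplebank.test www.examplebank.test
192.0.2.10     mail.example.test
"""

# Assumed list of sites the user logs in to; a real deployment would
# populate this from the organisation's own list of banking/webmail domains.
WATCHED_DOMAINS = ("examplebank.test", "example.test")

# Location of the live hosts file on the common platforms.
HOSTS_PATH = (r"C:\Windows\System32\drivers\etc\hosts"
              if os.name == "nt" else "/etc/hosts")


def parse_hosts(text):
    """Return (hostname, ip_address) pairs from hosts-file text.

    Comments and blank lines are skipped; lines whose first field is not a
    valid IP address are ignored rather than treated as an error.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((name.lower(), addr))
    return entries


def suspicious_overrides(text, watched=WATCHED_DOMAINS):
    """Return (hostname, address) pairs where a watched domain, or any
    subdomain of it, is mapped to a non-loopback address."""
    findings = []
    for name, addr in parse_hosts(text):
        if addr.is_loopback:
            continue   # localhost-style entries are normal
        if any(name == d or name.endswith("." + d) for d in watched):
            findings.append((name, str(addr)))
    return findings


def check_system_hosts(path=HOSTS_PATH):
    """Read the live hosts file and report overrides of watched domains."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_overrides(fh.read())


if __name__ == "__main__":
    for name, addr in suspicious_overrides(SAMPLE_HOSTS):
        print(f"hosts file sends {name} to {addr}")
```

A hit does not prove infection (administrators sometimes pin internal names this way), but a banking or webmail domain appearing in the hosts file at all deserves investigation. The check covers only this one mechanism: malware that changes the system's DNS server settings, or a compromised home router, produces the same redirection without touching the hosts file.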
Vishing – Vishing works in a similar way to standard email phishing attacks, in that the attacker attempts to deceive an individual into sharing their sensitive data; however, the attack is conducted using voice technology (telephone, voicemail or VoIP).
The victim receives a message stating that suspicious activity has taken place on one of their credit cards, bank accounts or other personal accounts, and is directed to call a number to verify their identity to ensure that "fraud does not occur". Alternatively, the attack is carried out in a direct telephone call, in which the attacker usually poses as a legitimate trusted source, such as a bank or government agency.
In June 2017 Emma Watson, a British businesswoman who was setting up a children's nursery, received a phone call from criminals claiming to be from her bank's fraud team. She was told that they had stopped some unusual transactions on her account, but because her account had been compromised she was instructed to transfer her money into another account which the criminals had set up in her name. Emma ended up transferring £100,000 into the fraudsters' online account, only a fraction of which has been traced and returned so far.
How to Spot the Signs and Protect Yourself
Although these attacks have different targets and methods of delivery, they all share certain characteristics. Below we have outlined some of the more common signs of a potential phishing attack and provided guidance on protecting yourself and your organisation against them.
Poor Spelling, Unnecessary Characters and Missing Information
One of the quickest and easiest ways to spot phishing emails is by reading through the text contained within the email and looking for odd spe11ings or out of place cApiTals. These are often found in the subject line of phishing emails to confuse spam filters but can also be found in the main body of text.
Other signs of phishing emails include generic greetings such as "Dear Customer" or "Dear - your email address", poor use of English and bad graphics. Finally, if you look at the sender's email address, it is usually unnecessarily long rather than a simple [email protected].
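The signs listed above (digits substituted for letters, out-of-place capitals, a generic or email-address greeting, an unnecessarily long sender address, and the urgency wording mentioned under Deceptive Phishing) are mechanical enough to check automatically. The script below is an added example, not part of the original article or any product it describes: it runs those checks over two constructed messages and returns the signs it finds. The sample messages, the threshold for a "long" sender address and the keyword lists are all assumptions made for the demo.

```python
import re

# Constructed sample messages for the demo; they are not real emails.
SAMPLES = [
    {
        "from": "security.alert.noreply.account.verify.team@mail-banking-login-support.example",
        "subject": "Urgent: Ver1fy your AcCount n0w",
        "body": "Dear Customer, we detected a problem with your order. Click here to log in.",
    },
    {
        "from": "alice@example.com",
        "subject": "Lunch on Thursday?",
        "body": "Hi Bob, are you free for lunch on Thursday? Alice",
    },
]

# Assumed keyword lists; tune them to the mail your organisation actually receives.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear valued")
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "act now")
# Assumed threshold for an "unnecessarily long" sender local part.
MAX_LOCAL_PART = 24

# Digits standing in for letters inside a word, e.g. "spe11ings" or "n0w".
DIGIT_SUBSTITUTION = re.compile(r"\b[A-Za-z]+[013457]+[A-Za-z]+\b")
# A lowercase letter directly followed by an uppercase one inside a word, e.g. "cApiTals".
ODD_CAPITALS = re.compile(r"\b\w*[a-z][A-Z]\w*\b")
# "Dear <recipient's email address>" style greeting.
EMAIL_GREETING = re.compile(r"dear\s+\S*@\S*")


def phishing_signs(message):
    """Return a list of the signs described in the article found in one message."""
    signs = []
    text = f"{message['subject']} {message['body']}"
    body_start = message["body"].strip().lower()

    if DIGIT_SUBSTITUTION.search(text):
        signs.append("digits substituted for letters")
    if ODD_CAPITALS.search(text):
        signs.append("out-of-place capitals")
    if body_start.startswith(GENERIC_GREETINGS) or EMAIL_GREETING.match(body_start):
        signs.append("generic greeting")
    local_part, _, _ = message["from"].partition("@")
    if len(local_part) > MAX_LOCAL_PART or local_part.count(".") >= 3:
        signs.append("long or complex sender address")
    if any(word in text.lower() for word in URGENCY_WORDS):
        signs.append("urgency or threat wording")
    return signs


def triage(messages):
    """Map each message's subject to the signs found, for a quick review list."""
    return {m["subject"]: phishing_signs(m) for m in messages}


if __name__ == "__main__":
    for subject, signs in triage(SAMPLES).items():
        verdict = "suspicious" if signs else "no signs found"
        print(f"{subject!r}: {verdict} {signs}")
```

These are heuristics, not a verdict: a legitimate newsletter can open with "Dear Customer", and a product name like "iPhone" trips the capitals check. The value is in surfacing messages that combine several signs at once for a human to look at, which is also how a spam filter's scoring works.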
Requests for information or payments
If a phone call, voicemail, email or text message asks you to log into an online account or make a payment you were not aware of, be cautious. Companies will never ask you for your personal details in full; instead they ask for snippets of your credentials (e.g. the 1st, 4th and 6th characters of your password) to confirm your identity.
Keep your banking credentials secure
Never give out any of your banking credentials to anyone who has called you unexpectedly, even if they do claim to be from your bank.
Set up a spam filter
A spam filter will screen your incoming emails and mark anything suspicious as spam. If an email which looks bogus does make it into your inbox, mark it as spam and delete it. Never click any links or open any attachments contained within it, as simply opening them could install malicious software on your computer.
If you do think you have been the victim of a phishing attack or would like to speak to one of our specialists about protecting your organisation against cyber threats, please get in touch and one of our specialists will get back to you within one business day.
© Financechain Limited trading as SES and ses-escrow.co.uk, 2019. Unauthorised use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Financechain Limited trading as SES and ses-escrow.co.uk, with appropriate and specific direction to the original content.