What is a phishing technique in which cybercriminals misrepresent themselves over the phone?

Phishing, smishing and vishing are three ways a scammer might contact you in an attempt to gather personal information about you and carry out identity fraud.

These and other methods of identity fraud use your personal data or financial accounts to steal money, receive loans or services in your name, or to commit other crimes. In 2021, there were more than 1.4 million reports of identity theft, according to the Federal Trade Commission. Knowing what methods fraudsters use and how to spot them can help you avoid becoming a victim.

Methods of Contact for Phishing, Smishing and Vishing

  • Phishing: Email
  • Smishing: SMS/text message
  • Vishing: Phone, robocall, voicemail, voice over internet protocol (VoIP)

Phishing is a method of cyberattack that attempts to trick victims into clicking on fraudulent links in emails. The link typically takes the victim to a seemingly legitimate form that asks them to type in their usernames, passwords, account numbers or other private information. This information is then sent directly to scammers, and the victim may be none the wiser.

For example, an email may state that your bank account has been locked and requests that you click a link to regain access. In truth, that link will lead to a fraudulent form that simply collects your information, such as your online banking username and password. The scammers can then log in to your account and steal your money.

Smishing is a kind of fraud similar to phishing, except that it comes in the form of a text message. A smishing text will often contain a fraudulent link that takes victims to a form that's used to steal their information. The link may also download malware such as viruses, ransomware, spyware or adware onto the victim's device.

These smishing text messages may appear to be urgent requests sent from a bank or parcel delivery service, for example. They may claim that there's been a large withdrawal from your bank account, or that you need to track a missing package. It can be easy to fall for this scam if you think you must take quick action to solve an urgent problem.

Fraudulent calls or voicemails fall under the category of "vishing." Scammers call potential victims, often using prerecorded robocalls, pretending to be a legitimate company to solicit personal information from a victim.

Perhaps you get a call about your car's extended warranty. If you answer this call and get connected to an alleged agent, you may be asked to provide information such as:

  • First and last name
  • Address
  • Driver's license number
  • Social Security number
  • Credit card information

Some scammers may also record your voice and ask a question you're likely to answer with "Yes." They can then use this recording to pretend to be you on the phone to authorize charges or access your financial accounts.

To avoid becoming a victim of phishing, smishing or vishing, there are a few rules you can follow. These can protect you directly from scams and reduce the likelihood you will be targeted in the first place.

  • Never click on links from someone you don't know. Go directly to the real website for the organization the communication purports to be from and check to see if the notification indicated in the email or text message is real.
  • Never give out personal information to someone who contacts you out of the blue. If they claim to represent a bank, government organization or company you already do business with, hang up and tell them you will call right back. Then go to the official website of the organization and call them at their official phone number to find out what's really going on.
  • Don't answer calls or texts from numbers you don't recognize. Even if you answer only intending to ask to be taken off the list, the scammers will note that you interacted with the call. This will likely increase the number of calls you get from scammers in general.

Scams are increasingly common, and many people become targets before they've even heard of phishing, smishing or vishing. In addition to the preventative steps above, it's important to be familiar with resources that can help you if your personal information is stolen.

  • Credit freeze: You can freeze your credit for free with all three national credit bureaus—Experian, TransUnion and Equifax. If you know a scammer has gotten hold of your private information, freezing your credit can prevent them from opening credit accounts in your name.
  • Personal privacy scan: You can find out if your personal info is out on the web with Experian's personal privacy scan. This checks for your information online and can help protect you from robocalls and other phishing attempts by showing you where your info is exposed.
  • Identity theft protection: For complete identity theft protection after you've been victimized by a scammer, Experian's IdentityWorks℠ provides a suite of tools that will help you keep tabs on your identity after a run-in with a scammer. Some of these tools include:
      • Dark web surveillance
      • Three-bureau credit monitoring
      • Payday & non-credit loan alerts
      • Change of address alerts
      • SSN monitoring
      • Financial account activity monitoring

While phishing, smishing and vishing scams are not likely to go away anytime soon, these are simple steps you can take to help protect yourself.

Phishing attacks have been around since the early days of the internet. Cybercriminals propagated the first phishing attacks in the mid-1990s, using the America Online (AOL) service to steal passwords and credit card information. While modern attacks use similar social engineering models, cybercriminals use more evolved tactics. At its core, phishing is an attack methodology that uses social engineering tactics to make a person take an action that is against their best interests. With a better understanding of the 14 types of phishing attacks and how to identify them, organizations can protect their users and data more effectively.

1. Email phishing

Also called “deception phishing,” email phishing is one of the most well-known attack types. Malicious actors send emails to users impersonating a known brand, leverage social engineering tactics to create a heightened sense of immediacy and then lead people to click on a link or download an asset.

The links traditionally go to malicious websites that either steal credentials or install malicious code, known as malware, on a user’s device. The downloads, usually PDFs, have malicious content stored in them that installs the malware once the user opens the document.

How to identify email phishing:

Most people recognize some of the primary indicators of a phishing email. However, for a quick refresher, some traditional things to look for when trying to mitigate risk include:

  • Legitimate information: Compare the message against real contact details for the organization being spoofed, then look for tell-tale signs such as misspellings or a sender email address with the wrong domain.
  • Malicious and benign code: Be aware of content designed to get past filters such as Exchange Online Protection (EOP), for example downloads or links whose domains are deliberately misspelled.
  • Shortened links: Do not click on any shortened links because these are used to fool Secure Email Gateways.
  • Fake brand logo: Review the message for any logos that look real because they may contain fake, malicious HTML attributes.
  • Little text: Ignore emails that have only an image and very little text because the image might be hiding malicious code.

2. HTTPS phishing

Hypertext Transfer Protocol Secure (HTTPS) is often considered a “safe” link to click because it encrypts the connection. Most legitimate organizations now use HTTPS instead of HTTP because it establishes legitimacy. However, cybercriminals now put HTTPS links into their phishing emails as well.

How to identify HTTPS phishing

While often part of an email phishing attack, this is a slightly nuanced approach. When trying to decide if a link is legitimate or not, consider:

  • Shortened link: Make sure that the link is in its original, long-tail format and shows all parts of the URL.
  • Hypertext: These are “clickable” links embedded into the text to hide the real URL. Hover over (or long-press) the link to reveal its destination before clicking, and compare it with the text shown.
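As an added example that is not part of the original article, the Python script below turns the indicators from the email phishing list and the HTTPS phishing list above (a sender domain that does not match the claimed brand, shortened links, hypertext whose visible text differs from its real destination, and image-only bodies) into heuristic checks and runs them over constructed messages. The brand-to-domain table, the shortener list and the three sample messages are assumptions made for the demonstration, not data from the page.

```python
# Heuristic checks for the email-phishing indicators listed above.
# Added example, not code from the original article; the sample messages,
# the brand-to-domain table and the shortener list are all constructed.
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: brand names attackers spoof -> domains that brand really sends from.
BRAND_DOMAINS = {"examplebank": {"examplebank.com"}}
# Public URL shorteners, which hide the real destination from the reader.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


class BodyScanner(HTMLParser):
    """Collects [href, anchor text] per <a>, counts <img>, gathers visible text."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.text = [], 0, ""
        self._in_anchor = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append([attrs["href"], ""])
            self._in_anchor = True
        elif tag == "img":
            self.images += 1

    def handle_data(self, data):
        self.text += data
        if self._in_anchor and self.links:
            self.links[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False


def host_of(url):
    return (urlparse(url.strip()).hostname or "").lower()


def check_message(raw):
    """Return the sorted indicator names that fire for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = set()

    # Sender check: display name claims a brand but the address domain is not
    # one the brand uses (lookalike such as examp1ebank-notify.com).
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    claimed = display.lower().replace(" ", "")
    for brand, domains in BRAND_DOMAINS.items():
        if brand in claimed and sender_domain not in domains:
            findings.add("sender-domain-mismatch")

    # Single-part HTML body for simplicity (multipart mail would use msg.walk()).
    if msg.get_content_type() == "text/html":
        scanner = BodyScanner()
        scanner.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
        for href, anchor in scanner.links:
            target = host_of(href)
            if target in SHORTENERS:                      # "Shortened links"
                findings.add("shortened-link")
            # "Hypertext": the visible text is a URL, but the href goes elsewhere.
            if anchor.strip().startswith(("http://", "https://")) and host_of(anchor) != target:
                findings.add("hypertext-hides-real-url")
        if scanner.images and len(scanner.text.strip()) < 40:   # "Little text"
            findings.add("image-only-body")
    return sorted(findings)


# Constructed sample messages (not real mail).
PHISH = """\
From: "Example Bank Security" <alerts@examp1ebank-notify.com>
Subject: Your account has been locked
Content-Type: text/html; charset="utf-8"

<html><body><img src="https://cdn.example.net/logo.png" alt="Example Bank">
<p>Your account is locked. Restore access at
<a href="https://bit.ly/3xyz">https://www.examplebank.com/restore</a></p></body></html>
"""

IMAGE_ONLY = """\
From: "Example Bank" <alerts@examplebank.com>
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://tinyurl.com/offer"><img src="cid:offer"></a></body></html>
"""

LEGIT = """\
From: "Example Bank" <alerts@examplebank.com>
Content-Type: text/html; charset="utf-8"

<html><body><p>Your monthly statement is ready. Sign in at
<a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a>
to view it.</p></body></html>
"""
```

Calling `check_message(PHISH)` reports all three of the sender, shortener and hypertext indicators, `check_message(IMAGE_ONLY)` reports the shortener and image-only indicators, and `check_message(LEGIT)` reports nothing. The hypertext check is the programmatic form of hovering over a link: the host in the visible text is compared with the host in the href. An https:// scheme is deliberately not treated as a pass, since the article itself notes that attackers use HTTPS links too.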

3. Spear phishing

Although spear phishing uses email, it takes a more targeted approach. Cybercriminals start by using open source intelligence (OSINT) to gather information from published or publicly available sources like social media or a company’s website. Then, they target specific individuals within the organization using real names, job functions, or work telephone numbers to make the recipient think the email is from someone else inside the organization. Ultimately, because the recipient believes this is an internal request, the person takes the action mentioned in the email.

How to identify spear phishing:

  • Abnormal request: Look out for internal requests that come from people in other departments or seem out of the ordinary considering job function.
  • Shared drive links: Be wary of links to documents stored on shared drives like Google Suite, O365, and Dropbox because these can redirect to a fake, malicious website.
  • Password-protected documents: Any documents that require a user login ID and password may be an attempt to steal credentials.

4. Whaling/CEO fraud

Another type of corporate phishing that leverages OSINT is whale phishing, also called whaling or CEO fraud. Malicious actors use social media or the corporate website to find the name of the organization’s CEO or another senior leadership member. They then impersonate that person using a similar email address. The email might ask for a money transfer or request that the recipient review a document.

How to identify CEO fraud:

  • Abnormal request: If a senior leadership member has never made contact before, be wary of taking the requested action.
  • Recipient email: Since many people use email applications that combine all their email addresses in one inbox, make sure that any request that appears normal was sent to a work email address, not a personal one.

5. Vishing

Voice phishing, or “vishing,” happens when a cybercriminal calls a phone number and creates a heightened sense of urgency that makes a person take an action against their best interests. These calls normally occur around stressful times. For example, many people receive fake phone calls from people purporting to be the Internal Revenue Service (IRS) during tax season, indicating that they want to do an audit and need a social security number. Because the call creates a sense of panic and urgency, the recipient can be tricked into giving away personal information.

How to identify vishing:

  • Caller number: The number might be from an unusual location or blocked.
  • Timing: The call’s timing coincides with a season or event that causes stress.
  • Requested action: The call requests personal information that seems unusual for the type of caller.
  • Unexpected call: When there are other, more established methods of communication, a call from even a known number or area code should be treated with a dose of suspicion.

6. Smishing

Malicious actors often apply similar tactics to different types of technologies. Smishing is sending texts that request a person take an action. These are the next evolution of vishing. Often, the text will include a link that, when clicked, installs malware on the user’s device.

How to identify smishing:

  • Delivery status change: A text asking the recipient to take action to change a delivery will include a link. Instead of tapping it, look for the corresponding email or go directly to the delivery service's website to check the status.
  • Abnormal area code: Review the area code and compare it to your contacts list before responding to a text or taking a suggested action.

7. Angler phishing

As malicious actors move between attack vectors, social media has become another popular location for phishing attacks. Similar to both vishing and smishing, angler phishing is when a cybercriminal uses notifications or direct messaging features in a social media application to entice someone into taking action.

How to identify angler phishing:

  • Notifications: Be wary of notifications that indicate being added to a post because these can include links that drive recipients to malicious websites.
  • Abnormal direct messages: Be on the lookout for direct messages from people who rarely use the feature since the account might be spoofed, or fraudulently recreated.
  • Links to websites: Never click a link in a direct message, even if it looks legitimate, unless the sender regularly shares interesting links this way.

8. Pharming

Pharming is more technical and often more difficult to detect. The malicious actors hijack a Domain Name System (DNS) server, the server that translates human-readable domain names into IP addresses. Then, when a user types in the website address, the hijacked DNS server redirects the user to a malicious website’s IP address that might look real.

How to identify pharming:

  • Insecure website: Look for a website that is HTTP, not HTTPS, and do not click past a browser certificate warning.
  • Website inconsistencies: Be aware of any inconsistencies that indicate a fake website, including mismatched colors, misspellings, or strange fonts.

9. Pop-up phishing

Although most people use pop-up blockers, pop-up phishing is still a risk. Malicious actors can place malicious code in the small notification boxes, called pop-ups, that show up when people go to websites. The newer version of pop-up phishing uses the web browser’s “notifications” feature. For example, when a person visits a website, the browser prompts the person with “www.thisisabadlifechoice.com wants to show notifications.” When the user clicks “Allow,” the pop-up installs malicious code.

How to identify pop-up phishing:

  • Irregularities: Review for spelling errors or abnormal color schemes.
  • Shift to full-screen mode: Malicious pop-ups can turn a browser to full-screen mode so any automatic change in screen size might be an indicator.

10. Clone phishing

Another targeted email phishing attack, clone phishing, leverages services that someone has previously used to trigger the adverse action. Malicious actors know most of the business applications that require people to click links as part of their daily activities. They will often research what types of services an organization uses regularly, then send targeted emails that appear to come from these services. For example, many organizations use DocuSign to send and receive electronic contracts, so malicious actors might create fake emails for this service.

How to identify clone phishing:

  • Abnormal timing: Be wary of any unexpected email from a service provider, even one that is part of normal daily job function.
  • Personal information: Look out for emails requesting personal information that the service provider never asks for.

11. Man-in-the-middle (MTM) attacks

A man-in-the-middle phishing attack occurs when the cybercriminal gets in “the middle” of two sources, and tries to steal data or information that is shared between the two users. This can be anything from personal information to accounting details to payment credentials.

How to identify a man-in-the-middle attack:

MTM phishing attacks can be identified or detected by using deep flow inspection (DFI) and deep packet inspection (DPI) as part of network monitoring. These two types of inspection give network security monitors packet size and length information, which can be used to help identify unusual network traffic across your organization.

12. Evil twin

An evil twin phishing attack uses a fake WiFi hotspot, often making it look legitimate, that might intercept data during transfer. If someone uses the fake hotspot, the malicious actors can engage in man-in-the-middle or eavesdropping attacks. This allows them to collect data like login credentials or sensitive information transferred across the connection.

How to identify an evil twin phishing attack:

  • “Unsecure”: Be wary of any hotspot that triggers an “unsecure” warning on a device even if it looks familiar.
  • Requires login: Any hotspot that normally does not require a login credential but suddenly prompts for one is suspicious.

13. Watering hole phishing

Another sophisticated phishing attack, watering hole phishing starts with malicious actors researching the websites a company’s employees visit often, then compromising those sites to host malicious code or downloads. These can be websites that provide industry news or third-party vendors’ websites. When the user visits the website, they download the malicious code.

How to identify watering hole phishing:

  • Pay attention to browser alerts: If a browser indicates that a site might have malicious code, do not continue through to the website, even if it’s one normally used.
  • Monitor firewall rules: Ensure that firewall rules are continuously updated and monitored to prevent inbound traffic from a compromised website.

14. Search engine phishing

Search engine phishing is when a cybercriminal creates a fake product to target users while they are searching the web. If a user falls victim to this type of phishing attack and decides to try and purchase these products, a cybercriminal then has the opportunity to access sensitive information given by the user during the checkout process.

How to identify search engine phishing

It can be hard to identify if you are being targeted by a cybercriminal with search engine phishing. However, search engine phishing often displays discounts, giveaways, employment opportunities, etc., which are often too good to be true. To best avoid and identify these types of phishing attacks, be cautious of products that are hard to find or unreasonably cheap.

Recent examples of a phishing attack

Recently, cybercriminals have been using phishing attacks against Twitter users seeking verification for their accounts (i.e., the blue checkmark). Verified accounts are designed to confirm the identity of the user behind the account and are most commonly held by celebrities, influencers, politicians, etc.

However, a recent report has found that cybercriminals are using the incentive to become verified to trick users into giving out sensitive information, using email phishing as their number one tactic. For example, once a cybercriminal identifies a user that is trying to receive Twitter account verification, they send a phishing email to the user saying that there was a problem with their request and that they need to “Check Notifications” to confirm their account details. If the user falls victim to this and clicks on the malicious link, the user is then sent to a non-secure website, created by the cybercriminal. From there, cybercriminals have full access to any information the user enters on that site.

How to prevent a phishing attack

Although phishing starts with social engineering tactics, some newer methodologies can be difficult for users to detect. Taking multiple steps to prevent malicious actors from successfully infiltrating systems, networks, and software can mitigate phishing risks.

Train your employees

The first line of defense is ensuring that employees have the training necessary to protect information. As malicious actors evolve their methodologies, you should provide training that goes beyond the traditional “phishing emails” approach. Any phishing awareness training should also include newer methodologies, like watering hole phishing attacks.

Use email filters

Although normally associated with “spam filters,” email filters can also scan for additional risks indicating an attempted phishing attack. For example, cybercriminals often hide malicious code in a PDF’s active content or the coding that enables things like readability and editability. Finding the right email filtering solution can help reduce the number of risky phishing emails that make it through to users.

Install website alerts in browsers

Protecting against malicious websites is more important than ever. Recognizing that organizations are filtering emails more purposefully, cybercriminals now target website code. Make sure that end-users’ browsers alert them to potentially risky websites.

Limit access to the internet

Using access control lists (ACLs) is another way to mitigate the risks arising from malicious websites. You can create access controls for your networks that “deny all” access to certain websites and web-based applications.

Require multi-factor authentication

Since malicious actors often look to steal user credentials, requiring multi-factor authentication can mitigate this risk. You want to require users to provide two or more of the following every time they log into your networks, systems, and applications:

  • Something they know: a password or passphrase
  • Something they have: a device or token (an authentication application on a device, a keycard, or a code texted to a smartphone)
  • Something they are: a biometric (a fingerprint or facial ID)
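The following Python module, added here as an example and not taken from the original article, shows the server side of a "something they have" factor: verifying a time-based one-time password (TOTP, RFC 6238) from an authenticator app. It accepts a code within a small clock-drift window, compares in constant time, and refuses to accept the same code twice. The shared secret is the public RFC 4226/6238 test-vector secret and the timestamps are constructed for the demonstration.

```python
# Server-side check of a "something they have" factor: a time-based one-time
# password (TOTP, RFC 6238) produced by an authenticator app.
# Added example, not code from the original article. SECRET is the RFC 4226 /
# RFC 6238 test-vector secret; the timestamps used below are constructed.
import hashlib
import hmac
import struct
import time

STEP = 30        # seconds per time step (the common default)
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, now=None):
    """Code for the current 30-second step (what the user's app displays)."""
    now = int(time.time()) if now is None else int(now)
    return hotp(secret, now // STEP)


def verify_totp(secret, submitted, now=None, window=1, last_counter=-1):
    """Return the counter the code matched, or None.

    window: steps of clock drift tolerated either side of 'now'.
    last_counter: highest counter already accepted for this user; any code at
    or before it is rejected so a code captured once cannot be replayed.
    """
    now = int(time.time()) if now is None else int(now)
    current = now // STEP
    submitted = submitted.replace(" ", "")
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


SECRET = b"12345678901234567890"   # RFC test-vector secret; never reuse in production


def demo():
    """Walk through display -> verify -> replay with constructed timestamps."""
    last = -1
    code = totp(SECRET, now=59)                                    # step 1 -> "287082"
    first = verify_totp(SECRET, code, now=89, last_counter=last)   # next step, inside drift window
    last = first if first is not None else last
    replay = verify_totp(SECRET, code, now=95, last_counter=last)  # same code again -> rejected
    return code, first, replay
```

`demo()` returns `("287082", 1, None)`: the code is accepted once and the replay is refused. Two practitioner caveats the factor list above does not spell out: the accepted counter must be stored per user or the replay check is meaningless, and a code that a user types into a phishing page can be relayed to the real site within its 30-second step, so TOTP and texted codes raise the bar but do not remove the risk; authenticators bound to the site origin (FIDO2/WebAuthn) are the phishing-resistant option.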

Monitor for and take down fake websites

Organizations in highly targeted industries, like financial services and healthcare, often use companies that can monitor for and spend time taking down spoofed versions of their websites. This is a way to stop employees and customers who click on a malicious link from handing cybercriminals their login credentials.

Install security patch updates regularly

Many phishing attacks exploit common vulnerabilities and exposures (CVEs), or known security weaknesses. To prevent this, make sure to regularly install security updates that respond to these known risks.

Set regular data backup

Often, phishing attacks leave behind malware, which can also include ransomware. To mitigate the impact that ransomware can have on your organization’s productivity, create a robust data backup program that follows the 3-2-1 method of 3 copies of data, on 2 different media, with 1 being offsite.

Phishing attacks FAQs

What are phishing attacks?

Phishing attacks are a methodology that uses social engineering tactics to make a person take an action that is against their best interests.

What is a whaling attack?

A whaling attack is a method used by attackers to disguise themselves as senior executives at an organization with the goal of gaining access to sensitive information and computer systems for criminal purposes.

What is email phishing?

Email phishing is when cybercriminals send emails to users impersonating a known brand to create a heightened sense of immediacy and then lead people to click on a link or download an asset.

How do you prevent a phishing attack?

To best prevent a phishing attack on your business, you must:

  • Train your employees
  • Monitor for and take down fake websites
  • Require multi-factor authentication
  • Install website alerts in browsers
  • Limit access to the internet
  • Use email filters
  • Set regular data backup

SecurityScorecard: Promoting resiliency by monitoring risk

SecurityScorecard’s platform provides easy-to-read security ratings using an A-F system. We monitor across ten categories of risk, including DNS health, patching cadence, web application security, information leaks, and social engineering. Our platform uses publicly available information for a non-intrusive approach to monitoring the security posture of your organization and its supply chain.

With SecurityScorecard’s platform, you can gain insight into potential security weaknesses that can make phishing attacks successful.
