Phishing scams are notorious for being one of the most effective ways for “threat actors” (or hackers) to steal valuable information. The motivation behind this type of attack is that it’s quick, easy, and can net a significant amount of money through very little effort.
Threat actors have used an ever-changing variety of phishing tactics, and those tactics are expected to keep growing more sophisticated. This is why it’s more important than ever to recognize these attacks and know how to avoid them.
In this article, we’ll take a look at some of the most popular social engineering scams today, as well as anti-phishing tips your business can use to stay protected.
Types of Phishing Scams
It’s a common misconception that phishing attempts to a business email will always relate to business, and threat actors know this. For example, if a CFO receives an email regarding cutting a check for something she doesn’t normally do, she will likely recognize it as a phishing attempt (or at least ask her colleagues). However, if she is a wildlife advocate, and receives an email at her business email about an upcoming local event regarding anti-poaching legislation, she is likely more apt to click on a button.
This tactic involves posing as an affiliate of a legitimate company, belief system, political party, etc. that the targeted person is connected to. For example, someone who has an interest in protecting wildlife may begin receiving messages from a fictitious conservation group claiming to have been targeted by poachers. Some of these messages may include links that, when clicked, will install malware onto the computer.
Business Email Compromise
Business Email Compromise is a type of scam in which a spoofed email (an email that has been manipulated to seem as if it came from a trusted source) is sent to an individual within the company asking for their help with a purchase order or invoice payment. The request then asks them to send payment or bank account information.
This attack is most commonly aimed at financial or accounting divisions of an organization, so it’s especially important to train individuals in those divisions about this type of phishing attempt and have procedures in place that help to prevent successful phishing attempts.
These are social engineering attacks delivered via phone calls or voicemails. The scammer uses spear phishing tactics to call employees or leave voicemails asking for money or information.
These are social engineering attacks delivered via text message. SMS offers attackers a faster and easier way to get people to click on malicious links, without having to worry about people reporting scam emails.
New Phishing Tactics from 2021
In recent years, phishing has shifted away from the traditional email scams in favor of more high-tech, low-effort attacks. Some of these new tactics include:
Crypto Payment Scams: This is a new spin on scams asking people to pay with cryptocurrency. An impersonator (acting as law enforcement, a utility company, etc.) calls and asks you to send money. They direct you to go to a store that has a cryptocurrency ATM and buy cryptocurrency. Once you’ve bought it, they send you a QR code with their address embedded in it, asking you to scan the code to transfer the cryptocurrency. Once you scan it, they’ve stolen your money.
Health/Vaccine-Related Scams: Many scammers are mimicking healthcare organizations, such as the CDC or NHS, to send emails discussing COVID-19 vaccines, testing, and other health-related information. They will include a malicious link under the guise that it will allow you to order a test or schedule a vaccine appointment.
IT Support Scams: With the vast number of remote employees in today’s business landscape, it’s no surprise this scam has gained traction. Scammers will impersonate an IT department or support personnel from a company such as Microsoft 365, requesting that someone fill out a form with their personal information in order to correct a software issue or update their account. Often, the scammer will include a malicious link in the email, which, when clicked, will give them access to your computer.
This scam may also come in the form of a fake invoice. For example, someone impersonating a Cisco support team member may send a link for you to click and pay for a service you never received. Often, finance departments may not be aware of all the bills incurred by other departments in the company, so they can be more susceptible to falling for this kind of phishing attempt.
Online Ordering Scams: The pandemic has caused a huge spike in online ordering, which scammers are using to exploit online shoppers. Phishers send “shipped” or “missed delivery” notifications via text or email with malicious links attached. These attacks often seem legitimate because most people are, in fact, expecting a delivery. They may also send requests to update payments, check account information, or view falsified order confirmations.
Security Measures to Protect Your Business
The best way to protect yourself against these types of cyber attacks is to stay informed and be proactive in your prevention techniques. Here are some tips for protecting your business against phishing attacks:
Basic Phishing Security Tips
- Implement MFA on all your accounts and devices and require the same for your employees. Multi-factor authentication is nearly 100% successful, as long as you never give out codes or other verification information to anyone.
- Never respond to any suspicious messages or requests for personal information. Sometimes scammers will use pressure tactics, such as threats of bringing down systems or changing account settings if you don’t comply.
- If the text or email is requesting verification of personal information, log into your account directly to determine whether information needs to be verified. Most legitimate companies will never ask you to send information via text or email. Many companies, including Amazon, even post information on their websites on exactly how to discern whether an email or call is really from them.
- Do not click on any links or attachments when you aren’t 100% sure who sent them.
Advanced Phishing Security Tips
- Monitor employee access and device usage, which includes monitoring cell phone text messages. This will give you or your IT company insight into what kinds of social engineering attacks are being used within your company.
- Implement email spam filtering, which can filter out suspicious URLs or attachments before they reach your inbox. Keep in mind, although Microsoft and Google provide some level of protection, it’s always wise to opt for an additional layer of spam filtering. For example, at AIS, we use Proofpoint to protect our clients’ inboxes.
- Keep all business data encrypted in a secure storage location (whether onsite or in the cloud). If a threat actor does penetrate your systems, your data won’t be readable.
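To make the spam-filtering tip above concrete, here is an added example (not AIS’s product and not Proofpoint’s logic) of the kind of heuristic checks a mail filter runs over a message before it reaches an inbox: a display name that borrows a brand the sending domain doesn’t belong to, a Reply-To that points somewhere other than the sender, link text that shows one domain while the href goes to another, risky attachment types, and pressure language. The brand-to-domain table and the three sample messages are constructed for this example; the `.example` domains are placeholders, not real senders.

```python
"""Heuristic phishing-indicator scanner for raw email messages.

Added example only: it is not AIS's tooling or any vendor's filter logic.
All domains, brand mappings, and messages below are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: brands whose names phishers borrow, and the domains they really send from.
KNOWN_BRANDS = {
    "microsoft": {"microsoft.com"},
    "amazon": {"amazon.com"},
    "cisco": {"cisco.com"},
}
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".iso", ".html", ".htm")
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|verify now)\b", re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}", re.I)


def registrable(host):
    """Crude 'last two labels' domain; adequate for the constructed samples."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def scan_message(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.partition("@")[2]) if "@" in addr else ""
    # 1. Display name claims a brand, but the sending domain is not that brand's.
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display.lower() and sender_domain not in domains:
            findings.append(f"display name '{display}' but sender domain '{sender_domain}'")

    # 2. Reply-To diverts replies to a different domain (common in BEC invoice scams).
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and registrable(reply.partition("@")[2]) != sender_domain:
        findings.append(f"Reply-To domain differs from From domain: {reply}")

    # 3. Walk the parts: collect body text, flag risky attachment names.
    body = ""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_content()

    # 4. Link text shows one domain while the href host is another.
    for href, text in ANCHOR_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        shown = DOMAIN_RE.search(text)
        if shown and registrable(shown.group(0)) != registrable(href_host):
            findings.append(f"link text '{shown.group(0)}' but href host '{href_host}'")

    # 5. Pressure language typical of phishing lures.
    if URGENCY.search(body):
        findings.append("urgency/pressure language")
    return findings


def is_suspicious(raw, threshold=2):
    """Quarantine-style verdict: two or more independent indicators."""
    return len(scan_message(raw)) >= threshold


# Constructed sample messages (not real mail).
PHISH = """\
From: "Microsoft 365 Support" <support@m365-helpdesk.example>
To: cfo@example.com
Subject: Action required: account update
Reply-To: helpdesk@other.example
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended. Verify now at
<a href="http://login.m365-helpdesk.example/verify">https://microsoft.com/account</a></p>
"""

BEC = """\
From: "Cisco Billing" <billing@cisco-invoices.example>
To: ap@example.com
Subject: Overdue invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please pay the attached invoice immediately to avoid service interruption.
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="invoice-4471.html"

<html><body>invoice</body></html>
--b1--
"""

LEGIT = """\
From: "Amazon" <ship-confirm@amazon.com>
To: cfo@example.com
Subject: Your order has shipped
Content-Type: text/html; charset="utf-8"

<p>Track your package at <a href="https://www.amazon.com/track/123">amazon.com</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("BEC", BEC), ("LEGIT", LEGIT)):
        print(label, is_suspicious(raw), scan_message(raw))
```

These checks are deliberately simple string heuristics; a production filter layers them on top of SPF, DKIM and DMARC results and URL reputation, and the `threshold` of two indicators is a tunable choice, not a standard.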
Security Awareness Training
Another one of our phishing tips to keep your business safe is to offer Security Awareness Training to train your staff to spot and avoid social engineering attacks. An IT provider can set your team up with advanced training tools to help you create a culture of cybersecurity within your company.
Security Awareness Training platforms engage employees in interactive training programs that can teach them how to recognize and address phishing attacks.
- Gamification with points and rewards to encourage positive participation
- Simulated phishing attacks based on current threats
- Quiz sessions to test comprehension
Security Training platforms help you monitor how employees are performing and get notifications for concerns you need to be aware of.
- Tracking and reporting for employees
- Account takeover monitoring that allows you to identify compromised accounts
- Instant notifications when company credentials are found on the dark web
These platforms also allow you to measure the effectiveness of training programs for your team and make improvements.
- Regular progress reviews of your cybersecurity training
- An overview of key metrics, such as employee participation, quiz scores, and phishing test results
How AIS Can Help You
At AIS, we offer comprehensive security solutions, including email spam filtering and Security Awareness Training, for businesses, so you can feel more confident about your security posture. We understand how important cybersecurity is to business owners, which is why our team of experts is dedicated to helping companies improve their online security. Contact us for a free consultation today!