Which kind of phishing attack is targeted phishing?

Spear-phishing is a type of phishing attack that targets specific individuals or organizations, typically through malicious emails. The goal of spear phishing is to steal sensitive information such as login credentials or to infect the target's device with malware.

Spear phishers carefully research their targets so that the message appears to come from a sender the target already trusts. A spear phishing email uses social engineering techniques to urge the victim to click a malicious link or open a malicious attachment. Once the victim completes the intended action, the attacker can capture the credentials of a legitimate user and use them to enter the network without raising alarms.

Spear-phishing vs Phishing vs Whaling

The sections below highlight the differences between phishing, spear-phishing, and whaling.

Phishing attacks prioritize quantity. The messaging in phishing emails, texts or phone calls is generic and sent to a large group of individuals or organizations in the hope of increasing the chance of "catching" a victim. Phishing attacks via phone calls are often called vishing (voice phishing). Attacks via text messages are known as smishing (SMS phishing).


Spear-Phishing

Spear-phishing attacks prioritize quality. Spear-phishing emails, texts or phone calls are highly personalized for a specific organization or individual. Spear-phishing attacks are more likely to deceive potential victims due to the amount of research and time spent personalizing messages that appear to be from legitimate senders.


Whaling

A whaling attack prioritizes C-level targets. Whaling uses the same personalized strategy as spear-phishing, except that attackers specifically target senior management in order to obtain financial and confidential information. Because these individuals hold more valuable data and greater authority (for example, to approve payments), compromising one of them can magnify the damage inflicted on an organization.


How a Spear-Phishing Attack Works

The personalized nature of spear phishing attacks is what makes them dangerous and easy to fall for. Hackers use reconnaissance methods in their research so they can increase the likelihood of a successful attack. 

Spear phishers frequent social media sites like Facebook and LinkedIn to gather personal information about their target. They can also map out their target's network of personal and professional contacts, which gives them more context for crafting a trustworthy message. More sophisticated attackers may also use machine learning to sift through large amounts of public data and identify the high-level individuals they most want to target.

Equipped with this personal data, spear phishers can then craft a seemingly legitimate email that grabs the target's attention. Many people let their guard down because the message is personalized and don't think twice before clicking a link or downloading an attachment. This mistake can lead to serious consequences such as stolen personal information or a malware infection.


Prevention Tips

Here are some common red flags of a spear phishing attempt:

  • Unusual sense of urgency
  • Sender address that does not match the claimed sender
  • Spelling or grammar mistakes
  • Requests for sensitive information
  • Links whose destination does not match the displayed domain
  • Unsolicited attachments
  • Attempts to panic the recipient

Security awareness training is fundamental in preventing any type of phishing attack, especially when many users are working from home. But even the best-trained and most security-conscious employees will occasionally click on a malicious link, either because they were in a hurry or it was very convincing.

Check Point Research released the Brand Phishing Report for Q3 2020, which provides data about phishing attacks that attempt to imitate well-known brands.

According to the report, email phishing was the most common type of branded phishing attacks, accounting for 44% of attacks, and web phishing was a close second. The brands most commonly used by attackers in fake phishing messages were Microsoft, DHL, and Apple.

Here are two examples of recent phishing attacks, discovered by Check Point researchers.

Attempt to steal credentials for Microsoft accounts:

In August 2020, attackers sent phishing emails attempting to steal Microsoft account credentials. The messages attempted to trick the victim into clicking a malicious link that redirected to a fake Microsoft login page.

Amazon phishing email attempts to steal credit card information:

In September 2020, attackers sent a phishing email, which appeared to be from Amazon, attempting to steal user credit card information. The email claimed that the user’s account was deactivated due to too many login failures, and linked to a fake Amazon Billing Center website, which instructed the user to re-enter their payment information.

How Phishing Works

The basic element of a phishing attack is a message, sent by email, social media, or other electronic communication means.

A phisher may use public resources, especially social networks, to collect background information about the personal and work experience of their victim. These sources are used to gather information such as the potential victim’s name, job title, and email address, as well as interests and activities. The phisher can then use this information to create a reliable fake message.

Typically, the emails the victim receives appear to come from a known contact or organization. Attacks are carried out through malicious attachments or links to malicious websites. Attackers often set up fake websites, which appear to be owned by a trusted entity like the victim’s bank, workplace, or university. Via these websites, attackers attempt to collect private information like usernames and passwords, or payment information.

Some phishing emails can be identified due to poor copywriting and improper use of fonts, logos, and layouts. However, many cybercriminals are becoming more sophisticated at creating authentic-looking messages, and are using professional marketing techniques to test and improve the effectiveness of their emails.

5 Types of Phishing Attacks

Email Phishing

Most phishing attacks are sent via email. Attackers typically register fake domain names that mimic real organizations and send thousands of common requests to victims.

For fake domains, attackers may add or replace characters (e.g. my-bank.com instead of mybank.com), use subdomains so the trusted name appears first (e.g. mybank.host.com), or use the trusted organization's name as the username part of an address at an unrelated domain, so that only the part before the @ looks legitimate.

Many phishing emails use a sense of urgency, or a threat, to cause a user to comply quickly without checking the source or authenticity of the email.

Email phishing messages have one of the following goals:

  • Causing the user to click a link to a malicious website, in order to install malware on their device.
  • Causing the user to download an infected file, which is then used to deploy malware.
  • Causing the user to click a link to a fake website and submit personal data.
  • Causing the user to reply and provide personal data.

Spear Phishing

Spear phishing includes malicious emails sent to specific people. The attacker typically already has some or all of the following information about the victim:

  • Name
  • Place of employment
  • Job title
  • Email address
  • Specific information about their job role
  • Trusted colleagues, family members, or other contacts, and samples of their writing

This information helps increase the effectiveness of phishing emails and manipulate victims into performing tasks and activities, such as transferring money.

Whaling

Whaling attacks target senior management and other highly privileged roles. The ultimate goal of whaling is the same as other types of phishing attacks, but the technique is often very subtle. Senior employees commonly have a lot of information in the public domain, and attackers can use this information to craft highly effective attacks.

Often these attacks do not rely on obvious tricks like malicious URLs and fake links. Instead, they leverage highly personalized messages built from information the attacker discovered while researching the victim. For example, whaling attackers commonly use bogus requests for tax documents to obtain sensitive data about the victim or the organization, and then use it to craft the next stage of the attack.

Smishing and Vishing

These are phishing attacks that use a phone rather than email. Smishing involves sending fraudulent SMS messages, while vishing involves voice calls.

In a typical voice phishing scam, an attacker pretends to be a fraud investigator for a credit card company or bank and informs the victim that their account has been breached. The criminal then asks the victim to provide payment card information, supposedly to verify their identity, or to transfer money to a "secure" account (which is really the attacker's).

Vishing scams may also involve automated phone calls pretending to be from a trusted entity, asking the victim to type personal details using their phone keypad.

Angler Phishing

These attacks use fake social media accounts belonging to well known organizations. The attacker uses an account handle that mimics a legitimate organization (e.g. “@pizzahutcustomercare”) and uses the same profile picture as the real company account.

Attackers take advantage of consumers’ tendency to make complaints and request assistance from brands using social media channels. However, instead of contacting the real brand, the consumer contacts the attacker’s fake social account.

When attackers receive such a request, they might ask the customer to provide personal information so that they can identify the problem and respond appropriately. In other cases, the attacker provides a link to a fake customer support page, which is actually a malicious website.

What are the Signs of Phishing?

Threats or a Sense of Urgency

Emails that threaten negative consequences should always be treated with skepticism. Another strategy is to use urgency to encourage or demand immediate action. Phishers hope that a recipient reading the email in a hurry will not scrutinize the content thoroughly and will not notice its inconsistencies.

Message Style

An immediate indication of phishing is that a message is written with inappropriate language or tone. If, for example, a colleague from work sounds overly casual, or a close friend uses formal language, this should trigger suspicion. Recipients of the message should check for anything else that could indicate a phishing message.

Unusual Requests

If an email requires you to perform non-standard actions, it could indicate that the email is malicious. For example, if an email claims to be from a specific IT team and asks for software to be installed, but these activities are usually handled centrally by the IT department, the email is probably malicious.

Linguistic Errors

Misspellings and grammatical misuse are another sign of phishing emails. Most companies have set up spell checking in their email clients for outgoing emails. Therefore, emails with spelling or grammatical errors should raise suspicion, as they may not originate from the claimed source.

Inconsistencies in Web Addresses

Another easy way to identify potential phishing attacks is to look for mismatched email addresses, links, and domain names. For example, compare the sender's email address against previous legitimate communications from the same contact or organization.

Recipients should always hover over a link in an email before clicking it, to see the actual link destination. If the email claims to be from Bank of America, the registrable domain of the sender's address and of every link should be exactly "bankofamerica.com". Merely checking whether the address "contains" the brand name is not enough: an address such as alerts@bankofamerica.com.example.net contains the string but belongs to example.net, because the part of a hostname that identifies the owner is the label immediately before the public suffix (.com, .net, and so on), not the leftmost label.
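The checks described here and in the "Email Phishing" section above (added characters, the trusted name used as a subdomain, and the difference between "contains the domain" and "is the domain") can be automated over a parsed message. The following is an added example written for this page, not code from the original article or from any vendor it mentions. It assumes the email has already been parsed into a From header and a list of (anchor text, href) pairs, and it approximates the registrable domain as the last two DNS labels, which is wrong for suffixes like co.uk; a production tool would use the Public Suffix List. The sample sender and links are constructed.

```python
"""Lookalike-domain and link-mismatch checks for a parsed phishing email.

Added example for this page; not vendor code. Assumptions:
- the message is already parsed into a From header and (anchor text, href) pairs;
- registrable domain ~= last two labels (wrong for co.uk etc.; use the Public
  Suffix List in real tooling).
"""
import re
from urllib.parse import urlparse

# Constructed sample input: a message pretending to come from Bank of America.
SAMPLE_SENDER = "Bank of America Alerts <alerts@bankofamerica.com.secure-login.net>"
SAMPLE_LINKS = [
    ("https://www.bankofamerica.com/login", "http://bank0famerica.com/verify"),
    ("Billing Center", "https://bankofamerica.host-example.net/billing"),
    ("Help", "https://www.bankofamerica.com/help"),
]
TRUSTED_DOMAINS = {"bankofamerica.com"}


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (simplifying assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url: str) -> str:
    """Hostname of a URL; bare hostnames are accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def sender_address(header: str) -> str:
    """Pull the address out of 'Display Name <addr>' or return the header as-is."""
    m = re.search(r"<([^>]+)>", header)
    return (m.group(1) if m else header).strip().lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch bank0famerica / my-bank style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def naive_contains_check(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """The weak 'does the address contain the domain' test; passes on embedded domains."""
    return any(t in host.lower() for t in trusted)


def classify_host(host: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted' only when the registrable domain matches exactly."""
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    labels = host.lower().split(".")
    for t in trusted:
        brand = t.split(".")[0]
        if t in host.lower():            # bankofamerica.com.secure-login.net
            return "trusted-domain-embedded"
        if brand in labels[:-2]:         # bankofamerica.host-example.net
            return "trusted-name-as-subdomain"
        if edit_distance(reg.split(".")[0], brand) <= 2:   # bank0famerica.com
            return "lookalike"
    return "unrelated"


def check_email(sender_header: str, links, trusted=TRUSTED_DOMAINS):
    """Return (what, where, verdict) findings for the sender and every link."""
    findings = []
    sender_domain = sender_address(sender_header).split("@")[-1]
    verdict = classify_host(sender_domain, trusted)
    if verdict != "trusted":
        findings.append(("sender", sender_domain, verdict))
    for text, href in links:
        href_host = host_of(href)
        verdict = classify_host(href_host, trusted)
        if verdict != "trusted":
            findings.append(("link", href_host, verdict))
        # Anchor text that looks like a URL but resolves to a different registrable domain.
        if "." in text and " " not in text:
            text_host = host_of(text)
            if text_host and registrable_domain(text_host) != registrable_domain(href_host):
                findings.append(("anchor-mismatch", f"{text_host} -> {href_host}", "mismatch"))
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_SENDER, SAMPLE_LINKS):
        print(finding)
```

Run against the constructed sample, the sender is flagged as an embedded trusted domain even though naive_contains_check() would accept it, the first link is flagged twice (a one-character lookalike host, plus anchor text that claims www.bankofamerica.com while pointing elsewhere), and the second link is flagged for using the brand as a subdomain of an unrelated domain. Only the third link, whose registrable domain is exactly bankofamerica.com, passes.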

Request for Credentials, Payment Information or Other Personal Details

In many phishing emails, attackers create fake login pages linked from emails that appear to be official. The fake login page typically has a login box or a request for financial account information. If the email is unexpected, the recipient should not enter login credentials or click the link. As a precaution, recipients should directly visit the website they think is the source of the email.

5 Ways to Protect Your Organization from Phishing Attacks

Here are a few ways your organization can reduce the risk of phishing attacks.

Employee Awareness Training

It is paramount to train employees to understand phishing strategies, identify signs of phishing, and report suspicious incidents to the security team.

Employees should also be trained not to trust "security" badges or seals displayed on a web page as evidence that the site is genuine: a badge is just an image that any phishing page can copy. What actually distinguishes a legitimate site is its domain name, so the training should emphasize checking the address bar and navigating to sensitive sites directly rather than through links in unexpected messages.

Deploy Email Security Solutions

Modern email filtering solutions can protect against malware and other malicious payloads in email messages. Solutions can detect emails that contain malicious links, attachments, spam content, and language that could suggest a phishing attack.

Email security solutions automatically block or quarantine suspicious emails and use sandboxing to "detonate" attachments and linked content in an isolated environment to check whether they contain malicious code.

Make Use of Endpoint Monitoring and Protection

The increasing use of cloud services and personal devices in the workplace has introduced many new endpoints that may not be fully protected. Security teams must assume that some endpoints will be compromised. It is therefore essential to monitor endpoints for security threats and to implement rapid response and remediation on compromised devices.

Conduct Phishing Attack Tests

Simulated phishing attack testing can help security teams evaluate the effectiveness of security awareness training programs, and help end users better understand attacks. Even if your employees are good at finding suspicious messages, they should be tested regularly to mimic real phishing attacks. The threat landscape continues to evolve, and cyber attack simulations must also evolve.

Limit User Access to High-Value Systems and Data

Most phishing methods are designed to trick human operators, and privileged user accounts are attractive targets for cybercriminals. Restricting access to systems and data can help protect sensitive data from leakage. Use the principle of least privilege and only give access to users who absolutely need it.

Which type of phishing attack is a targeted attack?

Spear phishing targets a specific group or type of individual such as a company's system administrator.

What is target phishing called?

Spear phishing is a phishing method that targets specific individuals or groups within an organization.

What are the 4 types of phishing?

Four common types of phishing attacks:

  • Spear Phishing
  • Whaling
  • Smishing
  • Vishing

Which type of phishing is smishing?

Smishing is a phishing cybersecurity attack carried out over mobile text messaging, also known as SMS phishing. As a variant of phishing, victims are deceived into giving sensitive information to a disguised attacker. SMS phishing can be assisted by malware or fraud websites.