15 July 2024Nouv
5 months ago

Phishing attempts remain at a constant increase year after year.  

According to Verizon’s 2020 Data Breach Investigations Report (DBIR), 22% of breaches in 2019 involved phishing; Proofpoint’s 2019 State of the Phish Report shows that in 2018, 83% of data security professionals reported attacks – a 7% increase from the previous year.  

One route through which phishing risks may reach your organisation is via malicious websites disguised as legitimate ones. There are several types of such malicious sites. Some of these include: 

1. Pharming or DNS cache poisoning 

Pharming attacks involve redirecting a website’s traffic to another malicious site that impersonates it, by exploiting security vulnerabilities in the legit system then matching the domain names. In simpler English: hackers, after identifying security vulnerabilities on a bank’s website, can install malicious scripts so when you enter the URL, you are redirected to another link which is used to steal your information. 

2. Typosquatting or URL hijacking 

These are spoofed website URLs that look authentic and genuine but are different from the original websites they impersonate. They depend on users’ typing errors of website URLs. For example, they might: 

  • Deliberately misspell the URL copied from authentic websites; 
  • Use similar letters on the keyboard, (e.g. ‘n’ instead of ‘m’); 
  • Swap two letters; or 
  • Add another letter or alphabet. 

3. Clickjacking/User Interface redressing or iframe overlay 

Cybercriminals are also using multiple transparent layers to embed malicious clickable content over legitimate buttons. For instance, an online buyer may be tricked into thinking they are clicking on a button to make a purchase, whereas they would be triggering a link to download malware. 

4. Tabnabbing & reverse tabnabbing 

In these kinds of attacks, unattended browser tabs are rewritten and linked to malicious websites. Unsuspecting users often click on the tab thinking it is a legitimate link on their browser. 

5. Targeted phishing attacks 

Most emails containing phishing links are sent to thousands of people at random. The hackers rely on the sheer number of mails to be successful. The more emails sent, the higher the chance of someone falling victim to clicking their malicious links. In some cases, hackers may intentionally target individuals or organisations. 

Types of such targeted phishing attacks include: 

i) Clone phishing: In this type of attack, a copy of a legitimate email already delivered is used by hackers, often with the subject starting with something like “RE: MY RESUME”. These kinds of emails are sent from spoof addresses resembling that of the original sender. Such emails usually have different attachments or links that have been modified. Most people would open such emails as they recognize a familiarity in the subject line and the contents of their emails. 

ii) Whaling (CEO fraud): This kind of spear phishing is targeted at high-profile individuals. They could be board members or financial managers. It’s a much tougher process, but the rewards are greater. CEOs and highly placed executives have more critical data than junior staff. In addition, access to a senior employee can pave the way for carrying out business email compromise (BEC) attacks. 

iii) BEC (business email compromise): These phishing emails are supposedly for “urgent” requests sent to junior workers from the top-level people, such as CEO or CFO. Attackers use social engineering tactics to convince junior staff members into sending money or disclosing business information. 

Keeping oneself informed on latest phishing techniques, and training the workforce on these risks is the first, biggest step to anticipating and bracing your organization for any impending digital impact. To summarize, in the words of Sun Tzu: If you know the enemy and know yourself, you need not fear the result of a hundred battles. 

SIMILAR POSTS

NOUV Validated as Official Qualified Security Assessor Company

NOUV Launches New PCI Services in Europe and beyond. NOUV has recently been recognised as an official Qualified Security Assessor……

21 October 2024 • 2 months ago

Five Government Agencies Attend Getgovernanz’s First Due Diligence Course

“The fact that this first course was delivered to a number of government agencies sends a very positive message to……

15 July 2024 • 5 months ago

Making the shift from HR Departments to Human Capital Departments

Human Resources departments are unfortunately often seen as neither human nor resourceful. They are frequently viewed as a department to……

15 July 2024 • 5 months ago

How do I know when to use business intelligence for my business?

Let’s start with a cheeky Google search on a layman’s definition for Business Intelligence (from here on in, simply BI).   It’s……

15 July 2024 • 5 months ago

Let's discuss

We work with ambitious leaders who want to define the future, not hide from it. Together, we achieve extraordinary outcomes.

0
    0
    CART
    Your cart is emptyReturn to Course