Even though Cybersecurity Awareness month is coming to an end, it doesn’t mean that we should let our guard down and not be prepared. Knowing how to spot the signs of a cyberattack can go a long way in preventing someone from getting hold of your personal information and using it against you.
One of the most prevalent forms of infiltrating personal and corporate data is phishing. As recently seen at Uber, phishing is the fraudulent practice of sending emails, text messages, social media posts, or other communications that claim to be from reputable companies or individuals in order to trick readers into clicking on links that direct them to fraudulent websites. Once they land on the illegitimate site, the person can be unwittingly persuaded to divulge personal data, such as their username and password, credit card accounts and other sensitive information. In some cases, malware may be installed on the victim’s device.
In their Phishing Activity Trends Report for the 2nd Quarter 2022, the Anti-Phishing Working Group (APWG) observed that there were 1,097,811 total phishing attacks, a new record and the worst quarter for phishing that APWG has ever observed. Phishing is a growing menace to internet users, and the APWG is one of a number of data feeds that GoDaddy Registry utilize in our Registry Threat Mitigation Service (RTMS) platform to identify and action this, and many other types of threats.
Here are the main types of phishing attacks that users need to be aware of:
- Phishing: Where hackers impersonate a real company to obtain login credentials often via receiving an email asking for verification of account details with a link taking the user to an imposter login screen that delivers personal or even company information directly to the attackers.
- Spear Phishing: A more sophisticated phishing attack that includes customized information that makes the attacker seem like a legitimate source. For those in the workplace, they may use your name and phone number and refer to the user’s company in the email to trick you into thinking they have a connection to you, making you more likely to click a link or attachment that they provide.
- Whaling: A popular ploy aimed at getting the internet user to transfer money or send sensitive information to an attacker via email by impersonating a real company executive. Using a fake domain that appears similar to a well-known brand, they look like normal emails from a company, typically the CEO or CFO, and ask for sensitive information (including usernames and passwords).
- Shared Document Phishing: Here an email that appears to come from file-sharing sites like Dropbox, OneDrive or Google Drive alerts the internet user that a document has been shared with them. The link provided in these emails will take the user to a fake login page that mimics the real login page to steal account credentials.
- Smishing and Vishing: Mobile phone-based fraud is on the increase rapidly thanks to smishing and vishing. Smishing is a phishing attack via SMS where the victim receives a text message, supposedly from a trusted source, that aims to solicit their personal information. Vishing is the same, but the attacker aims to solicit the information via a phone call.
So how can you and your employees protect yourselves against phishing? Here are a few simple tips and best practices:
- Do not click on links or attachments from senders that you do not recognize. Be especially wary of opening any .zip, .rar, or other compressed or executable file types.
- Do not provide sensitive personal information (like usernames and passwords) over email or text message.
- Watch for email senders that use suspicious or misleading domain names.
- Inspect URLs carefully to make sure they’re legitimate and not imposter sites.
- Do not try to open any shared document that you’re not expecting to receive.