Phishing Attacks: What Are They And How To Prevent Them?
In 2019, 80% of all reported security incidents and 32% of confirmed data breaches involved phishing attacks. Phishing attacks are easier for attackers to orchestrate and for the targeted individuals/businesses to fall prey to. What makes phishing particularly dangerous is the fact that it exploits human trust and leverages the element of human error. For instance, 97% of people globally are unable to identify sophisticated phishing emails.
Given that these attacks are only becoming more sophisticated, how to prevent phishing? Read on to know more.
Phishing Attacks: An Overview
Phishing attacks happen when an attacker, impersonating a trusted entity (colleague/ senior/ known non-profits/ reputed companies, etc.,) tricks the victim into opening an email/ message/ chat or clicking on a malicious link. By doing so, victims may:
- Divulge sensitive information
- Wire money to the phishers
- Download malicious attachments
- Install malware on their device
- Distribute malware to other devices in the network
- Unauthorized purchases and so on.
Phishing is also leveraged to orchestrate other attacks such as
- Ransomware attacks
- Data and identity theft
- Gaining unauthorized access
- Blackmail and extortion
- Advanced persistent threats to networks
How Does Phishing Work?
People will not divulge their personal information to anyone and everyone. So, phishers take extra efforts to lure the victims to accomplish their end-goals. For instance, spending weeks and months in creating a fake social media persona or researching extensively about victims, etc.
Typically, phishers craft communication (SMS, email, voice-based content, social media accounts, etc.) that create a sense of urgency/panic or instill fear in the recipients/ users. The subject lines and captions are eye-catching and lure the victim into performing the necessary action. For instance, you’ve won the lottery, the best way to prevent COVID-19, your password expires today, and so on.
In the least sophisticated attacks, the users are not redirected to another website. Simple actions such as clicking a link are sought from victims.
In more sophisticated attacks, the readily available phishing kits are used. These kits enable phishers with minimal technical skills to easily orchestrate phishing attacks, from gathering mailing lists to spoofing legitimate brands and setting up fake websites.
You may also want to read, Phishing Mistakes Hurting You, and Your Customers.
Types of Phishing Attacks
- Email phishing scams: Fraudulent messages sent out to random users in bulk through email.
- Spear phishing: Highly targeted type of phishing, attacking specific users.
- Whaling: Big fish such as CEOs or other high-level executives are targeted based on in-depth profiling.
- Smishing: Fraudulent SMS alerts in this phishing attack
- Vishing: Phishing orchestrated using phone calls or other voice-based media.
- Pharming: The victims are redirected to fraudulent websites using DNS cache poisoning.
- Social media phishing: Social media platforms are used for this attack type.
How to Prevent Phishing?
1. Extensive and Continuous User Education
Phishing prevention best practices dictate that all users/ stakeholders (employees, customers, end-users, partners, etc.) must be continuously and extensively educated through a structured anti-phishing program. They must be aware of the signs to look for and ways to protect themselves. Include engaging tools that allow users, especially employees, to make mistakes and learn from them.
2. Multi-Factor Authentication (MFA)
MFA is a simple technical barrier that adds extra layers of verification. For instance, entering OTP sent to a registered mobile number, a physical token, biometrics, etc. over and above the username and password. This prevents phishers from using compromised credentials to gain unauthorized access.
3. Effective Password and Access Management Policies
Apart from MFA, effective password and access management policies must be enforced by every organization. For instance, clearly defined user roles and privileges, frequent changing of passwords, the barrier to reuse passwords, and so on.
4. A Next-Gen WAF
Next-gen Web Application Firewalls (WAF) such as AppTrana WAF are well-equipped to filter out malicious requests at the perimeter itself before they hit the application. Though a WAF cannot be used to eliminate the channel of phishing and bats the hacker sends out to get a user to click on a link, it can still be considered a layer of defense for providing another barrier to the attacker if their target for exploits post phishing is the application. The WAF can identify and prevent malware injections, defacements and other attacks caused such as reflected XSS. AppTrana WAF also analyzes the requests and intelligently decides whether to flag, allow, block, or challenge users.
Another important phishing attack prevention measure is to conduct security testing/ pen-testing. This enables organizations to see how aware and equipped the users are about phishing.
In 2019 alone, a whopping USD 17,700 was lost every minute owing to phishing attacks! There cannot be a stronger case for robust phishing attack prevention measures. Think about, how you can prevent these sophisticated threats lurking in inboxes, social media, and websites and take appropriate actions.