Phishing Continued: Types of Attacks

This is Part 2 of a 3 part blog series on Phishing.

As mentioned in Part 1, phishing generally refers to malicious emails. They are typically designed to convince users to “take bait” and click on links that contain malware or to submit personal, or financial, information to fake websites.  The fake websites often mimic those of banks, subscription services, large retailers, or fund transfer companies.

There are two main phishing types: Mass and Spear.

Mass Attacks

Mass phishing attacks are sent to many people rather than being targeted toward a single person. Mass phishing attacks often take advantage of trust in well-known brands, like Netflix or Paypal, to lure their targets in and trick them into passing their private information to spoofed, or fake, websites. This personal information is then sold.

Mass attacks are becoming more sophisticated but most of them are still relatively easy to recognize as fakes. The easiest way to recognize a fake email is to look at the originating email address. If it does not appear to be an authentic-looking company email address, that’s a bad sign.

Spear Phishing

Spear phishing attacks are intended to target specific individuals within organizations by impersonating a trusted sender or source. These attacks encourage individuals to take a certain action, such as sending money or downloading malware.

From compromised passwords, to misdirected company funds, to downloading malware, spear phishing attacks are successful primarily because they are socially engineered to convince even technically-aware victims to take action they otherwise would not.

This can also lead into a related issue of phishing attacks that compromise business emails.

Business Email Compromise

Business email compromise phishing attacks are the hardest to detect because they rely on actual company emails rather than spoof emails. Given the complexity, Business Email Compromise attacks are the most difficult to avoid and can be the most costly for businesses.

These attacks are well-orchestrated: they create an urgent response in the target, usually directed toward convincing employees to transfer company funds directly into fake bank accounts.

Do you know if your email infrastructure is set up to guard against phishing attacks? Get in touch with us for more information on how to mitigate your risk.