For those planning training sessions or candidates intending to take an online exam during this period, we will be offering online exam sessions on December 27 and 29, as well as January 5, 2024. You can check the link to online exam events here.

PECB Security Update

Here at PECB, the online security commitment and the provision of support to our clients in protecting their businesses against information fraud and theft is of high importance. We are willing to ensure systematic help and protection by keeping you informed regarding the main emerging and concerning trends and threats among cybercriminals and fraudsters. In this update, therefore, we aim to enhance phishing awareness by providing the necessary information to contribute towards cultivating users’ resistance against phishing scams. 

Phishing

Phishing refers to one of the most widely-perpetrated forms of fraud, in which the attacker tries to get confidential and sensitive information, such as login credentials or account information, by impersonating trusted entities and using spoofed emails to lure online users that lack phishing awareness into providing personal information. Phishing can also be used to infect the victim with malware.

Typically, a victim receives a message that appears to have been sent by a known contact or organization. An attachment or link in the message may install malware on the user’s device or guide them to a malicious website, set up to trick them into revealing personal and financial information, such as passwords, account IDs or credit card details.

The world’s increasing dependence on the internet has magnified the challenges posed by scams and tricks. Consequently, phishing is progressively becoming more popular, as it is far easier to entice unsuspecting victims into clicking a malicious link from what appears to be a legitimate email, than trying to break through a computer’s defense system.

What are the different types of phishing?  

Phishing types differ in terms of the groups they target and the benefits they aim to receive. You have probably encountered the simplest type of phishing up until now, which is an email from someone purporting to be a trustworthy source, requiring information that can help you in accomplishing something very valuable (mostly money, funds, requests for tax and financial documents, or any other document that can induce the victim into sending the information that the attacker is requesting).Some of the most frequent types of phishing are:

Whaling (CEO Phishing)
 
The purpose of the phishing attack is to gain unlawful access to information that is valuable to companies or persons. That is why sometimes these types of attacks target people that hold the
‘key’ to the important information. They aim to acquire information from executives and people in authority. By gaining access to the email of someone with authority, attackers are able to manipulate employee’s information, initiate wire transfers, or also wreak havoc in almost every department within the company. 
 
Spear Phishing
 
This type of attack is one of the most sophisticated ones. That is because they are designed to be highly personalized, and the attacker has information about the victim before even initiating the phishing attack; thus, enhancing their authenticity and legitimacy, and increasing the likelihood of the individual complying with their request. Spear-phishing is less challenging for fraudsters considering the wide availability of information on the internet. They use the social media presence to monitor your most recent purchases, including here online platforms that you use to purchase things, places you have been shopping and so forth. You can be a target of a Spear Phisher by the information that you provide from your PC or even your phone. These types of attackers might find your page, email address, your list of friends, and they can even go as far as tracking a post that you made about a recent purchase. By using the information from your latest purchase, they can pretend to be a friend, send you an email and require from you a password to your photo page. If you provide them with the password, they will try to log into the site you purchased from, by trying different variations of usernames. If they do log in, unrepairable financial damages can be caused. There are cases when the possibilities of this type of phishing get to even blackmailing and other serious types of threats. 
 
W2 Phishing

A highly used version of whaling is the one that focuses on using the email of an executive for the mere reason of having access to the W2s of employees or the W9s of the contractors. Tax season is an exceedingly bad time for these types of attacks, as most organization's finance offices are accustomed to getting these sorts of solicitations. Such solicitations can be spoofed to originate from the IRS, or even from CPA office. The requests coming from the high-level executives in a company are most effective; however, seeming to come from IRS, they can ingrain just enough fear to stay away from the investigation.

Phishing to deliver ransomware

Even though the primary goal is gaining access to information, this type of attack is used to also get financial rewards by including ransomware in the delivered emails.In 2016, it is assessed that the majority of phishing emails comprised some type of malicious links that could lead to ransomware. These types of ransomware lock the files and photos of the users that fall into the trap of phishing email, and in most cases, the victims are required to pay in exchange for regaining access to their files. 

SMiShing & Vishing
 
In this type of phishing attack, the attacker will send a large paragraph (SMS), to hundreds of people stating that “Your credit/debit card has been deactivated due to suspicious activity. Please call our toll free number to verify your details”. Evidently, this type of attack may be an effective approach to persuading the victims and making them believe that this is an emergency situation and information asked has to be provided instantly.

Vishing is almost identical to the SMS tactic, as it involves the obtainment of information from users through the phone. The only difference is that in vishing, attackers call users directly on their phones asking for their sensitive information by using an urgent scenario like the debit/credit card situation mentioned above.

Some other tactics of phishing may include:
  • Company logos and other identifying information are taken directly from that company’s website, newsletters or other communication tools.

  • Email spoofing: Online deception that creates the appearance that an email was sent from the spoofed organization. e.g. payments@knownbank.com while the return address would lead to the scammer.

  • Malicious links designed to appear as they go to the spoofed organization. e.g. www.pecb.com (links to https://en.wikipedia.org/wiki/Phishing).

  • Carefully and intentionally misspelled URLs are common tricks e.g. www.pecb.com/login -> www.pcecb.com/login 

  • Links can appear to be authentic by copying the website of the spoofed organization so that the victim thinks s/he is logging in or providing information to a trusted organization.

How to evade/assess phishing attacks? 
 
  • Learn how to identify suspicious Phishing emails by noticing unusual activity such as a duplicate image of a real company, copying the name of a company and using it as bait.

  • Check the information source, and never respond to requests asking for passwords through email (banks never ask for passwords by email).

  • Do not go to your bank's website by clicking links from emails, since they can easily direct you to a fraudulent website and steal your sensitive information.

  • Install a good antivirus on your computer in order to prevent these forms of attacks. Also, you should continually update your operating systems along with the web browsers which include the latest frameworks for phishing attacks protection.

  • If you need to enter your sensitive data in a website, it must include the ‘https: //’ as this is considered to be more ‘safe.’

  • Avoid/delete emails claiming that you are about to receive money from anyone outside your country, as such emails have a 100% chance of being false and a trap for phishing attacks. 

  • Check the accounts that you regularly use in a periodical manner to see if there is any unusual activity, be that on bank accounts, online purchase accounts, personal work account etc. 

In cases of suspicious activity in your bank account, some bank's policies include declining suspicious transactions, and also have their fraud prevention teams contact you and investigate if the purchase was conducted with your consent. Also, whilst noticing unusual activities in your account, some banks also use the ‘freeze accounts’ option, which means that you are unable to use the account until they are assured that your account has not been subject to unauthorized access.

How to repair the damage after being attacked? 
 
If you are a victim of a phishing attack, you need to do a detail oriented damage control, be that on your computer, phone, or in one of your bank accounts. If you believe that together with the phishing attack there was a ransomware infection, the first step is to immediately shut down your computer and get some professional help. If the attack occurs at work, inform the IT department as soon as the attack takes place. The ransomware can be spread into the whole servers of the company and can endanger or damage crucial information or data. That is why, you need to take immediate and rapid action by notifying the competent people, in this case, the IT guys, to help you lock up and back up data that is vital to the company before it’s too late.

Further, immediately after you call the IT department, you need to log in online from a different source or computer and begin changing your passwords of banks, purchase accounts and so on. By doing so, you reduce the risk of data loss, financial damage, and intellectual property theft. Thus, firstly you need to secure your financial accounts, and then move to your email addresses and social media accounts.

Phishing attacks on the rise?
 
At the beginning of 2016, a report from the APWG (Anti-Phishing Working Group) identified 123,555 phishing websites. Further, they discovered that in the last quarter of 2016, 95,555 ‘templates’ of phishing email campaigns were reported and received by their customers. The report also conveyed that phishing attackers had a preference of baiting for companies in the financial sector with a whopping of 19.6 percent. This report exemplifies the undeniable fact that the number of phishing campaigns is growing each and every day. This is a result of the well-organized development of phishing attacks that is possibly due to the user’s lack of awareness. 
 
Summary
 
Generally, phishing attacks unveil the fact that users do not have an idea on how they operate and the methods employed to successfully commit fraudulent acts. You can always help your friends or colleagues by enhancing their awareness of scams such as phishing and what they can do to avoid it. Further, regular awareness sessions in companies are more than necessary. Considering that these types of scams are constantly evolving, we have to hold continual and updated awareness sessions.

 

 
 
 
 
 
 
 
 
 
 
 

S'ABONNER À NOTRE NEWSLETTER