<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Phishing Archives - CIATEC</title>
	<atom:link href="https://www.ciatec.com/tag/phishing/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.ciatec.com/tag/phishing/</link>
	<description>Information Security &#124; Information Technology &#124; Information Assurance &#124; Digital Strategy</description>
	<lastBuildDate>Sat, 24 Mar 2018 07:02:25 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.8.1</generator>

<image>
	<url>https://www.ciatec.com/wp-content/uploads/2018/02/cropped-Ciatec-Icon-32x32.png</url>
	<title>Phishing Archives - CIATEC</title>
	<link>https://www.ciatec.com/tag/phishing/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Phishing Techniques</title>
		<link>https://www.ciatec.com/2018/02/phishing-techniques/</link>
		
		<dc:creator><![CDATA[CIATEC Staff]]></dc:creator>
		<pubDate>Sat, 17 Feb 2018 11:33:33 +0000</pubDate>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Phishing]]></category>
		<guid isPermaLink="false">https://www.cia-tec.com/?p=1108</guid>

					<description><![CDATA[<p>Using the guide below, organizations will be able to more quickly spot some of the most common types of phishing techniques and attacks that phishers use to trap a victim to own his credentials, bank accounts, social networking accounts or emails etc. With that in mind, it’s imperative that organizations conduct security awareness training on &#8230;</p>
<p>The post <a href="https://www.ciatec.com/2018/02/phishing-techniques/">Phishing Techniques</a> appeared first on <a href="https://www.ciatec.com">CIATEC</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p style="text-align: justify;"><span style="color: #000000;">Using the guide below, organizations will be able to more quickly spot some of the most common phishing techniques and attacks that phishers use to trap victims and take over their credentials, bank accounts, social networking accounts, email accounts, and so on.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">With that in mind, it’s imperative that organizations conduct security awareness training on an ongoing basis so that their employees and executives stay on top of emerging phishing attacks (for more information, read <strong><a style="color: #000000;" href="https://www.cia-tec.com/2018/02/14/the-dangers-of-phishing/">How to Identify a Phishing or Spoofing Email</a></strong>).</span></p>
<h3 style="text-align: justify;"><span style="color: #000000;"><strong>Spear phishing</strong></span></h3>
<p style="text-align: justify;"><span style="color: #000000;">A unique form of phishing in which the message is made to look as if it came from someone you know and trust as opposed to an informal third party.</span><br />
<span style="color: #000000;"> Spear phishing works better than generic phishing because it uses information that the phisher can find about you from email databases, friends’ lists, and the like.</span></p>
<h3 style="text-align: justify;"><span style="color: #000000;"><strong>Whaling </strong></span></h3>
<p style="text-align: justify;"><span style="color: #000000;">Whaling is nothing more than phishing or spear phishing aimed at high-profile users. Instead of sending out a “To Whom It May Concern” message to thousands of users, the whaler identifies one person from whom they can gain all the data they want (usually a manager or owner) and targets the phishing campaign at them.</span></p>
<h3 style="text-align: justify;"><span style="color: #000000;"><strong>Vishing</strong></span></h3>
<p style="text-align: justify;"><span style="color: #000000;">When you combine phishing with Voice over IP (VoIP), it becomes known as vishing, an elevated form of social engineering. Although crank calls have been in existence since the invention of the telephone, the rise in VoIP now makes it possible for someone to call you from almost anywhere in the world, without worrying about tracing, caller ID, and other land line–related features. They then pretend to be someone they are not in order to get data from you.</span></p>
<h3 style="text-align: justify;"><span style="color: #000000;"><strong>Session hijacking</strong></span></h3>
<p style="text-align: justify;"><span style="color: #000000;">In session hijacking, the phisher exploits the web session control mechanism to steal information from the user. Phishers place themselves between the user and host, thereby letting them monitor user traffic and launch specific attacks.</span></p>
<h3 style="text-align: justify;"><span style="color: #000000;"><strong>Keylogger </strong></span></h3>
<p style="text-align: justify;"><span style="color: #000000;">Another way of extracting information from a victim’s system is to use a piece of technology known as a keylogger. Software in this category is designed to capture and report keyboard activity on a target system. When placed on a system, it lets the phisher monitor all activity on that system and reports it back to the phisher.</span></p>
<h3 style="text-align: justify;"><span style="color: #000000;"><strong>Malvertising </strong></span></h3>
<p style="text-align: justify;"><span style="color: #000000;">Malvertising, or malicious advertising, is the use of online, malicious advertisements to spread malware and compromise systems. Generally this occurs through the injection of unwanted or malicious code into ads.</span></p>
<h3 style="text-align: justify;"><span style="color: #000000;"><strong>Smishing</strong></span></h3>
<p style="text-align: justify;"><span style="color: #000000;">A form of phishing, smishing is when the phisher tries to trick you into giving them your private information via a text or SMS message. Smishing is an emerging and growing threat in the world of online security.</span></p>
<h3 style="text-align: justify;"><span style="color: #000000;"><strong>Content Injection</strong></span></h3>
<p style="text-align: justify;"><span style="color: #000000;">Content-injection phishing on social networks refers to inserting malicious content into social networks. The malicious content often takes the form of bogus posts (e.g., tweets, or posts in the Facebook or LinkedIn feed) published by users whose accounts were affected by rogue apps. When the victim clicks on the link in such a post, he/she is asked to provide personal data, which the phisher may use to commit identity theft and other scams.</span></p>
<h3><span style="color: #000000;"><strong>Link manipulation</strong></span></h3>
<p style="text-align: justify;"><span style="color: #000000;">Link manipulation is the technique in which the phisher sends a link to a malicious website. When the user clicks on the deceptive link, it opens up the phisher’s website instead of the website mentioned in the link.</span></p>
<h3 style="text-align: justify;"><span style="color: #000000;"><strong>Phishing through Search Engines</strong></span></h3>
<p style="text-align: justify;"><span style="color: #000000;">Search engine phishing occurs through online website search engines. Here, the person may encounter offers or messages that entice the person to visit the website. The search process may be legitimate, but the website is actually fake and only exists to steal the person’s personal information.</span></p>
<h3 style="text-align: justify;"><span style="color: #000000;"><strong>Web Based Delivery</strong></span></h3>
<p style="text-align: justify;"><span style="color: #000000;">Also known as “man-in-the-middle”, this technique is based on the principle that a system can be placed between two legitimate users to capture or exploit the information being sent between them. Both sides of the conversation assume that the man in the middle is the other end and communicate normally. This creates a security breach and allows the phisher to trace details during a transaction between the legitimate website and the user.</span></p>
<h3 style="text-align: justify;"><span style="color: #000000;"><strong>Malware-Based Phishing</strong></span></h3>
<p style="text-align: justify;"><span style="color: #000000;">Malware-based phishing refers to scams that involve running malicious software on users&#8217; PCs. Malware can be introduced as an email attachment, as a downloadable file from a web site, or by exploiting known security vulnerabilities.</span></p>
<h3 style="text-align: justify;"><span style="color: #000000;"><strong>System Reconfiguration Attacks</strong></span></h3>
<p style="text-align: justify;"><span style="color: #000000;">System reconfiguration attacks modify settings on a user&#8217;s PC for malicious purposes. For example, URLs in a favorites file might be modified to direct users to look-alike websites where their information can be stolen.</span></p>
<h3 style="text-align: justify;"><span style="color: #000000;"><strong>Hosts File Poisoning</strong></span></h3>
<p style="text-align: justify;"><span style="color: #000000;">Hosts file poisoning involves injecting new entries for Internet sites into a computer’s hosts file, so that web site requests are rerouted to another site, taking the user unwittingly to a fake &#8220;look alike&#8221; website where their information can be stolen.</span></p>
<h3 style="text-align: justify;"><span style="color: #000000;"><strong>Impersonation </strong></span></h3>
<p style="text-align: justify;"><span style="color: #000000;">Impersonation involves any act of pretending to be someone you are not. Impersonation can be done over the phone, by email, and so forth.</span></p>
<h3 style="text-align: justify;"><span style="color: #000000;"><strong>Trojan</strong></span></h3>
<p style="text-align: justify;"><span style="color: #000000;">A Trojan horse may be included as an attachment and try to log into your user account to collect credentials through the local machine. The acquired information is then transmitted to phishers.</span></p>
<h3 style="text-align: justify;"><span style="color: #000000;"><strong>Ransomware</strong></span></h3>
<p style="text-align: justify;"><span style="color: #000000;">Phishing ransomware attacks begin with what looks like a legitimate email, asking the recipient to open a file or click on a link. Once the attachment or link has been opened, the phisher gains access to the device’s data and can distribute the malicious payload, asking the recipient to pay a ransom in exchange for the return of stolen data or personal information.</span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>A must-do steps to recover from a phishing scam</title>
		<link>https://www.ciatec.com/2018/02/must-do-steps-to-recover-from-a-phishing-scam/</link>
		
		<dc:creator><![CDATA[CIATEC Staff]]></dc:creator>
		<pubDate>Thu, 15 Feb 2018 10:24:22 +0000</pubDate>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Phishing]]></category>
		<guid isPermaLink="false">https://www.cia-tec.com/?p=1085</guid>

					<description><![CDATA[<p>How to recover from a phishing scam? Unfortunately, phishing messages are becoming harder and harder to identify (For more information, read How to Identify a Phishing or Spoofing Email). Because of the increasing sophistication of these scams, there is a high probability either you or someone who uses your devices will, at some point, fall &#8230;</p>
<p>The post <a href="https://www.ciatec.com/2018/02/must-do-steps-to-recover-from-a-phishing-scam/">A must-do steps to recover from a phishing scam</a> appeared first on <a href="https://www.ciatec.com">CIATEC</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h2>How to recover from a phishing scam?</h2>
<p style="text-align: justify;">Unfortunately, phishing messages are becoming harder and harder to identify (for more information, read <a href="/2018/02/14/the-dangers-of-phishing/" target="_blank" rel="noopener"><strong>How to Identify a Phishing or Spoofing Email</strong></a>). Because of the increasing sophistication of these scams, there is a high probability that either you or someone who uses your devices will, at some point, fall victim and need to recover from a phishing scam.</p>
<p>Here are suggestions for what to do after clicking a phishing link:</p>
<ul style="list-style-type: circle;">
<li><span style="font-size: 12pt;"><span style="font-size: 12pt;"><span style="font-size: 12pt;"><strong>Disconnect Your Device</strong><br />
Disconnecting from the Internet should be one of the first things you do in order to battle any form of malware.</span></span></span></li>
<li><strong>Back Up Your Files<br />
</strong>Copy your sensitive files elsewhere just to be safe. You don’t want to back up everything on your computer, as there’s a risk that you could save some infected files along with it.</li>
<li><strong>Report the Incident<br />
</strong>If you think the scammers got into one of your important accounts, such as a bank account, report it to customer support immediately; they might be able to help you.<br />
Moreover, if you suspect a computer virus infection, inform your IT department so that they can nullify the threat before it spreads.</li>
<li><strong>Change Your Credentials</strong><br />
If you provided any login credentials, such as usernames and passwords, now is the time to change those passwords. If you use a similar password on another service, you might want to change it as well.</li>
<li><strong>Scan Your System for Malware</strong><br />
Scammers will sometimes try to fool you into installing malicious software, such as keyloggers, so that they can steal your information more easily.<br />
If you installed such an application, remove it now. If you are unable to find or remove it, locate and run your antivirus program’s full system scan.</li>
<li><strong>Proceed with Caution</strong><br />
The best protection is to err on the side of caution and use the “delete” button on emails that seem sketchy. Remember, a legitimate organization or business will never ask you to share sensitive, personal information via insecure channels like email, text or pop-up messages.</li>
</ul>
<p><em><strong>Those were 6 main suggestions to help you recover from a phishing scam, but I really hope you don&#8217;t need them. Stay safe!</strong></em></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The dangers of phishing</title>
		<link>https://www.ciatec.com/2018/02/the-dangers-of-phishing/</link>
		
		<dc:creator><![CDATA[CIATEC Staff]]></dc:creator>
		<pubDate>Wed, 14 Feb 2018 14:10:22 +0000</pubDate>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Phishing]]></category>
		<guid isPermaLink="false">https://www.cia-tec.com/?p=1068</guid>

					<description><![CDATA[<p>Phishing scams are a form of cybercrime that involves defrauding users to obtain sensitive information. Cyber criminals act as legitimate companies or organizations to obtain the information and credentials. The main way online thieves get these credentials is through sending out emails that look exactly like official emails from your bank, credit card company, PayPal, Amazon or &#8230;</p>
<p>The post <a href="https://www.ciatec.com/2018/02/the-dangers-of-phishing/">The dangers of phishing</a> appeared first on <a href="https://www.ciatec.com">CIATEC</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p style="text-align: left;">Phishing scams are a form of cybercrime that involves defrauding users to obtain sensitive information. Cyber criminals act as legitimate companies or organizations to obtain the information and credentials.</p>
<p>The main way online thieves get these credentials is through sending out emails that look exactly like official emails from your bank, credit card company, PayPal, Amazon or other online companies or services.</p>
<p><strong><em>Real-life example of Phishing</em></strong><br />
<em>I was in the office one day a couple of weeks ago when I received a text message from … According to the message, my credit card had expired and I was invited to click on the link in the text to update my details. I checked my credit card status independently with the bank and there were no issues. The text was enough to force me to carry out some due diligence though, and had I not worked in the security industry I may well have clicked on the link!</em></p>
<p style="text-align: justify;"><strong><span style="font-size: 14pt;">How to Identify a Phishing or Spoofing Email</span></strong></p>
<p style="text-align: justify;"><span style="font-size: 12pt; color: #000000;">Here are some tips on how to identify a phishing or spoofing email.</span></p>
<ul>
<li style="list-style-type: none;">
<ul>
<li style="text-align: justify;"><strong> Don’t trust the display name </strong><span style="color: #000000;">A favorite phishing tactic among cyber criminals is to spoof the display name of an email. </span><span style="color: #000000;"><span style="color: #000000;"><span style="color: #000000;"> Check the email address in the From header; if it looks suspicious, don’t open the email.</span></span></span>&nbsp;</li>
<li style="text-align: justify;"><span style="color: #000000;"><strong>Look before you click </strong></span>When you hover over a link in Outlook or a web browser, a small window pops up to show you where the link really goes.<strong> </strong>If the real link doesn’t match the sender or doesn’t match what you expect, assume it is poisoned and don’t click it.</li>
<li style="text-align: justify;"><span style="color: #000000;"><strong>Check for spelling mistakes</strong><strong> and bad grammar </strong></span><span style="color: #000000;"><span style="color: #000000;"><span style="color: #000000;">Authentic messages usually don’t have major spelling mistakes or poor grammar.  If it’s written poorly, don’t open it.</span></span></span>&nbsp;</li>
<li style="text-align: justify;"><span style="font-size: 12pt; color: #000000;"><span style="font-size: 12pt; color: #000000;"><span style="font-size: 12pt; color: #000000;"><strong>Review the salutation and check for legitimate contact information </strong></span></span></span><span style="font-size: 12pt; color: #000000;"><span style="font-size: 12pt; color: #000000;"><span style="font-size: 12pt; color: #000000;">If addressed to a vague “valued customer” or &#8220;dear user&#8221; it’s probably a phish. Lack of details about the sender or how you can contact them or their company strongly suggests a phish.</span></span></span>&nbsp;</li>
<li style="text-align: justify;"><span style="font-size: 12pt; color: #000000;"><span style="font-size: 12pt; color: #000000;"><span style="font-size: 12pt; color: #000000;"><strong>Don’t give up personal information </strong></span></span></span><span style="font-size: 12pt; color: #000000;"><span style="font-size: 12pt; color: #000000;"><span style="font-size: 12pt; color: #000000;">Legitimate banks and most other companies will never ask for personal credentials via email. Don’t give them up.</span></span></span>&nbsp;</li>
<li style="text-align: justify;"><span style="font-size: 12pt; color: #000000;"><span style="font-size: 12pt; color: #000000;"><span style="font-size: 12pt; color: #000000;"><strong>Don&#8217;t trust an</strong><strong> offer that seems too good to be true </strong></span></span></span><span style="font-size: 12pt; color: #000000;"><span style="font-size: 12pt; color: #000000;"><span style="font-size: 12pt; color: #000000;">If you receive a message from someone unknown to you who is making big promises, the message is probably a scam.</span></span></span>&nbsp;</li>
<li style="text-align: justify;"><span style="font-size: 12pt; color: #000000;"><strong>Beware of urgent or threatening language in the subject line </strong></span><span style="font-size: 12pt; color: #000000;"><span style="font-size: 12pt; color: #000000;"><span style="font-size: 12pt; color: #000000;">Invoking a sense of urgency or fear is a common phishing tactic. Beware of subject lines that claim your “account has been suspended” or your account had an “unauthorized login attempt.”</span></span></span>&nbsp;</li>
<li style="text-align: justify;"><span style="font-size: 12pt; color: #000000;"><span style="font-size: 12pt; color: #000000;"><span style="font-size: 12pt; color: #000000;"><strong>No Clicking on Attachments Either </strong></span></span></span><span style="font-size: 12pt; color: #000000;"><span style="font-size: 12pt; color: #000000;">Hackers embed malicious attachments that contain viruses and malware in their phishing emails. Malware can steal your credentials,  damage files on your computer,  or spy on you without you ever knowing.</span></span></li>
</ul>
</li>
</ul>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
