Anyone with even a little knowledge of cybersecurity knows that phishing is one of the top threats on the internet. As the name suggests, phishing is a type of scam that tries to obtain information and data by tricking the victim with fake emails, messages, websites and calls. That's why you need to be careful with messages and emails that ask you to pay bills or update information.
Phishing is dangerous on its own, but combined with social engineering it becomes far more devastating. Social engineering is a tactic in which crooks use information about the victim to commit fraud. Basically, the attacker scours the internet, including social networks like Facebook, LinkedIn and Twitter, in search of information that makes the scam more likely to succeed.
From the alliance between phishing and social engineering, spear phishing was born. Unlike mass phishing, which is sent indiscriminately, spear phishing is a targeted scam with a specific focus on a person, a group or even a company. In this sense, social engineering enhances the phisher's attack, allowing them to manipulate victims more easily.
We know that it's not always easy to recognize an attack. But education about threats and how they work (so-called security awareness) is still one of the most effective forms of defense. The more knowledge, the better. With this in mind, we've put together a list of the 5 common baits that phishers use in emails and messages to lure you.
5 baits used by phishers to trick you
1. Email spoofing
Email spoofing happens when cybercriminals use a hacked email account, or an email address that closely resembles a legitimate one, to deceive their victims. Imagine that an employee has had their email account compromised, and now the attacker is sending emails to partners requesting wire transfers.
2. Website spoofing
Website spoofing is widely used in phishing and spear phishing scams. It happens when the attacker creates fake websites with the goal of gaining the victims' trust in order to steal important data and information. Website spoofing is often tied to email spoofing, as many criminals send emails containing links to fake websites.
3. Malicious links and attachments
Two baits heavily used by phishers are attachments and malicious links. Remember the Sony Pictures data breach in 2014? It appears that the attackers gained access to the company's systems through malicious links in emails that appeared to have been sent by Apple.
4. Urgent subjects and text lures
Urgent subjects and elaborate texts are two more baits that phishers use heavily. In the case of the Nigerian fraud, for example, the criminal tells a convincing but false story that can end in financial loss for you. When it comes to frauds involving bank names, you may receive an email about an urgent matter stating that you need to change your banking credentials for security reasons.
5. Identity forgery
In this type of bait, the attacker takes advantage of someone the victim trusts in order to run the scam. If the message comes from a "trusted" person, the chances of success are bigger, right? Let's take the case of RSA, a security company, in 2011, as an example. The company was hacked because employees interacted with emails from someone who seemed close to them. The subject was something like "Recruitment Plan."
Remember: scammers often use more than one bait. Depending on how elaborate the fraud is, all 5 baits may be used, even if they are spread across different stages of the conversation. When it comes to phishing and spear phishing attacks, the best tip is always to try to confirm a suspicious request, preferably over the phone or in person.
For those who want more protection, especially companies, a Secure Email Gateway (SEG) with anti-spam, anti-virus, anti-malware and other security mechanisms may be a good start. In addition, you need to invest in security awareness. As we've said, the more knowledge, the better.
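To make the idea of combined baits concrete, here is an added example (not code from the original article) of the kind of heuristic check a mail filter or analyst script can run on an incoming message. It assumes the organisation's own domain is `example.com` and uses a constructed sample email that mixes three of the baits above: a lookalike sender domain (email spoofing), a link to a lookalike host (website spoofing) and an urgent wire-transfer request (urgency lure).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example.com"  # assumption: the organisation's real domain
URGENT_WORDS = ("urgent", "immediately", "wire transfer",
                "update your credentials", "account suspended")

# Constructed sample message combining several baits (not a real email).
SAMPLE_MAIL = """\
From: CFO <cfo@examp1e.com>
To: accounts@example.com
Subject: URGENT wire transfer - approve immediately
Content-Type: text/plain

Please approve the transfer today at http://example.com.login-verify.net/pay
"""

def levenshtein(a, b):
    """Edit distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(host, trusted):
    """True if host imitates the trusted domain without actually being it."""
    if host == trusted or host.endswith("." + trusted):
        return False  # the real domain or a genuine subdomain of it
    # Typo-squat (examp1e.com) or trusted name embedded in another domain
    return levenshtein(host, trusted) <= 2 or trusted in host

def bait_indicators(raw_message):
    """Return a list describing which baits the message shows signs of."""
    msg = message_from_string(raw_message)
    found = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    if is_lookalike(sender_domain, TRUSTED_DOMAIN):
        found.append("email spoofing: lookalike sender domain " + sender_domain)
    body = msg.get_payload()
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if is_lookalike(host, TRUSTED_DOMAIN):
            found.append("website spoofing: link to lookalike host " + host)
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(word in text for word in URGENT_WORDS):
        found.append("urgency lure in subject or body")
    return found
```

A single indicator is only a hint; several at once, as in the sample, is a strong reason to confirm the request out of band, as the article advises.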