What is Spear-Phishing or SMiShing?

Phishing attacks are on the rise, and new tactics lure in more victims. One new attack is spear-phishing; another is called SMiShing. But what is spear-phishing or SMiShing? In this blog, we describe these attacks so you know how to detect them and can maintain anti-phishing best practices. First, here are some statistics that should encourage you to understand the threat and that make a strong case for offering anti-phishing training in your organization:

  • When asked how the number of phishing attacks aimed at employees had changed in the past 12 months, 45 percent of respondents note the attacks have increased, BankInfoSecurity confirms in preliminary results collected for its 2013 Faces of Fraud Survey. (source)
  • When asked to distinguish malicious emails from legitimate ones, nearly everyone in a group of 53 undergraduates failed, according to a recent study done by North Carolina State University.
  • Ninety-one percent of advanced persistent threats start with phishing attacks, and success could give cyber criminals the ‘keys’ to bypass security and initiate further attacks. (source)
  • Phishing is a global problem for businesses as well as individuals, targeting 37.3 million people globally in the past year. (source)

What is Spear-Phishing and SMiShing?


Spear-phishing is a form of phishing in which the attackers target specific individuals or companies. In many of these cases, criminals research the target before the attack and hold personal information about the victim, which makes the claim seem more legitimate and increases the chance that the recipient will follow the call to action and click the link in the email. The FBI has seen an increase in this tactic across many industries. The FBI wrote that in these attacks, criminals gain access to private computer networks, create fake identities, steal intellectual property and compromise financial credentials.


In SMiShing, attackers use SMS messages as a platform to lure in victims. These messages contain claims such as: someone sent you a gift, your bill is ready for payment, or you have a prize waiting for you. In many cases, the message then tells you to click the link below, or to copy and paste it into your browser, and log in to see the gift, bill or prize as well as the sender (in the case of the “gift”, the message arrives as anonymous and tells you that you will discover the “sender” when you click the link). These can be tempting to click, but DO NOT fall for it.

In our follow-up blog, we will discuss six tips to stay protected from these attacks. For more information on Security Awareness Training, click here.
