

Rewterz Threat Advisory – Multiple Tenable Log Correlation Engine Vulnerabilities
June 4, 2021
Rewterz Threat Alert – AZORult – Active IOCs
June 4, 2021
Severity
High
Analysis Summary
Social engineering is a cybersecurity umbrella term covering all types of attacks that use human interaction and social skills to obtain or access information that can be used to attack and harm an individual or organization. The attacker plays on several human emotions and emotional tactics to entice a response from the victim. The email may seem respectful, urgent, demanding, or helpful, and may play on emotions like greed, curiosity, or fear. Some of the social engineering types are:
Phishing
Phishing includes fraudulent or deceitful emails with infected links which appear to be from reputable and trusted sources. The purpose is to lure victims into opening an infected attachment or link. The threat actors may appear to be from within the company or from outside sources. There are several types of phishing techniques, including:
Spear Phishing
Spear phishing targets a victim by collecting information from online sources or social media to masquerade as a known sender. An example of this is getting an email from a “restaurant” saying that you have received a coupon, which needs to be downloaded by opening an attachment.
Whaling
Whaling, as the name suggests, is used to target high-level or C-level employees like CEOs and CTOs. The “bigger fish” are targeted using the same social engineering techniques.
Vishing
Vishing is a social engineering technique that uses voice communication, such as cold calls or call center schemes, to attack victims. It also includes luring the victim into calling a number and divulging their personal information. Broadcasting the service or using VoIP (Voice over Internet Protocol) also helps exploit victims, as the caller ID can be changed, and takes advantage of the mistrust the public has of landline services.
Smishing
Smishing is a social engineering technique that utilizes SMS or text communication. Emails contain links to email addresses, webpages, or phone numbers that can automatically open an email or browser window or dial a number. Modern smishing techniques have a high success rate.
Baiting
As the name suggests, baiting includes enticing the victim with free giveaways. Some cybercriminals use discount offers, free gifts, or coupons to trick the victim into engaging.
Examples of highly successful or popular phishing attempts are the Nigerian prince, 419, or advance-fee scams.

Impact
- Financial loss
- Disruption of operations
- Damage to reputation
- Credential theft
- Exposure of sensitive data
Remediation
- Employees should be trained not only to practice healthy online habits, but also to be able to mitigate the initial security attack.
- The psychological triggers or social engineering tactics used by attackers should be taught to every employee.
- Firewalls, antivirus, and anti-malware software should be installed and updated.
- Always be suspicious when answering or opening messages from unknown sources or suspicious senders.