Phishing continues to evolve, and Lance Spitzner of SANS Security Awareness explains the changes in a post on the Cyber Security Intelligence website (https://www.cybersecurityintelligence.com/blog/phishing-its-not-about-malware-or-even-email-7046.html). Here are the trends:
1. Phishing is not just through emails but can be through texts or any messaging technology.
2. The goals have changed. Instead of installing malware, phishing tries to:
- Steal passwords.
- Get people to call a number used by scammers. (Suggestion: don't call phone numbers you don't recognize.)
- Carry out business email compromise or CEO fraud attacks. (Verify any requests to be sure they are legitimate.)
69% of phishing emails attempt to take a user to a website, primarily for password harvesting but sometimes for "surveys" (don't participate unless you know the sponsor). 14% are imposter scams. 8% are telephone-oriented attack delivery (TOAD). Only 9% are attempts to install malware.
While attacks continue to evolve, the most common indicators of phishing remain:
- Urgency.
- Pressure to ignore or bypass procedures.
- Curiosity about an offer (if it's too good to be true, it probably is).
- Tone doesn't seem right.
- Generic salutation.
- Personal rather than organization email address.