January 24, 2023

Five types of common phishing attacks

Financial loss and business data compromise are two of the most serious consequences of phishing attacks for South African businesses. Cybercriminals are becoming increasingly adept at using social engineering techniques to infiltrate business systems, steal data, or infect networks with malware.

Without the proper tools and training, teams may remain unaware of a phishing-related data breach for several weeks or months. This can have serious financial consequences for a business, especially when intellectual property or client data is lost.

Phishing can also lead to other more serious types of cyber attack, including ransomware or DDoS attacks. Digital assets may become unavailable, thus preventing employees from doing their jobs. Client and user experience is negatively impacted too, resulting in reputational costs to the business. Overall, performance is severely compromised.

With this in mind, there is a strong business case for protecting your business from a phishing attack. Tools such as enhanced email protection, DDoS protection and SIEM technologies are used by companies to monitor and protect their digital systems. These tools serve to deal with impersonation attempts, malicious users and unauthorised access to digital assets stemming from a phishing attack.

The type of protection your business requires depends on its size and the structure of its network. It's important to consider the different types of common phishing attacks in order to raise awareness among staff and plan an effective cyber security strategy to deal with such occurrences. According to a study on phishing attacks, there are five common types that employ social engineering.

Type 1: Email Phishing

Probably the most prevalent type of phishing attack, email phishing has been used for decades to trick and deceive recipients into handing over valuable information or making financial transactions. Cyber criminals use impersonation techniques and send seemingly legitimate emails with a malicious goal in mind. Threat actors impersonate a brand and send legitimate-looking emails to a mass audience, designed to lure recipients into sharing personal information.

Staff training can help raise awareness of email phishing so that employees know what to look out for. Poor-quality graphics and strangely worded emails are telltale signs of spam correspondence. Any last-minute, urgent requests should also be treated with suspicion, particularly when the sender requires a change to personal information or an immediate transfer of funds.

While user awareness training is essential, there are also cyber security tools that can automatically scan business emails to pick up on deceptive phishing attempts. With email phishing, threat actors often send mass emails to a large number of contacts. The hope is that at least one recipient will be fooled and respond to the attacker's demands.

Type 2: Spear Phishing Attacks

Spear phishing happens when attacks are directed at a specific person within the company. It involves cyber criminals doing research and gaining insight into their target. As with the first type of phishing, spear phishing relies on impersonation to achieve the attackers' ends.

While spear phishing is more difficult and time-consuming to carry out, it can also be a lot more damaging. The victim may be groomed for several months before an attack takes place. In these instances, the purpose could be to infiltrate a business network. This could lead to a full-blown ransomware attack where the threat actor renders the business network unusable until they receive payment.

Type 3: Clone Phishing Attacks

With this type of phishing, criminals resend an email that the recipient has already received, but this time attaching a malicious link. When the recipient clicks on that link, malware can be installed on the IT system.

Staff training on the dangers of embedded links can go a long way to mitigate this type of attack. For large organisations, however, enhanced email protection is required to scan correspondence for any potential threats. Oftentimes employees are so focused on getting the job done that they don’t notice a potentially damaging URL.
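
The check an email scanner can make for this pattern, shown as an added example (it is not from the original article or from any SEACOM product): compare a newly received message with one already in the mailbox and report when the text is nearly identical but the link hosts or the sender address have changed. The function name, the similarity threshold and the two sample messages are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample messages (reserved .example/.test domains).
ORIGINAL = ("From: Billing <billing@supplier.example>\nSubject: Invoice 1042\n\n"
            "Hi,\nYour invoice is ready: https://portal.supplier.example/invoices/1042\n"
            "Regards, Billing\n")
CLONE = ("From: Billing <billing@supplier-example.test>\nSubject: Invoice 1042 (updated)\n\n"
         "Hi,\nYour invoice is ready: https://portal.supplier-billing.test/invoices/1042\n"
         "Regards, Billing\n")

def _body_and_hosts(raw):
    msg = message_from_string(raw)
    body = msg.get_payload()  # this sketch handles single-part text messages only
    hosts = {(urlsplit(u).hostname or "").lower() for u in URL_RE.findall(body)}
    # Mask URLs so that a swapped link does not lower the text similarity score.
    text = " ".join(URL_RE.sub("<url>", body).split())
    return msg, text, hosts

def clone_indicators(original_raw, candidate_raw, threshold=0.9):
    """Return the reasons the candidate looks like a clone of the original, else []."""
    o_msg, o_text, o_hosts = _body_and_hosts(original_raw)
    c_msg, c_text, c_hosts = _body_and_hosts(candidate_raw)
    if SequenceMatcher(None, o_text, c_text).ratio() < threshold:
        return []  # not a near-duplicate of the earlier message
    reasons = []
    new_hosts = sorted(c_hosts - o_hosts)
    if new_hosts:
        reasons.append("new link host(s): " + ", ".join(new_hosts))
    o_from = parseaddr(o_msg["From"])[1].lower()
    c_from = parseaddr(c_msg["From"])[1].lower()
    if o_from != c_from:
        reasons.append(f"sender changed: {o_from} -> {c_from}")
    return reasons

if __name__ == "__main__":
    for reason in clone_indicators(ORIGINAL, CLONE):
        print(reason)
```

A genuine resend of the same message produces no indicators, because neither the link hosts nor the sender differ.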

Type 4: Whaling

As with the other types of phishing, this type of attack manipulates the victim into thinking that the correspondence comes from a legitimate sender. In a whaling attack, cyber criminals pretend to be a member of the company’s senior leadership team and target someone lower down in the organisation.

Impersonating a C-suite executive is an effective way to tease out sensitive client or financial information, or gain access to credentials and login details. With advanced email protection software, internal correspondence is also monitored for malicious attempts to extract data or make a fraudulent transaction.

Type 5: Man-in-the-middle attacks

The fifth type of phishing attack is more technical than the rest. When a man-in-the-middle attack happens, the hacker intercepts correspondence between two parties. In doing so, they can monitor messages for any useful information that can be used to gain access to company data or financial systems. These attacks are also used to launch other phishing attacks.

Protect your business against common phishing attacks

While phishing mostly relies on email of some sort, social engineering tactics can also be employed through other communication systems. Social media platforms, voice calls or instant messaging software can be used to instigate a phishing attack. As such, organisations need to cover their attack surface using the appropriate cyber security software. For more information or to get a quote for our cyber security solutions, email us at marketing@seacom.com or leave us a message.

