
From CEO Fraud To Google Docs - How To Avoid A Phishing Scam

19 September 2017 10:16

Phishing scams are one of the most common and most damaging techniques used by cyber criminals in today’s world - and there are a few (pretty simple) reasons why that is. From CEO spear phishing to Google Docs scams, here are some you'll need to watch out for.


A fishing hook with keys and locks attached to it, with coding in the background representing a phishing scam.

There are a number of ways they can hook us, whether it be by email, by phone, or even in person. And the masses of emails that can be sent on an automated basis mean that the criminal’s net is large enough to capture all types of victims. And the approach is as simple as they come - get someone to click a bogus link in an attempt to acquire sensitive information or access to systems.

But some aren't all that simple. Here's a list of some of the most common phishing attacks out there, and how you can best avoid them...

#1 Deceptive Phishing

Undoubtedly the most common type of phishing scam, and one most of us have been on the receiving end of, deceptive phishing occurs when an attacker impersonates a legitimate company in an attempt to obtain someone's login credentials or personal information.

A cyber criminal will often instil a sense of urgency in their victim in order to provoke a quicker reaction, with less time to think about the email’s authenticity. PayPal scams are notorious for this and highly effective. Scammers will send an email asking an individual to rectify an issue with their account - with the aim of obtaining the login details on a fake PayPal webpage.

The success rate of a deceptive phishing scam hinges on how closely the email can resemble a genuine PayPal email.

   How to avoid the phishing scam:

Inspect the domain of the email. Often, scammers will send the email from a domain using a fake company name, such as “@Micro5oft”. Also, check the URLs in a suspicious email carefully to see where each link actually leads.

Finally, check for unusual language and grammar mistakes, and be suspicious if the email asks for personal information.
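As an added illustration of the domain and URL checks just described (example code written for this page, not from the original article), a small Python triage helper that flags digit-for-letter lookalikes such as the “@Micro5oft” example and links whose visible text points somewhere other than their real target. The allow-list of trusted brands and the sample email are constructed for the example.

```python
import re
from urllib.parse import urlparse
# Constructed allow-list of brands this organisation expects mail from (an assumption, not from the article).
TRUSTED_DOMAINS = {"microsoft.com", "paypal.com", "dropbox.com", "google.com"}
# Digit-for-letter swaps typical of lookalike domains (the article's "@Micro5oft" is one).
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
HOSTLIKE = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?", re.I)  # link text that looks like a URL

def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); a public-suffix list would be more accurate."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def normalise(label: str) -> str:
    """Undo common substitutions so 'micro5oft' and 'rnicrosoft' both compare equal to 'microsoft'."""
    return label.lower().translate(SWAPS).replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one-character typo-squats such as 'goggle'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(host: str) -> str:
    """'trusted' if allow-listed, 'lookalike' if it imitates an allow-listed brand, else 'unknown'."""
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    name = normalise(domain.split(".")[0])
    hit = any(edit_distance(name, t.split(".")[0]) <= 1 for t in TRUSTED_DOMAINS)
    return "lookalike" if hit else "unknown"

def check_email(sender: str, html_body: str) -> list[str]:
    """Flag a suspicious sender domain and links whose visible text does not match their real target."""
    findings = []
    verdict = classify_domain(sender.rsplit("@", 1)[-1])
    if verdict != "trusted":
        findings.append(f"sender domain is {verdict}: {sender}")
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html_body, re.I | re.S):
        target = registrable_domain(urlparse(href).hostname or "")
        shown = HOSTLIKE.fullmatch(text.strip())
        if shown and registrable_domain(shown.group(1)) != target:
            findings.append(f"link text shows {shown.group(1)} but goes to {target}")
        elif classify_domain(target) == "lookalike":
            findings.append(f"link goes to a lookalike domain: {target}")
    return findings
```

Running `check_email("service@paypa1.com", '<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/</a>')` reports both the lookalike sender and the mismatched link, while a genuine Dropbox notification with a plain “Open” link produces no findings.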


#2 Spear Phishing

Whereas deceptive phishing scams can rely on mass automated sending to thousands of recipients, some emails use hyper-personalised tactics. In what’s known as ‘spear phishing’, a scammer can customise their fraudulent emails with the target’s name, company, job title, and even work phone number.

The aim of this is to trick the recipient into believing they have a connection with the sender. The victim is then lured into clicking a malicious URL or email attachment, in the hope of handing over their personal data.

LinkedIn is a haven for these types of scams, where cyber criminals have access to multiple bits of information that can help craft a spear phishing attack.

   How to avoid the phishing scam:

As with many other aspects of cyber security, security awareness training is essential here. End users must understand the risks created by sharing sensitive personal and company information on social media profiles.

From a technological side, companies should also consider investing in solutions that are capable of analysing inbound emails for known malicious links and attachments.

#3 CEO Fraud (Otherwise Known As A “Whaling” Attack)

For an attacker, the beauty of a spear phishing attack is that they can target anyone in an organisation, even the big fish. Whaling attacks see a fraudster target a high-level exec, such as a CEO, in an attempt to steal their login credentials.

Once these details have been obtained, a scammer can conduct CEO fraud by impersonating an executive and authorising fraudulent wire transfers.

   How to avoid the phishing scam:

One of the main reasons whaling attacks are so successful is that company execs don’t tend to participate in security awareness training. Given that these individuals are perhaps the ones with the most valuable piles of data in the company, it should go without saying that all employees need to be educated on cyber threats in today’s business world.

Also, organisations should consider altering their financial policies, blocking any financial transaction requests via email.

#4 Dropbox Phishing

It's well known that phishing attacks are becoming smarter, and are targeting their victims in new ways every year. Now, scammers are known to tailor their phishing emails to impersonate a specific legitimate company or service.

Take Dropbox for example. The file-sharing site is now used by millions of people across the world, who use it to access and back up important documents. So it’s no surprise that attackers have chosen this as a new avenue for fraudulent emails.

One infamous campaign saw cyber criminals host a fake login page on the legitimate Dropbox website - with emails sent in an attempt to lure victims into parting with their credentials.

   How to avoid the phishing scam:

One of the most criminally underused methods of protection for such sites is with two-step verification (2SV). Setting this up on your account is incredibly simple, and incredibly useful.

#5 Google Docs Phishing

This type of phishing scam is similar to that of the Dropbox scenario. Google Drive can support documents, spreadsheets, photos, presentations and entire websites - making it a prime target for scammers.

In 2015, attackers created a web page pretty much identical to Google’s login page, which saw users ultimately have their credentials harvested. Google was certainly left with red faces, as an SSL certificate also protected the page with a secure connection.

   How to avoid the phishing scam:

Just like a Dropbox account (and pretty much any file-sharing or social media account for that matter), 2SV should be enabled to add a much-needed layer of protection.


#6 Pharming

End users are becoming savvier to phishing scams of the past. Now, some fraudsters are abandoning the idea of “baiting” their victims entirely. Instead, they are resorting to pharming.

This is a method of attack which stems from domain name system (DNS) cache poisoning. The Internet’s naming system uses DNS servers to convert alphabetical website names, such as “www.microsoft.com,” to numerical IP addresses used for locating computer services and devices.

Under a DNS cache poisoning attack, a pharmer targets a DNS server and changes the IP address associated with an alphabetical website name. That means an attacker can redirect users to a malicious website of their choice even if the victims entered the correct website name.

   How to avoid the phishing scam:

To protect against pharming attacks, organisations should encourage employees to enter login credentials only on HTTPS-protected sites. Companies should also implement anti-virus software on all corporate devices and apply virus database updates, along with security upgrades issued by a trusted Internet Service Provider (ISP), on a regular basis.
