Is your company protected against “SHING” attacks?

• Do we take into account the weakest link in the chain?
• Do we take into account the attacks of social engineering?
• Do we take into account the Human factor, which represents the 74% of incidents, according to him 2023 Data Breach Investigation Report of Verizon?

“He phishing is a technique that consists of sending an email by a cybercriminal to a user pretending to be a legitimate entity (social network, bank, public institution, company, supplier, partner, etc.) with the aim of steal information private, perform a economic charge O infect the device, through its content, attached files O links to fraudulent pages in the email”.

• Smishing, which combines the menages sms and the phishing as such, using text messages to direct victims to false, illicit, or fraudulent websites, and even request recipient users to take some type of action.

• wishing, consisting of an attack of phishing through a phone call, in which the caller tries to impersonate someone legitimate such as a company, an official body, a public administration, a supplier, a client, etc., and requests from the recipient of the call certain types of personal, private, or information. confidential, and even take some type of action.

• QRshing, which uses the reading of QR codes false, fraudulent, illicit, or malicious to lead users to a website o one form from which it is downloaded malware, or where request introduction of personal, private or confidential data.

• Spear phishing, which, being an attack of phishing In any of its modalities, it is a attack specifically directed at one person (or several) in the company, to a company employee, to a public body or administration, to a specific company, to a specific organization, to a politician, etc. It is a type of phishing further "studied”, elaborate and efficient, since cybercriminals have previously investigated the organization, its employees, the people to attack, already knowing the recipients, their habits, roles, responsibilities, capabilities, access they have, to information to which they can access, permissions to carry out certain types of activities and, therefore, what they can get out of them.

• Whale phishing, Whaling, O Whishing, which, being similar to spear phishing, differs from him in that, in this case, the attack is directed at specific people of very high standing. High profile within the company or organization (a “fat fish” of the organization such as the partners, the president, the members of the Board of Directors, the CEO, the General Director, the members of the C-Level, and even other types of corporate profiles, such as the DPO, etc.) , which have access and manage specific information of a confidential and strategic nature.

• Pharming, which consists of a type of phishing more sophisticated, since Cybercriminals redirect traffic from a real website, truthful and legitimate (through different types of techniques), to a fake website, fraudulent or illegitimate, where the privacy and security of the information is compromised.

• Clone phishing, consisting of a cybercriminal intercepts and previously obtains a legitimate organization email supplantada, which later modifies (generally by entering text with instructions for the recipient to apply, or a fraudulent link or even attached files with malware). This achieves a greater degree of reliability of the message and, therefore, more effectiveness.

• Angler phishing, O Phishing social, through which cybercriminals make a identity fraud, or simply, they pose as a technical support worker of a company (for example, the case of Fake Microsoft Technical Support who calls us by phone), or from the purchasing department, or billing department, or similar, to deceive the recipient and make them provide certain personal and/or confidential information of the company.

• CEO fraud. In this case, although similar to the previous case, there are also situations in which, within a company, the identity of a senior official is impersonated (generally with specific weight, such as the CEO, a manager, a department head, etc.), to ensure that the recipient of the message (an employee) trusts that the message really comes from who it seems to come from, being legitimate and , therefore, the employee does what he is told to do in that email. These types of attacks, or attack techniques, are also known as Ataques BEC (Business Email Compromise).

• Malvertising, which goes somewhat further, since the cybercriminals they come to buy advertising and ads on social networks and platforms (e.g. animated and clickable images and banners), including links to illegitimate and/or fraudulent sites. A specific case of this type of attacks is that of Pop-Up phishing, which displays pop-up messages (generally notices, advertisements, or advertisements) when visiting a web page. However, these fraudulent ads They could be displayed in any other way.

• Black Hat SEO, Search engine phishing, O SEO Poisoning. In this case, things are more complex, since the cybercriminals They have a strategy They work and invest money in manipulating SEM/SEO positioning of its links on the Internet, with the aim that they always appear in the first positions of search engines such as Google, Bing, and Yahoo.

• Fake WiFi Phishing, O Fake hotspot phishing, O Evil Twin Phishing, which consists of the cybercriminals generate a fake WiFi yours, which looks like another open public WiFi, already existing, and available, in a specific place, where users connect thinking it is the correct one.

• SIM Swapping, through which cybercriminals convince service providers to transfer phone number of the person you intend to attack to a new SIM card. With this, attackers gain access to messages and calls from the attacked person.

• Watering hole phishing, O watering hole attack, which involves a specific attack on a specific company or organization. The cybercriminals They detect the websites, domains or URLs that are visited the most or with the most traffic from the devices of the employees of a specific company and redirect them from those correct URLs to malicious URLs (owned and managed by the employees). cybercriminals) that can download malware. It can resemble the pharming, but it is not exactly the same.

• Hishing O Hardware phishing which, although it may not contemplate a technique of deception as in previous cases, consists of the cybercriminals, through various methods, “hide” malware on different devices (computers, laptops, mobile phones, etc.) that are going to be delivered to other users (rental, new sale, second-hand sale, etc.).

• He Pretexting seeks to get the attacked person (the victim) to provide personal and/or confidential information, using a “pretext" O "pretexts” (excuses) that address your interests, those of the company, the business, etc., and motivate you to do something specific due to a supposedly necessary urgency to act, urgency, aspects of solidarity, social issues, etc. Thus the cybercriminals They manipulate their victims into doing what they want them to do. Some cases, types or examples are the cheats O scams that refer to situations related to a supposed Technical support (for example, the case of Microsoft Technical Support), the case of CEO fraud, the economic ones, related to assumptions awards, inheritances and gambling, etc.

• He Baiting consists of depositing the leave "abandoned” a storage device (a USB stick, a removable hard drive, an SD memory, or another type of device) containing malware inside. The objective is that whoever finds it, takes it, accesses it, uses it and connects it to other devices, in order to infect you and thus spread said malware, affecting massively. Other variants, depending on the medium or place in which that malware resides, may be Fake WiFi Hotspot (where a WiFi access point), code reading Fraudulent QR codes (QRshing), fraud in Social Networks or Social Media (where they are shared URLs, links, links even images O multimedia elements clickable, from which the malware), Own Black Hat SEO, etc.

• He Tailgating, which is the set of techniques social engineering with which cybercriminals they get a Unauthorized access, to the company network (or any other service or system that has validation/login), by analyzing the behavior of users/employees. Some of these techniques can be Keylogging (by which the keystrokes carried out by users/employees), or the Bluetooth Hacking (or attack and access to communication Bluetooth for "sigh" O intercept the information that passes through it), among many others.

• Email (phishing traditional).
• SMS messages of text (smishing).
• calls telephone (wishes).
• QR codes (QRshing).

• The Email cyberattacks increased by 464%, according to him Mid-Year Cyberthreats Report of Acronis.

• He 41% of the cyber incidents They started with a case of phishing, according to him X-Force Threat Intelligence Index, of IBM.

• He Email is the main threat vector. He 98% of threats start with an email by way of attack directed at people, of which, the 12% are cases of phishing and the 49% cases of credential theft, according to him 2023 Data Breach Investigation Report of Verizon.

• Three out of four email incidents (phishing and others) are aimed at SMEs, according to Coveware.

• But the investment of companies regarding protections To combat these situations it refers, It barely accounts for 10% of their budgets, according to the Information Security Worldwide 2019 - 2025 of Gartner.