Spoofing is one of the many ways in which a spear phishing attack is perpetrated. Once the attacker has some sense of their target’s habits, they disguise themselves as a trusted source, often by changing an email address, name, phone number, or URL by just one letter, symbol, or number. Unless the target is paying close attention, the subtle change can easily go unnoticed.
Once attackers convince their targets that these “spoofed” communications come from a trusted source, they can use that trust to ask for sensitive information or money, or to trick the target into downloading malicious software. When in doubt about the authenticity of an email, text message, phone call, or website, take a very close look at the address, and if you’re still unsure, reach out to the supposed sender on a different platform to confirm the communication is real.
Like spoofing, pretexting is a type of attack in which cyber criminals assume a false identity, but this type of attack goes a step further. Instead of just assuming the identity of a known and trusted source, the attacker assumes the identity of some sort of authority figure or service provider by concocting a plausible situation.
For example, the attack could be perpetrated by someone claiming to be a bank representative checking on a suspicious transaction. More sophisticated attackers might even have some basic information about their targets — such as their name, phone number, and the last four digits of their bank card — which they can use to establish credibility when requesting more sensitive information, claiming they need it for verification purposes. That’s why it’s always important to confirm the identity of any unfamiliar caller or email asking for personal information for any purpose.
Typosquatting, also referred to as URL hijacking, occurs when a malicious actor purchases a domain name that closely resembles a trusted brand’s website. It’s a more passive form of spoofing, but in this case, attackers are depending on users to misspell a website address themselves. If a user were to accidentally misspell the URL they are looking for, they might end up on a site that looks like the one they wanted to visit, but is actually set up to perpetrate an attack.
For example, website URLs like Goggle.com and Goole.com have been used in the past to attack unsuspecting users intending to visit Google.com. Some of these sites just want to serve up popup ads to bring in some advertising revenue; others will seek to install malicious software onto visitors’ devices. It might seem like a minor mistake, but it can have significant consequences, so always double check any address you type in manually before clicking “enter.”
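The one-character address changes described under spoofing and the misspelled brand domains described under typosquatting can both be caught mechanically rather than by eye. The following is an added example (not code from the original article or from HP) that classifies a domain, or the domain of an email From: header, against a constructed allow-list of trusted domains: an exact match is trusted, a domain within a small edit distance of a trusted one (after folding common look-alike characters such as `rn` for `m` or `0` for `o`) is reported as a lookalike, and anything else is unknown. The allow-list, the confusable table and the distance threshold are assumptions chosen for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allow-list of domains the organization actually deals with
# (an assumption for this example; a real deployment would load it from config).
TRUSTED_DOMAINS = {"google.com", "example-bank.com"}

# Constructed table of character substitutions that visually imitate another
# character; folding them lets "g00gle" and "exarnple" compare equal to the real name.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Lower-case, drop accents/non-ASCII (NFKD), then fold the confusable table."""
    d = domain.strip().lower().rstrip(".")
    d = unicodedata.normalize("NFKD", d).encode("ascii", "ignore").decode()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) using the two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return ("trusted", d), ("lookalike", matched_trusted_domain) or ("unknown", d)."""
    raw = domain.strip().lower().rstrip(".")
    # Exact match, or a genuine subdomain of a trusted domain, is trusted.
    if raw in trusted or any(raw.endswith("." + t) for t in trusted):
        return ("trusted", raw)
    norm = normalize(raw)
    best, best_dist = None, None
    for t in trusted:
        dist = levenshtein(norm, normalize(t))
        if dist <= max_distance and (best_dist is None or dist < best_dist):
            best, best_dist = t, dist
    # "google.com.evil.example": a trusted name placed as the leading labels of a
    # different registrable domain is a lookalike even though the edit distance is large.
    if best is None:
        for t in trusted:
            if raw.startswith(t + "."):
                best = t
    if best is not None:
        return ("lookalike", best)
    return ("unknown", raw)


def classify_sender(from_header: str):
    """Classify the domain in a From: header such as 'Display Name <user@host>'."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("unknown", addr)
    return classify_domain(addr.rsplit("@", 1)[1])


if __name__ == "__main__":
    # Constructed samples, including the two misspellings quoted in the article.
    for sample in ["Goggle.com", "Goole.com", "g00gle.com", "google.com",
                   "google.com.login-page.test", "unrelated.org"]:
        print(sample, "->", classify_domain(sample))
    print(classify_sender("Google Support <alerts@g00gle.com>"))
```

Non-Latin confusables (for example a Cyrillic letter standing in for a Latin one) are not mapped but dropped by the ASCII fold, so they surface as deletions and still fall within the edit-distance threshold; for very short trusted domains the threshold of 2 should be lowered to avoid false positives. A mail gateway or browser extension would run `classify_sender` or `classify_domain` on every inbound address and warn the user on a "lookalike" verdict, which is exactly the close look at the address that the article asks people to take by hand.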
6. Shoulder surfing
During the pandemic, laptops stayed put at home. But as employees move their devices back and forth between the office and home, travel for business, and set up temporary digs in other shared workspaces, the risk grows. In these settings, stealing sensitive data can be as easy as glancing over a would-be target’s shoulder for a beat too long to see what’s on their screen, which is enough for someone to pick up login credentials or a PIN code. Shoulder surfing, as it’s known, is a form of social engineering in which an attacker gathers secret information in order to access devices or services later. One way to counter it is with a product like HP Sure View, an integrated privacy screen that blurs what can be seen from an angle and can be toggled on and off in less sensitive situations.
7. Zero-click attack
Zero-click attacks, also known as “zero-click exploits,” require no action on behalf of the victim, meaning that even the most vigilant employee can fall prey. To make matters worse, these types of attacks often leave little trace behind, which makes detection extremely difficult.
Instead of relying on social engineering, these attacks depend on exploiting vulnerabilities in software applications, often messaging and voice calling apps. Once they get access, attackers can extract information or money from their targets in a variety of ways, such as installing ransomware or stealing customer or employee data. While individual employees may not be able to spot a zero-click attack, they can help prevent them by keeping their operating systems and apps up to date, only downloading apps from official app stores, and deleting any apps that are no longer in use.
“Threat actors will continue to target employees because they view them as the weakest link,” says Pratt. “But with the right communication and training, employees can become an organization’s strongest line of defense.”