Phishing

Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms of electronic communication that are made to look like official communication from legitimate companies or individuals.

The information that phishers (as the cybercriminals behind phishing attacks are called) attempt to steal can be user names and passwords, credit card details, bank account information, or other credentials. Attackers can then use the stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from bank accounts and credit cards. Phishers can also sell the information in cybercriminal underground marketplaces.

How phishing works

Phishing attacks are scams that often use social engineering bait or lure content. For example, during tax season, bait content takes the form of tax-filing announcements that attempt to lure you into providing personal information such as your Social Security number or bank account information.

Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods used in phishing attacks. The phishing site typically mimics a sign-in page that asks users to enter login credentials and account information. The site captures the sensitive information as soon as the user submits it, giving the attacker access to it.

Another common phishing technique is an email that directs you to open a malicious attachment, for example a PDF file. The attachment often contains a message asking you to provide login credentials for another site, such as an email or file-sharing service, in order to open the document. When you sign in to one of these phishing sites with your credentials, the attacker has access to that account and can use it to gather additional personal information about you.

Invoice phishing

In this scam, the attacker attempts to lure you with an email stating that you have an outstanding invoice from a known vendor or company and provides a link for you to view and pay the invoice. When you access the site, the attacker is poised to steal your personal information and funds.

Payment/delivery scam

You are asked to provide a credit card or other personal information so that your payment information can be updated with a well-known vendor or supplier. The update is requested so that you can take delivery of goods you supposedly ordered. Typically you are familiar with the company and have likely done business with them in the past, but you are not aware of any items you have recently purchased from them.

Tax-themed phishing scams

A common IRS phishing scam is one in which an urgent email is sent indicating that you owe money to the IRS. The email often threatens legal action if you do not visit the site promptly and pay your taxes. When you access the site, the attackers can steal your credit card or bank information and drain your accounts.

Downloads

Another frequently used phishing scam is one in which an attacker sends a fraudulent email asking you to open or download a document, often one that requires you to sign in first.

Phishing emails that deliver other threats

Phishing emails can be very effective, so attackers also use them to distribute ransomware through links or attachments. When run, the ransomware encrypts files and displays a ransom note demanding payment to regain access to your files.

We have also seen phishing emails that link to tech support scam websites, which use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems.

Targeted attacks against enterprises

Spear phishing

Spear phishing is a targeted phishing attack that uses highly customized lure content. To carry out spear phishing, attackers typically do reconnaissance work first, surveying social media and other information sources about their intended target.

Spear phishing may involve tricking you into logging into a fake site and divulging credentials. It may also be designed to lure you into opening documents or clicking links that silently install malware. With this malware in place, attackers can remotely control the infected computer.

The implanted malware serves as the point of entry for a more sophisticated attack known as an advanced persistent threat (APT). APTs are generally designed to establish control and steal data over extended periods. As part of the attack, attackers often try to deploy additional covert hacking tools, move laterally to other computers, compromise or create privileged accounts, and regularly exfiltrate information from the compromised network.

Whaling

Whaling is a form of phishing in which the attack is directed at high-level or senior executives within specific companies, with the direct goal of obtaining their credentials and/or bank account information. The content of the email may be written as a legal subpoena, a customer complaint, or some other executive-level issue. This type of attack can also lead to an APT within the organization: when the link or attachment is opened, it can give the attacker access to credentials and other personal information, or launch malware that becomes the foothold for an APT.

Business email compromise

Business email compromise (BEC) is a sophisticated scam that targets businesses, often those working with foreign suppliers or those that regularly make wire transfer payments. One of the most common BEC schemes begins with a spear phishing attack to gain access to the company's network; the attacker then registers a domain similar to the targeted company's, or spoofs its email, to trick users into releasing account details or approving money transfers.

How to protect against phishing attacks

Social engineering attacks are designed to take advantage of a user's momentary lapse in judgment. Be aware, and never provide sensitive or personal information through email, on unknown websites, or over the phone. Remember, phishing emails are designed to appear legitimate.

Awareness

The best protection is awareness and education. Don't open attachments or click links in unsolicited emails, even if the email appears to come from a recognized source. If the email is unexpected, be wary about opening the attachment and verify the URL before visiting it.

Enterprises should educate and train their employees to be wary of any communication that requests personal or financial information, and instruct them to report the message to the company's security operations team immediately.

Here are several telltale signs of a phishing scam:

  • The links or URLs in the email do not point to the location they claim to, or send you to a third-party site that is not affiliated with the sender. For example, in the image below the URL shown does not match the URL you will actually be taken to.

    [Image: example of how exploit kits work]

  • The message requests personal information such as a Social Security number or bank or financial details. Official communications generally won't request personal information from you by email.

  • The sender's email address is altered so that it looks similar to a legitimate address but has added numbers or changed letters.

  • The message is unexpected and unsolicited. If you suddenly receive an email from an entity or a person you rarely deal with, consider the email suspect.

  • The message or the attachment asks you to enable macros, adjust security settings, or install applications. Normal emails do not ask you to do this.

  • The message contains errors. Legitimate corporate messages are less likely to have typographic or grammatical errors or to contain incorrect information.

  • The sender address does not match the signature on the message itself. For example, an email purports to be from Mary of Contoso Corp, but the sender address is john@example.com.

  • There are multiple recipients in the "To" field and they appear to be random addresses. Corporate messages are normally sent directly to individual recipients.

  • The greeting on the message does not address you personally. Apart from messages that mistakenly address a different person, those that misuse your name or pull your name directly from your email address tend to be malicious.

  • The website looks familiar but there are inconsistencies or things that are not quite right, such as outdated logos, typos, or requests for additional information that a legitimate sign-in page would not ask for.

  • The page that opens is not a live page but an image designed to look like the site you are familiar with. A pop-up may then appear requesting your credentials.

If in doubt, contact the business through known channels to verify whether a suspicious email is in fact legitimate.

For more information, download and read this Microsoft e-book on preventing social engineering attacks, especially in enterprise environments.
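Several of the signs above (a link whose visible text points to one site while its target points to another, links to hosts unrelated to the sender, a sender domain that is a near-miss of a real one, and a display name that claims one company while the address belongs to another) can be checked mechanically. The script below is an added example written for this page, not Microsoft's code and not part of the original article. The two sample messages are constructed for illustration, and TRUSTED_DOMAINS stands in for an organisation's own allowlist; the "registered domain" helper is deliberately naive (last two labels) and would need a public-suffix list for real use.

```python
"""Heuristic checks for the phishing tells listed above (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the organisation legitimately deals with.
TRUSTED_DOMAINS = {"contoso.com"}

# Constructed sample: display name claims Contoso, address is example.com,
# link text shows a Contoso URL while the href goes to a lookalike domain.
PHISH_EML = """\
From: "Mary (Contoso Corp)" <john@example.com>
To: victim@fabrikam.com
Subject: Outstanding invoice - action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please sign in to review your invoice:
<a href="http://c0ntoso.com/login">https://login.contoso.com/invoices</a></p>
<p>Mary, Contoso Corp</p>
</body></html>
"""

# Constructed sample of a message that trips none of the checks.
LEGIT_EML = """\
From: "Mary (Contoso Corp)" <mary@contoso.com>
To: victim@fabrikam.com
Subject: Your invoice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Invoice: <a href="https://login.contoso.com/invoices">https://login.contoso.com/invoices</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    # Link text such as "www.contoso.com/x" has no scheme; add one so it parses.
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def _registered_domain(host):
    # Naive: last two labels. Wrong for suffixes like co.uk; fine for the example.
    return ".".join(host.split(".")[-2:])


def _edit_distance(a, b):
    """Levenshtein distance, used to spot lookalikes such as c0ntoso.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike(domain):
    return [t for t in TRUSTED_DOMAINS if domain != t and _edit_distance(domain, t) <= 2]


def analyse(raw_message):
    """Return a list of human-readable phishing indicators found in one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, sender = parseaddr(msg["From"])
    sender_domain = sender.rsplit("@", 1)[-1].lower()

    # Sign: display name names a trusted brand, but the address is elsewhere.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display_name.lower() and sender_domain != trusted:
            findings.append(f"display name mentions {brand} but sender is {sender_domain}")
    for t in _lookalike(sender_domain):  # Sign: near-miss sender domain
        findings.append(f"sender domain {sender_domain} looks like {t}")

    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        href_host = _host(href)
        # Sign: the text looks like a URL but the real target is somewhere else.
        if re.match(r"^(https?://|www\.)", text) and _host(text) != href_host:
            findings.append(f"link text {text} but target {href}")
        # Sign: link goes to a domain unrelated to the sender or any trusted site.
        if _registered_domain(href_host) not in TRUSTED_DOMAINS | {_registered_domain(sender_domain)}:
            findings.append(f"link to third-party host {href_host}")
        for t in _lookalike(_registered_domain(href_host)):  # Sign: lookalike link host
            findings.append(f"link host {href_host} looks like {t}")
    return findings


if __name__ == "__main__":
    for name, eml in (("phish", PHISH_EML), ("legit", LEGIT_EML)):
        print(name, analyse(eml) or ["no indicators"])
```

Running it reports four indicators for the constructed phishing message (brand/sender mismatch, text/target mismatch, a third-party link host, and a lookalike link domain) and none for the legitimate one. These are heuristics, not a verdict: a message that trips none of them can still be phishing, which is why the "if in doubt, verify through a known channel" advice below still applies.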

Software solutions for organizations

  • Microsoft Edge and Windows Defender Application Guard offer protection from the growing threat of targeted attacks using Microsoft's Hyper-V virtualization technology. If a browsed website is not on the enterprise's trusted list, it is opened inside an isolated Hyper-V container, separated from the host operating system and from your enterprise data, so a malicious page cannot reach them.

  • Microsoft Exchange Online Protection (EOP) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies. Using multiple layers of filtering, EOP provides controls such as bulk mail filtering and international spam filtering that further strengthen your protection.

  • Use Office 365 Advanced Threat Protection (ATP) to help protect your email, files, and online storage against malware. It offers holistic protection across Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint Online, and OneDrive for Business. By blocking unsafe attachments and extending protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection.

For more tips and software solutions, see prevent malware infection.

What do I do if I've already been a victim of a phishing scam?

If you believe you have been a victim of a phishing attack, contact your IT admin. You should also immediately change all passwords associated with the affected accounts (from a device you trust, and by going to the real site directly rather than through any link in the suspicious email), and report any fraudulent activity to your bank, credit card company, and so on.

Reporting spam

Submit phishing scam emails to Microsoft by sending an email with the scam message as an attachment to: phish@office365.microsoft.com. For more information on submitting messages to Microsoft, see Submit spam, non-spam, and phishing scam messages to Microsoft for analysis.

For Outlook and Outlook on the web users, use the Report Message add-in for Microsoft Outlook. For information about how to install and use this tool, see Enable the Report Message add-in.

Send an email with the phishing scam to the Anti-Phishing Working Group: reportphishing@apwg.org. The group uses reports generated from these emails to fight phishing scams and the criminals behind them. ISPs, security vendors, financial institutions, and law enforcement agencies are involved.

Where to find more information about phishing attacks

For information on the latest phishing attacks, techniques, and trends, you can read these entries on the Microsoft Security blog: