Phishing
Phishing is the practice of sending fraudulent emails that appear to come from a reputable source. These attacks trick individuals into revealing sensitive data, including passwords and credit card numbers.
What is Phishing?
Phishing attacks are counterfeit communications that claim to be from a trusted source, such as a known contact or organization. A phishing email typically contains malicious attachments or links to websites. If the message tricks the victim, he or she is lured into providing confidential information. Sometimes malware is also downloaded onto the target’s computer.
The term phishing can be traced back to the 1990s when hackers would pretend to be AOL administrators and phish for login credentials, so they could browse the internet for free. A group known as the Warez community would steal users’ information and create fake random credit card numbers to get an AOL account.
Over the past few years, the pandemic has forced numerous companies to go remote, thus improving the success rate of phishing campaigns. These attacks are becoming more common and more sophisticated over time, so it’s essential to understand the types of phishing and how to defend against them.
Types of Phishing
Phishing attacks are the single greatest threat to organizations today. In Q1 of 2022, APWG recorded over 1 million phishing attacks, and in 2021, almost 40% of cyber breaches featured phishing. Generally, there are five common types of phishing attacks to look out for. Each attack uses slightly different techniques, but they all have the same objective — to steal our personal data and infect our devices. Learn more about the types of phishing below.
Email Phishing
Most phishing attacks are via email. Typically, an attacker will register a fake domain that mimics a real organization and send out thousands of generic requests to users. They may add or replace characters, use subdomains, or use the trusted organization’s name as the email username. Email phishing attacks use a sense of urgency, or threat, to coerce a user into acting quickly without checking the source or authenticity of the email.
Spear Phishing
Spear phishing takes place when the hacker knows which specific individual or organization they are after and attempts to trick them into believing they have a connection with the sender. They research the victim to obtain information, including their name, place of employment, job title, and email address. This way, the attack is highly personalized and increases the likelihood of the target falling into their trap.
Whaling Phishing
A whaling attack is a special form of phishing that takes aim at senior executives, such as the CEO or CFO. In this case, the attacker’s goal is to manipulate the victim into authorizing high-value wire transfers to a financial institution of their choice. In most cases, criminals will not use fake links or malicious URLs because they are trying to impersonate senior staff. Whaling attacks will often use social media, including Facebook, Twitter, and LinkedIn, to gather personal information about their victim and make the attack more plausible.
Search Engine Phishing
A phishing scam may involve directing the user to a fake website via search engines. In search engine phishing, hackers work to get their fraudulent site into the top position of the search results for a given query. When a user clicks on the link displayed in the top results, it directs them to the hacker’s phishing website. The fraudulent site may collect credit card information when the user attempts to buy a product. Hacker sites can impersonate any type of website, but banks, money transfer sites, social media, and shopping sites are prime candidates.
Vishing and Smishing
Vishing and smishing are two types of social engineering attacks that use SMS (smishing) and voice (vishing) to trick a victim into handing over money or personal information. An attacker can execute a vishing campaign by setting up a VoIP server to mimic various entities to steal data and/or funds. Smishing leverages text messages with malicious links to achieve the same goal.
Angler Phishing
Angler phishing is a relatively new type of phishing attack that targets social media users. An attacker will disguise themselves as a customer service account, hoping to reach an upset customer. The fake account will offer the person a link that they claim will take them directly to an agent ready to help them. Instead, clicking on it will either install malware or lead them to another website used to get information or money from them.
How to Identify Phishing Emails
The only way to spot a phishing scam is by knowing what a typical phishing email looks like. An attacker will use social engineering tactics to make the email look genuine and include a request to click on a link, open an attachment, or provide valuable information. Phishing emails often escape detection by email filters due to their sophistication. However, they all have certain characteristics and are frequently constructed to trigger emotions such as fear, curiosity, sympathy, and greed. Telltale signs of a phishing scam include the following:
Legitimate businesses will never request login credentials, bank account information, social security numbers, or other sensitive data by email. Emails from an unexpected or unfamiliar sender that ask for personal information should be treated with caution because they are probably a scam.
Phishing scams often attempt to impersonate official organizations. You can check if the email is sent from a verified domain by checking the “from” field. For example, if Amazon sends you an email, it will be from @amazon.com rather than @clients.amazon.org. If you’re unsure, check the sender’s address against previous emails from the same organization.
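The sender-domain check above, together with the character-swap, subdomain and username tricks described under Email Phishing, as an added Python example; this code is not from the article. The trusted domain, the category labels and the sample headers are constructed, and the registered-domain helper assumes two-label public suffixes.

```python
from email.utils import parseaddr

def sender_domain(from_header: str) -> tuple:
    """Split a From: header into (local part, domain), lowercased."""
    _, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    return local, domain

def registered_domain(domain: str) -> str:
    """Last two labels, e.g. clients.amazon.org -> amazon.org.
    Assumption: two-label public suffixes only (co.uk-style suffixes not handled)."""
    return ".".join(domain.split(".")[-2:])

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch added or replaced characters (amaz0n, amazonn)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, trusted: str = "amazon.com") -> str:
    """Label the sender domain relative to the trusted one (labels are constructed here)."""
    local, domain = sender_domain(from_header)
    trusted = trusted.lower()
    name = trusted.split(".")[0]                        # 'amazon'
    if domain == trusted or domain.endswith("." + trusted):
        return "ok"                                     # amazon.com, mail.amazon.com
    reg_name = registered_domain(domain).split(".")[0]
    if reg_name == name:
        return "wrong-tld"                              # clients.amazon.org
    if name in domain:
        return "name-in-subdomain"                      # amazon.com.evil-login.net
    if levenshtein(reg_name, name) <= 2:
        return "lookalike-name"                         # amaz0n.com; short brand names give false positives
    if name in local:
        return "name-in-username"                       # amazon-support@gmail.com
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample headers, one per trick described in the article.
    for hdr in ['"Amazon" <no-reply@amazon.com>', '"Amazon" <help@clients.amazon.org>',
                "<alert@amazon.com.evil-login.net>", "<security@amaz0n.com>",
                "<amazon-support@gmail.com>"]:
        print(f"{classify_sender(hdr):20} {hdr}")
```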
Most work-related file sharing uses collaboration tools such as SharePoint, OneDrive, or Dropbox. A legitimate company will never attach or expect you to download files directly from their emails. If a link or attachment has an unfamiliar extension or one commonly associated with malware (.zip, .exe, .scr, etc.), it’s most likely a phishing email.
Bad grammar and spelling mistakes are an easy way to spot phishing scams. Many companies use spell-checking tools on outgoing emails by default to ensure their emails are grammatically correct. Attackers deliberately insert grammatical errors to weed out less cautious users, who make easier targets.
How to Prevent Phishing
Phishing scams have been around practically since the inception of the internet, and they allow cybercriminals to make huge profits. Unfortunately, because of phishing’s success, it will not go away anytime soon. However, there are ways to avoid becoming a victim yourself. Follow these basic guidelines below to keep you and your organization safe from phishing attacks.
New phishing scams develop every day. It’s important to stay informed about the latest techniques so organizations don’t fall prey to one. Ongoing security awareness training and simulated phishing are highly recommended for all users within the company.
As a general rule, you should never click on links that appear in random emails or instant messages. Hover the cursor over any links to ensure they will take you to the expected site. Also, look for HTTPS:// at the start of the URL.
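An added example, not from the article, of doing the hover check programmatically: it pulls the links out of a constructed HTML email body and flags any whose visible text names a different host than the real href, or that do not start with https://.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s: str) -> str:
    """Hostname of a URL or of bare text such as 'www.paypal.com/login', without 'www.'."""
    parsed = urlparse(s if "://" in s else "http://" + s)
    return (parsed.hostname or "").lower().removeprefix("www.")

def suspicious_links(html: str) -> list:
    """Return (href, reasons) for links whose text names another host or that are not https."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        actual = host_of(href)
        # Only treat the visible text as a host name if it looks like one.
        shown = host_of(text) if "." in text.rstrip("./") and " " not in text else ""
        reasons = []
        if shown and shown != actual and not actual.endswith("." + shown):
            reasons.append(f"text shows {shown} but link goes to {actual}")
        if not href.lower().startswith("https://"):
            reasons.append("not https")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample body: one mismatched http link and one honest https link.
SAMPLE = ('<p>Your account is locked. Verify at '
          '<a href="http://paypal.com.verify-login.net/x">www.paypal.com/login</a> '
          'or contact <a href="https://www.paypal.com/">PayPal</a>.</p>')
```

Running `suspicious_links(SAMPLE)` reports only the first link, with both the host mismatch and the missing https as reasons.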
Most popular internet browsers allow you to customize them with anti-phishing toolbars. These toolbars run quick checks on the websites you’re visiting and compare them against a list of known phishing sites. If a threat is detected, the toolbar will alert you about it.
Before submitting any of your personal information, make sure the site’s URL begins with “HTTPS” and that there is a closed lock icon near the address bar. You should also check the site’s security certificate to be safe. Keep in mind that HTTPS only means the connection is encrypted: phishing sites can obtain valid certificates too, so the lock icon does not prove that the site belongs to the organization it imitates, and the domain name in the address bar still needs to match.
Firewalls act as a buffer between you, your computer, and outside attackers. For the best defense, you should use a desktop firewall and a network firewall. When used together, they significantly reduce the chances of a hacker infiltrating your environment.
Phishing Frequently Asked Questions
Phishing is a technique used to “fish” for usernames, passwords, and other sensitive information from a “sea” of users. The term phishing and its concept were introduced in the ’90s when a group of hackers known as the Warez community would impersonate AOL employees to steal users’ data.
Phishing schemes use fake emails to trick the recipient into taking the attacker’s desired action. The main goal of phishing is to obtain information, money, or both from unsuspecting victims or their associated organizations.
If you click on a phishing link but do not submit any information to the web page, you may not be at risk for an attack. However, the link might still have been used to deploy malware or spyware, so it’s a good idea to notify your security team.
Your email spam filters work to keep many phishing emails out of your inbox. But scammers are always looking for new and innovative ways to carry out an attack, so extra layers of protection can help. You can follow our seven prevention tips above to avoid a phishing scam.
A variety of tools are available to help protect your business, employees, and customers from phishing attacks. Platforms such as KnowBe4, Infosec IQ, and ProofPoint offer both phishing awareness training and simulations to elevate your defense strategy. At Mindcore, we are proud to be KnowBe4 advisors and work to improve your cyber security defenses by applying the KnowBe4 platform’s tactics.