Phishing attacks are a form of social engineering where a cybercriminal imitates a trusted entity and tricks an individual into opening a fraudulent email, SMS, or instant message. This message is designed to deceive the victim into sharing sensitive information or clicking a link that will run malicious code.
In the past year, 83% of all cyberattacks in the UK were phishing attacks. Unfortunately, if these lead to a data breach or ransomware attack, this can be devastating for businesses, and they often result in a loss of customers. The phishing methods that cybercriminals use are becoming more complex, so it is important to understand these methods to be able to spot them before your business falls victim to a cyberattack.
Bulk phishing is the most common form of phishing attack. This is where a cybercriminal sends a large number of fraudulent emails to employees and individuals. Although they are not tailored to the victim, they can be effective as if enough emails are sent, eventually someone will open one.
Examples of bulk phishing attempts include emails relating to winning a prize, issues with the user’s account, or emails stating that a password has expired and needs to be changed. Some of these can easily be spotted due to poor grammar, spelling and design of the email, however others are nearly indistinguishable from an official email. You should always check where an email has come from and look for different spellings of the email address or URLs in the text. If you are ever in doubt, it is always safer to not open an email.
Spear phishing is an attack where the cybercriminal has researched their target and found personal information to be able to tailor the attack to them. This is typically more successful than bulk phishing as when an email contains personal information it lowers the target’s guard, making them more likely to open a malicious link or file.
These emails may include the victim’s name, or place of work, imitating a supplier or third-party technical support requiring the user to send their password for security purposes. Spear phishing attempts can be difficult to spot, however you should always verify suspicious requests in person if possible and never share your password with others.
Whaling is a form of spear phishing where the attacker targets a company’s executives in order to steal login credentials. This can be devastating for a company, as an executive’s account often has a high-level access to the network along with employee and customer data. Threat actors may also use a spear phishing attack to gain access to an employee’s email account then use their account to phish the executive as they are more likely to trust an email from an employee than an unknown individual.
It is important for an entire company to aware and educated about cybersecurity, especially executives, and there should be policies and software in place to avoid high level employees being phished.
Vishing and Smishing
Vishing also known as voice phishing are attacks performed over the phone or VoIP. These are often messages imitating a bank or technical support asking for account information for security purposes. These can be detected as fraudulent as a company will never ask for personal information over the phone. Another method of detecting if a call is fraudulent is by checking to make sure the number that has called is listed on the official company website and not a known scam phone number.
Smishing or SMS phishing, is using phone text messaging to mislead or deceive a victim. These can be particularly effective as text messages are more likely to be read and responded to, rather than emails. It is important to apply the same level of scrutiny to phone calls and text messages that you would an email, as it is just as dangerous of an attack vector.
What Can You Do?
Phishing has been a common cyberthreat for a long period of time, and it is unlikely to stop anytime soon, especially as cybercriminals are constantly changing their methods to be more complex and difficult to identify. It is important that all employees are aware of phishing methods to avoid being victim to an attack. However, it only takes one employee opening a malicious link or file to have a company-wide data breach. It is in a company’s best interest to have software that uses AI to block phishing attacks before they even land in your inbox.