Phishing gets lots of media attention; however, for many it is a bit of a mystery. What is phishing? Are there different types of phishing? How can you prevent a phishing attack? Let’s investigate each of these areas in detail.
What is phishing?
Wikipedia describes phishing as a fraudulent attempt to obtain sensitive information, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in an electronic communication. Attackers spoof their sender address to appear to be someone else, set up fake websites, and disguise website URLs. It is becoming harder to figure out who and what you can trust. Avanan’s 2019 Global Phish Report found that 1 in every 99 emails, and 1 in 25 branded emails, is a phishing attack. Microsoft and Amazon are the most popular brands used in phishing emails. Additionally, 30% of phishing emails slip through security programs, so the threat is significant.
Phishing campaigns have two primary objectives:
- Obtain sensitive information – Phishing emails often seek to get you to reveal important information, such as your username or password. This gives the attacker the information needed to access a system or account. It is very common for messages to appear to come from your bank, credit card company, or any number of other places you would expect to be reputable.
- Distribute malware – The emails that aren’t stealing your credentials are trying to infect your computer with malware hidden in attachments (you can read more about malware in our blog here). Often these .zip files or Microsoft Office documents appear to be something you are expecting, but in reality they carry malicious code. In 2017, it was estimated that 93% of phishing emails contained ransomware attachments.
Types of phishing
There are a few different types of phishing. However, the one thing they all have in common is the fraudulent attempt to obtain sensitive information. Major categories of phishing are:
- Spear phishing – Attackers craft a message targeted at a specific individual. Social media sites are often used to identify the target and gather information for the attack.
- Whaling – Similar to spear phishing, but the target is a high-value person: generally someone with power at a large organization, such as a CEO, senior executive or board member.
- Clone phishing – Attackers clone a legitimate, previously delivered email and replace the links and/or attachments with malicious ones. Clicking the links or opening the attachments enables the attacker to take control of your system and send additional malicious emails masquerading as you.
- Phone phishing – Similar to email phishing, but the caller claims to be a trustworthy entity like a bank or the government. They try to scare you with a problem that must be cleared up immediately. Their objective is to obtain account information or get you to send money.
- SMS phishing – These attacks are carried out by SMS text message. The message contains a malicious link that enables the attacker to obtain sensitive information.
Identifying and preventing a phishing attack
The harsh reality is that at some point virtually everyone and every organization will experience a phishing attack. The cost of phishing is significant. In 2018, the FBI’s Internet Crime Complaint Center reported that companies around the globe lost $12.0 billion to business email compromise. The cost goes beyond just dollars and cents. Phishing attacks lead to decreased productivity, loss of confidential data, and damage to company reputation. Deloitte reports that 1 in 3 consumers will drop a company like a hot potato after it experiences a cyber security breach.
However, there are steps you can take to reduce your chances of becoming a phishing victim.
- Trust your gut – If something seems too good to be true, then it likely is. Be suspicious, not trusting. Legitimate organizations will never send emails asking you to provide personal information over the web. A quick Google search for the subject or text of a suspicious email will often reveal whether it is a known phishing scam.
- Double check URLs – Before you click or enter personal information, double check URLs. It is very common for a link in an email to display one address while the actual URL is totally different. Hover over a link first to see where it really points.
- Look for URL redirects – Make sure you end up at the URL you expect and not at a different website with a virtually identical design.
- Don’t trust urgent/scary emails – Attackers are generally trying to create a sense of urgency or fear. Question emails that tell you to “Act Now” or “Pay Now”. According to KnowBe4, in Q1 of 2019 35% of phishing emails started with the subject line “Password check required immediately.”
- Watch for questionable attachments – Attachments are one of the most common ways to distribute malware. If an attachment looks even remotely suspicious, don’t trust it.
- Don’t share personal info on social media – Avoid sharing personal information such as your birthday, phone number, or address on any publicly accessible social media platform.
- Educate, educate, educate – Knowledge is understanding. Regular training on new threats and what to look for is key to preventing a phishing attack.
- Protect your data – Regularly back up all of your important data at both the organizational and individual level. For instance, implement an easy-to-use endpoint backup and protection solution like Data Deposit Box. Try it for free here.