Phishing attacks are a type of cyber attack that has been around since the internet’s inception. Though you might think no one would ever fall for a phishing attack, obviously some people fall for it, or else scammers would stop trying.
In fact, phishing is actually the most common type of cyber attack, with 3.4 billion phishing emails sent daily.
Since everyone with a device is at risk of being phished, it’s crucial for you to know how to spot one and not fall for it.
What is Phishing?
Phishing, pronounced like “fishing,” is a social engineering attack that depends on human emotion and deceit instead of technical vulnerabilities to “bait” or trick victims. The attacker pretends to be a trustworthy, legitimate individual or organization, like your bank, insurance company, government entity, police department, retailer or credit card company (remember those old Nigerian prince emails?). The attacker then sends a message to the victim with the hope that they will complete an action, such as:
- Reveal sensitive information or login credentials
- Download malware via a link, attachment or PDF
- Grant access to an account
- Send money, gift cards, money orders or other forms of untraceable payments
Phishing messages can come in many forms, including emails, texts, phone calls or social media messages. They rely on trust and urgency to bait the victim into acting quickly, and they hide the deception behind a seemingly innocuous request, like logging into your account to verify or update your credentials or installing a new application. Some phishers will create a fake login page that fools the victim into believing it’s real.
If a hacker gains an opening into your company, it can be disastrous. They can sell the stolen credentials, break into other employees’ accounts, steal company or client data, set up botnets or install ransomware, viruses and keyloggers.
8 Types of Phishing Attacks
The different types of phishing depend on where the message comes from and the complexity of the message. For example, some phishing attacks only use a few lines of compelling text, while others will create an “official” message with a logo and everything. Some phishers will research and create a relevant message specific to the recipient so they have a higher chance of opening it; hackers can gather information about a victim from social media, professional profiles on LinkedIn, company websites, online publications and even internet activity.
- Email phishing: this is the most common example of phishing. It entails sending a message to one or several victims via email to ensnare as many as possible. The idea is that out of thousands of potential victims, some will always take the bait.
- Spear phishing: a more sophisticated version, this uses highly targeted, customized messages to trick specific victims, often valuable people with high levels of access within the organization.
- Whaling: this is when the attacker creates an entire campaign around a high-profile “big fish” like C-level executives or board members, as these people can often authorize financial transactions or transfer sensitive data. Phishers will impersonate other senior management and use their authority to convince the victim.
- Clone phishing: rather than posing as a user or organization with a specific request, the phisher copies a legitimate email previously sent by the trusted organization and then uses link manipulation to replace the real link with a fraudulent one.
- SMiShing: this is when phishing messages are sent via texts or SMS. The scammer will pretend to be someone you know or a service you use.
- Vishing: voice phishing is when a scammer calls the victim and impersonates a reputable person or business.
- Quishing: this is when a phisher uses QR codes that direct victims to malicious websites.
- Angler phishing: phishers will impersonate customer service reps and contact the victim.
Anatomy of a Phishing Message
Several components make up a phishing message, which can make it easy to spot a phishing attack.
- The message will use urgent, intense language or scare tactics, as well as time-sensitive calls to action. An example would be telling the victim they will miss out on a reward if they don’t act now or that their account has been breached and they need to verify it. The idea is to fluster the victim and push them into taking action before they can study the message or verify it’s real. Some phishers will pose as a boss because workers are less likely to confirm their boss sent the message; who wants to accuse their boss of sending a scammy message?
- Phishers want their sender address to look like it comes from a legitimate entity, but fakes are often easy to detect. First, see if it comes from a public email provider like Gmail or Yahoo or from a corporate domain; even Google doesn’t send emails from a Gmail account. If the address contains special characters or is misspelled, that’s a sure sign. Some scammers might try “Arnazon” instead of “Amazon,” since “rn” looks like an “m.” Also, if the email address claims to be from Amazon but a link in the email doesn’t go to Amazon, it’s safe to say it’s probably a scam.
- Legitimate businesses will never ask for personal information like your credit card number, SSN or password via email, text or social media messages. You should also be wary of unusual requests, like a message claiming to be from your company that asks you to download a new application when that is normally done internally.
- A sure sign that you’ve received a phishing message is that it’s riddled with grammar, spelling and punctuation errors. Generic greetings like “dear sir or ma’am” are often signs of fake messages. You also wouldn’t expect a family member or friend to be formal, or a professional business or government agency to be overly friendly.
- Lastly, suspicious links and attachments are the main giveaways of phishing messages. Link domains are often shortened using services like bit.ly. Legitimate companies also won’t attach downloadable files to their messages. Instead, they will use SharePoint or Dropbox.
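The sender and link checks from the list above can be turned into a small triage script. This is an added example, not code from the original post; the free-mail and shortener lists, the homoglyph table and the sample message are constructed for illustration, and the registered-domain helper deliberately ignores the public-suffix list.

```python
import re
from urllib.parse import urlparse

# Constructed lists for this example; a production filter would use fuller sources.
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# "rn" renders like "m", "vv" like "w"; digits 0/1 are common stand-ins for o/l.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]
URL_RE = re.compile(r'https?://[^\s<>"\']+')


def normalize(label: str) -> str:
    """Collapse look-alike sequences so 'arnazon' compares equal to 'amazon'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def registered_domain(host: str) -> str:
    """Crude last-two-labels domain (fine for .com; no public-suffix list here)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_message(sender: str, claimed_brand_domain: str, body: str) -> list:
    """Return the red flags from the anatomy checklist that this message triggers."""
    flags = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    brand_label = claimed_brand_domain.lower().split(".")[0]
    sender_label = registered_domain(sender_domain).split(".")[0]
    if sender_domain in FREE_MAIL:
        flags.append(f"brand mail sent from free provider {sender_domain}")
    # Exact brand domain is fine; a domain that only matches after homoglyph
    # normalization is the 'Arnazon' trick.
    if sender_label != brand_label and normalize(sender_label) == normalize(brand_label):
        flags.append(f"look-alike sender domain {sender_domain} imitates {claimed_brand_domain}")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        dom = registered_domain(host)
        if dom in SHORTENERS:
            flags.append(f"shortened link {url}")
        elif dom != registered_domain(claimed_brand_domain):
            # Catches both unrelated hosts and 'amazon.com.evil.example' style subdomains.
            flags.append(f"link to {host} does not match {claimed_brand_domain}")
    return flags


# Constructed sample message for the example (not a real phishing email).
SAMPLE_BODY = ("Your account is locked. Verify now: https://bit.ly/abc123 "
               "or http://amazon.com.verify-login.example/login")
```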
How to Prevent Phishing Messages
Phishing is hard to prevent, as cyber criminals rely on humans and not technological issues; this means you could have the best, most robust cybersecurity compliance, but if one employee clicks on a malicious link, game over. Here are some tips on how to prevent phishing messages from wreaking havoc.
- Two-factor authentication: Enable and enforce two-factor authentication, as it adds an extra layer of security. Even if the hacker gets your credentials, they still lack the second factor.
- Password managers: password managers save your login information and can’t be fooled by a shortened URL; if a link takes you to a website that should have your saved credentials but doesn’t, it’s obvious you’re at a fake site. You should always have different passwords for different websites and regularly change your passwords.
- Email authentication protocols: Implement tools like Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate an email’s origin and help prevent phishers from impersonating legitimate domains.
- Ongoing awareness training: it’s unrealistic to think that your IT and security teams will identify all phishing attacks, so you must have your entire company prepared and aware. Create a culture of awareness and vigilance with memos, posters and videos; employees should know the importance of keeping information secure and the consequences if they don’t. Internal phishing simulations can help employees detect and avoid phishing attempts in a safe environment and show how susceptible your organization is. However, you should use simulations to educate and encourage employees, not point fingers and punish.
- If in doubt, don’t click: if you are unsure about a link or attachment, never click on it, even if it’s from someone you know. Always verify the message’s legitimacy before taking action, especially if you weren’t expecting something. If you receive a suspicious link, you can hover over it (don’t click!) and see if the URL is legit. If you think your bank, government or whoever really is trying to reach you, skip the link and log in the way you usually would. You can always call customer service and confirm they’re looking for you, too.
- Protection software: utilize anti-malware, anti-phishing and other protection software to scan incoming emails, block malicious websites, monitor network activity and block cyber attacks on your device. You should also keep your browser up-to-date and install firewalls.
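The email authentication item above (SPF, DKIM and DMARC) comes down to DNS TXT records, and a permissive record gives phishers almost as much room as no record at all. This added example, not part of the original post, parses constructed SPF and DMARC records for a hypothetical domain, example.com, and flags the weak settings next to the hardened ones.

```python
# Constructed DNS TXT records for a hypothetical domain (not from the post).
WEAK = {
    "example.com": "v=spf1 include:_spf.example.net ?all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
HARDENED = {
    "example.com": "v=spf1 include:_spf.example.net -all",
    # adkim/aspf=s require the DKIM d= and SPF domain to match the From: domain exactly.
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; unknown tags are kept as-is."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def assess(domain: str, records: dict) -> list:
    """Return findings for the domain's SPF and DMARC records (DKIM keys live per selector)."""
    findings = []
    spf = records.get(domain, "").strip()
    if not spf.startswith("v=spf1"):
        findings.append("no SPF record: receivers cannot tell which servers may send as this domain")
    elif not spf.endswith("-all"):
        # '?all' is neutral and '~all' is softfail; only '-all' hard-fails unlisted senders.
        findings.append(f"SPF ends with '{spf.split()[-1]}': unauthorized senders are not hard-failed")
    dmarc = parse_dmarc(records.get("_dmarc." + domain, ""))
    if dmarc.get("v") != "DMARC1":
        findings.append("no DMARC record: receivers have no policy for mail failing SPF/DKIM")
    else:
        policy = dmarc.get("p", "none")
        if policy == "none":
            findings.append("DMARC p=none: spoofed mail is reported but still delivered")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: spoofed mail goes to spam instead of being rejected")
        if "rua" not in dmarc:
            findings.append("no rua tag: aggregate reports of spoofing attempts are never sent")
    return findings


if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, assess("example.com", recs))
```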
Thriveon and Preventing Phishing
Thriveon is all about maintaining cybersecurity compliance and avoiding cyber attacks. Our professionally managed cybersecurity services will help your company expand its competitive edge and maintain true compliance standards.
Schedule a meeting with our staff now.