What is Phishing? How to Protect Yourself from Phishing?
Let’s face the truth: Phishing attacks don’t show any sign of slowing down. In its 2019 Phishing Trends and Intelligence Report, PhishLabs found that total phishing volume increased by 40.9% throughout 2018.
These attacks targeted a number of companies, especially financial services organizations, online and email service providers, and cloud/ file hosting firms. The growth of phishing attacks undeniably poses a significant threat to all businesses.
Therefore, it’s essential that all companies know what phishing is and how to protect themselves from phishing.
And that’s also the purpose of this article. Don’t hold off; just explore right now!
Table of contents
- What is phishing?
- How does phishing affect your business?
- 7 common types of phishing attacks
- How to spot a phishing attack
- How to protect yourself from phishing
- The bottom line
What is phishing?
Phishing, by definition, is a type of scam that tricks people into giving away sensitive information, such as usernames, passwords, bank account information, credit card numbers, network credentials, and more. The goal is usually to steal money or gain confidential information.
Typically, phishing victims receive a malspam (malicious email) or a text message that imitates a person or organization they trust, like a relative, coworker, bank, or government office. When they open the email or text, they find a message that requires them to go to a website and take immediate action or risk some sort of consequence.
If they take the bait and click the link, they are sent to an imitation of a legitimate website. They’re then asked to log in with their username and password credentials. In case they are gullible enough to comply, the sign-on information goes to attackers, who use it to steal identities, pilfer bank accounts, and sell private information on the black market.
Unlike other online threats, phishing doesn’t require particularly complicated technical expertise. According to Adam Kujawa, Director of Malwarebytes Labs, “Phishing is the simplest kind of cyberattack and, at the same time, the most dangerous and effective.” The reason is easy to understand: it attacks the most potent and most vulnerable computer on the planet, the human mind.
How does phishing affect your business?
The consequences of phishing can be much more severe than you think. More often than not, though, the culprits behind phishing attacks are not attempting to steal money from businesses at all. Instead, they are trying to steal something much more valuable: data.
According to an IBM report, a data breach costs an average of $3.86 million. However, a figure alone is not sufficient to communicate the consequences of a phishing attack. Therefore, let’s break it down.
Reputational damage
Following the announcement of a data breach, an organization’s reputation immediately takes a hit.
Headlines like “7.5 million Adobe Creative Cloud accounts exposed to the public” and “Cyber thieves took data on 145 million eBay customers by hacking 3 corporate employees” become mainstream news stories - no matter how formidable that company’s PR department might be.
The reports can take years - even decades - to fade from memory. As long as they linger, they impact public opinion.
Intellectual property issues
Intellectual property theft, in fact, is no less devastating. Phishing attacks can compromise trade secrets, customer lists, recipes, formulas, and research. For firms in manufacturing, food, pharmaceuticals, or technology, a single stolen design or patent can amount to millions in wasted research investment.
Loss of customers
Reputational damage and intellectual property are really just the beginning of the backlash.
News of a data breach actually makes customers nervous. In November 2017, only two months after a high-profile phishing attack at US credit reporting agency Equifax, as many as 40% of customers said they didn’t trust Equifax with their financial information at all.
Similarly, the 2015 TalkTalk data breach exposed the accounts of nearly 157,000 customers, including the bank account details and sort codes of over 15,000 of them. The consequence was plain to see - customers left in their thousands, and the company’s loss was around £60m in 2016 alone. The ramifications, as you can imagine, will continue for years to come.
Loss of company value
Data breaches not only affect consumer confidence, but they impact investor confidence as well.
A study by Comparitech showed that breached companies’ share prices hit a low point nearly 14 market days after a breach. On average, share prices fall 7.27% and underperform the NASDAQ by -4.18%.
Direct monetary costs
The direct monetary costs of phishing attacks are well documented and reported. According to the FBI’s 2018 Internet Crime Report:
- Business email compromise (BEC) attacks cost businesses in the US more than $1.2 billion.
- Direct deposit phishing, an attack that steals employee portal credentials and their salary, cost organizations more than $100 million.
- Gift card scams, a type of spear phishing attack, cost victims in the US $70 million.
Regulatory fines
Financial penalties for the mishandling or misuse of data have been in place for decades. Under GDPR (General Data Protection Regulation), the penalties can total €20 million or 4% of annual global turnover - whichever is higher.
In addition, phishing attacks on your business can also mean paying fines under regulatory frameworks like the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA). Investigating the incident and providing adequate compensation to the victims of stolen data can run into the millions.
Business disruption
No matter how large or small a breach might be, it inevitably leads to business disruption.
After its systems were infected via a phishing email, the multinational advertising company WPP instructed its 130,000 employees to “immediately disconnect and turn off all Windows servers, PCs, and laptops until further notice”.
Eventually, it took the company weeks to resume normal service.
7 common types of phishing attacks
1. Deceptive phishing
Deceptive phishing is by far the most popular type of phishing attack. In this type of scam, attackers impersonate a legitimate company in an attempt to steal personal data or login credentials. Those emails generally use threats and a sense of urgency to scare users into doing what the fraudsters want.
For example, PayPal scammers could send out an attack email that instructs recipients to click on a link to rectify discrepancies with their accounts. Then, the link redirects to a fake PayPal login page that collects a victim’s login credentials and sends them to the attackers.
The success of a deceptive phishing attack relies on how closely the email resembles a piece of official correspondence from the abused company.
2. Spear phishing
Instead of using spam-like tactics to blast thousands of people in massive email campaigns, spear phishing attacks target specific individuals within an organization.
Cybercriminals often turn to social media and company websites to research their victims. Information that is utilized includes full name, place of employment, job title, email address, and specific information about their job role. Once they have a profound understanding of their target, they can trick the recipient into believing that they are acquainted with the sender.
The ultimate goal is the same as in deceptive phishing: trick the victim into clicking on a malicious email attachment or URL so that they hand over their personal data. Given the amount of information needed to create a convincing attack, it comes as no surprise that spear phishing is commonplace on social media channels like LinkedIn, where attackers can draw on multiple data sources to craft a targeted attack email.
3. Whaling
What distinguishes whaling attacks from other types of phishing is the high-level choice of target. A whaling attack attempts to steal sensitive information and is typically aimed at senior management. As the victim is considered high-value, the stolen information will be much more valuable than what a regular employee could offer.
Although the goal of whaling is the same as any other type of phishing attacks, the technique tends to be much subtler. Tricks such as malicious URLs and fake links aren’t useful in this case, as criminals are attempting to imitate senior staff.
Instead, scams involving bogus tax returns are an increasingly popular variety of whaling. Tax forms are highly valued by attackers as they contain a host of useful information, including names, addresses, bank account information, and Social Security numbers.
4. Clone phishing
The idea behind clone phishing is to take advantage of a legitimate message that the victim may already have received and create a fake version of it.
The email is actually sent from an address resembling the legitimate individual or organization, and the message’s body looks the same as the previous message. The only difference is that the link or attachment in the message has been swapped out with a malicious one. The attacker may say something to explain why the victim receives the “same” message again, for instance, to resend the original or an updated version.
5. Vishing
Until now, we have discussed phishing attacks that rely solely on email as a means of communication. Undoubtedly, email is a popular tool among phishing attackers. Even so, fraudsters sometimes turn to other media to perpetrate their attacks. Take vishing as an example.
Vishing, or voice phishing, refers to phishing scams that take place over the phone. Among all the phishing types, it has the most human interaction but follows the same pattern of deception. Attackers will create a sense of urgency to convince a victim to divulge sensitive information.
The call will typically be made through a spoofed ID, so it looks like it comes from a trustworthy source. A common vishing scam involves a criminal posing as a fraud investigator (either from the bank or the card company) telling the victim that their account has been breached. Once they’ve gained the victim’s trust, they will ask for personal information such as login details, PIN, and passwords. Or the victim will be required to transfer money into a “secure” account, which means the criminal’s account.
6. Smishing
Smishing, or SMS phishing, involves criminals sending text messages to an individual’s phone number, usually to trick the user into clicking on a malicious link or handing over personal information.
For example, in February 2019, Nokia warned its customers to be careful of a smishing campaign in which attackers posed as the Finnish telecommunications multinational and sent out messages informing users that they had won money or a car. The fraudsters then asked recipients to send over money as a registration payment for their prize.
7. Pharming
This type of phishing leverages cache poisoning against the domain name system (DNS), the naming system the Internet uses to convert alphabetic website names, such as “www.mageplaza.com”, into numerical IP addresses in order to locate and direct visitors to computer services and devices.
A pharmer can target a DNS server under a pharming attack and change the IP address associated with an alphabetical website name. This means an attacker can redirect users to a malicious website of their choice. That is the case even if the victim enters the correct site name.
How to spot a phishing attack
Spotting a phishing attack has become a lot harder than it used to be, as cybercriminals have honed their skills and grown more sophisticated in their attack methods. The phishing emails that reach our inboxes every day are increasingly well personalized and well written, and carry the same logos and language as the brands we know and trust.
Despite the sophistication and convincing nature of these emails, there are still some signs that may alert us to a phishing email.
A mismatched URL
One of the first things to check in a suspicious email is the validity of its links. Hover your mouse over a link without clicking it and the full hyperlinked address appears. Even if the message looks perfectly legitimate, a destination URL that doesn’t match the address displayed in the text is an indication that the message is fake and likely a phishing email.
The email asks for personal information
A reputable and trustworthy company will never send out an email asking for customers’ private information such as account number, PIN, password, or security questions. If you receive an email requesting these pieces of information, it is likely to be a phishing email and should be deleted immediately.
Poor spelling and grammar
Cybercriminals, in reality, are not renowned for their spelling and grammar. Whenever trustworthy companies send out emails to customers, they are generally proofed by copywriters to ensure the spelling and grammar are correct. If you identify any spelling mistakes or poor grammar within an email, chances are it doesn’t come from an official organization and can indicate a phishing email.
The use of threatening or urgent language
A common phishing tactic is to promote urgency or a sense of fear to rush someone into clicking on a link. Attackers will often use threats that your security has been compromised and that urgent action is required to remedy the situation.
Be wary of subject lines such as “your account has been suspended” or “unauthorised login attempt”. If you are not sure whether the request is legitimate, contact the company directly via their official telephone number or website.
A suspicious attachment
Alarm bells should be ringing if you see an email from a company that contains an attachment, especially when it relates to something unexpected. The attachment might contain a malicious URL or a trojan, leading to malware or viruses being installed on your network or PC. Even if you believe the attachment is genuine, it is good practice to always scan it first with antivirus software.
It’s “too good to be true”
If an email informs you that you have won a competition you didn’t enter, or asks you to click on a link to receive a prize, it is highly likely to be a phishing email. If an offer seems too good to be true, it usually is!
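As an added example (not part of the original article), the following Python script applies four of the signs above to a constructed sample message: it compares each link’s visible address with its real destination, looks for urgent phrases in the subject and body, checks for requests for credentials, and flags attachments with executable extensions. The sample message, hostnames, phrase lists and attachment name are all constructed for illustration, not taken from any real campaign.

```python
import re
from urllib.parse import urlparse

# Constructed sample message (not a real campaign): an "account suspended" notice
# whose link text shows the brand's domain while the real href goes elsewhere.
# example.com and the .test TLD are reserved names and resolve to nothing real.
SAMPLE_SUBJECT = "URGENT: your account has been suspended"
SAMPLE_HTML = """<p>We detected an unauthorised login attempt. Confirm your
password and PIN within 24 hours or your account will be closed.</p>
<a href="http://login.examp1e-secure.test/verify">https://www.example.com/account</a>"""
SAMPLE_ATTACHMENTS = ["statement.pdf.exe"]

URGENT_PHRASES = ("account has been suspended", "unauthorised login attempt",
                  "urgent", "within 24 hours")
CREDENTIAL_WORDS = ("password", "pin", "security question", "account number")
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".vbs", ".bat")
ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<>\"']+|www\.[^\s<>\"']+", re.I)


def hostname(url):
    """Lower-cased host of a URL, tolerating a missing scheme (e.g. www.x.com)."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.I):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(subject, html, attachments):
    """Return the red flags from the checklist above that appear in one message."""
    body = re.sub(r"<[^>]+>", " ", html).lower()   # strip tags for keyword checks
    flags = []
    for href, text in ANCHOR_RE.findall(html):
        shown = URL_RE.search(text)                 # the address the reader sees
        if shown and hostname(shown.group(0)) != hostname(href):
            flags.append(f"mismatched URL: shows {hostname(shown.group(0))}, "
                         f"goes to {hostname(href)}")
    if any(p in subject.lower() or p in body for p in URGENT_PHRASES):
        flags.append("urgent or threatening language")
    if any(re.search(rf"\b{re.escape(w)}\b", body) for w in CREDENTIAL_WORDS):
        flags.append("asks for credentials or personal information")
    flags += [f"suspicious attachment: {n}" for n in attachments
              if n.lower().endswith(RISKY_EXTENSIONS)]
    return flags


if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE_SUBJECT, SAMPLE_HTML, SAMPLE_ATTACHMENTS):
        print("-", flag)
```

Heuristics like these are a triage aid, not proof: a well-crafted message can pass every check, so a clean result still warrants verifying the request through the company’s official channels.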
How to protect yourself from phishing
Phishing prevention is rarely a single course of action and is best implemented using a combination of methods. So, some common best practices to protect yourself from phishing include:
Never click on suspicious links
Most of us are curious about the news of lottery wins, free downloads of software or other digital products, urgent deadlines, pending collections of expensive items, donations to charities, etc. These typically originate from entirely random and unknown sources.
Therefore, apply extra scrutiny to any email that offers unrealistic rewards or threats, or that uses abnormal language (e.g., too many exclamation marks, bold letters, underlines, etc.). To verify its authenticity, contact the company directly using the contact information they make publicly available.
Avoid using open and public networks
Data sent via public networks is often not encrypted, and this provides opportunities for attackers to sniff out important information, such as account usernames, passwords, purchase transactions, and other browsing activities.
So, stick to as few public Wi-Fi networks as possible. The more networks you sign up to, the more likely that you’ll stumble across one that isn’t treating your data and browsing as carefully as it should be.
Verify the security of a site
Before providing any information on a website, you should always check that the site is safe and secure. The simplest check is the URL: if it begins with “https” instead of “http”, the site has been secured using an SSL certificate (the S stands for secure).
SSL certificates ensure that your data is encrypted as it passes from your browser to the website’s server. There should also be a small padlock icon near the address bar, which likewise indicates the connection is secure. Note that the padlock only confirms the connection is encrypted, so also check that the domain itself is the one you expect.
Use two-step authentication
Two-step authentication is widely used to add a layer of security to your online accounts. The most popular form when logging into an account is entering your password and then receiving a code by text message on your phone, which you must also enter. This method makes it harder for attackers to access your account.
Be careful what you post online
The Internet and social media channels have transformed how we communicate with each other on a daily basis. Nevertheless, this sharing culture has provided cybercriminals with a simple way to profile potential victims, making sure their phishing attempts are more targeted and harder to identify.
Attackers are taking advantage of social media sites to access personal information such as age, job title, location, email address, and social activities. With access to this personal data, hackers can launch a highly targeted and personalized phishing attack.
To reduce your chance of falling into a phishing trap, think more carefully about what you post online, use enhanced privacy options, restrict access to anyone you don’t know, and create strong passwords for your social media accounts.
Educate your employees
Even though companies may have the most robust security defense systems in place, these offer little protection if attackers can bypass the traditional technological defenses and get straight to an employee to trick them into providing sensitive information.
As a matter of fact, hackers are increasingly targeting what they perceive as the weakest link in a company’s defenses - its employees! Therefore, it’s essential to educate staff and provide regular training courses on what they should be taking into account and how they can play their role in preventing a cyber-attack.
Install anti-virus software
Anti-virus software is undoubtedly the first line of defense in detecting threats to your PC and blocking unauthorized users from gaining access. It is also necessary to make sure that your software is updated regularly, so that hackers are unable to access your network through vulnerabilities in older and outdated programs.
The bottom line
Using the guide above, businesses can more quickly understand what phishing is and how to prevent it. Even so, that doesn’t always mean they will be able to spot each and every phish. Phishing is, in fact, constantly evolving to adopt new forms and techniques.
With that in mind, it is imperative that businesses conduct security awareness training on an ongoing basis so that their executives and staff can stay on top of phishing’s evolution.