While there are numerous cyber threats facing businesses today, phishing attacks are among the most harmful. Given the ease with which phishing attacks can be deployed, it’s not surprising that threat actors continue to leverage phishing emails, despite there being more complex forms of attacks available to them.
In fact, according to the FBI’s Internet Crime Complaint Center (IC3) report, there were 323,972 phishing victims in the US in 2021 alone. Another report by Verizon found that approximately 36% of all data breaches result from phishing. Unfortunately, these statistics show just how prevalent phishing attacks are.
In this post, we’ll guide you through everything you need to know about phishing attacks, including how to safeguard your business from phishing threats.
What is a Phishing Attack?
Phishing attacks are a form of email-based cyber attack in which the threat actor poses as a trusted individual or organization to dupe victims into sharing confidential information. These attacks enable attackers to access valuable data and online accounts, compromise connected systems, and in some instances, hijack entire networks until a ransom is paid. Because of how easy it is to send mass emails, phishing attacks have become one of the most popular types of social engineering attacks.
6 Types of Phishing Attacks
One of the most frustrating aspects of phishing attacks is that many people fall victim despite being aware of what phishing is and how it works. With a better understanding of the different types of phishing attacks, your employees stand a better chance of spotting these attempts and avoiding them. Here’s a look at the common types of phishing attacks:
1. Email Phishing
Most often, phishing attacks are sent by email. Threat actors send emails to unsuspecting users impersonating a known individual or brand to persuade victims to click a malicious link or attachment.
To identify email phishing:
- Look for any discrepancies such as misspellings or a sender email address with a faulty domain
- Countercheck brand logos to ascertain that they are not fake
- Avoid emails that consist only of images, as they may be hiding malicious code or links
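The three indicators above (a lookalike sender domain, a trusted brand name on an untrusted address, an image-only body) can be checked automatically at the mail gateway. The following is an added example, not code from the original post or from Electric; the trusted-domain allowlist, the indicator codes, the two-edit lookalike threshold and the sample message are all constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
# Constructed allowlist of domains and brand names this organisation trusts.
TRUSTED_DOMAINS = {"example.com", "paypal.com"}
BRAND_WORDS = {"example", "paypal"}

def edit_distance(a, b):
    # Levenshtein distance, used to spot typo-squatted sender domains.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def phishing_indicators(raw_message):
    # Returns indicator codes found in a raw RFC 5322 message (empty list = none).
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    sender = domain_of(addr)
    found = []
    if sender and sender not in TRUSTED_DOMAINS:
        # Domain within two edits of a trusted one, e.g. a digit swapped for a letter.
        if any(edit_distance(sender, t) <= 2 for t in TRUSTED_DOMAINS):
            found.append("lookalike-domain")
        # Trusted brand in the display name, but the mail is not from that brand's domain.
        if any(b in name.lower() for b in BRAND_WORDS):
            found.append("brand-in-display-name")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != sender:
        found.append("reply-to-mismatch")
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        html = body.get_content()
        # Image-only HTML body: images present, no visible text once tags are stripped.
        if "<img" in html.lower() and not re.sub(r"<[^>]+>", "", html).strip():
            found.append("image-only-body")
    return found

# Constructed sample message, not real mail.
SUSPICIOUS = """From: PayPal Support <service@paypa1.com>
Reply-To: collect@mailbox-example.net
Content-Type: text/html

<html><body><img src="cid:banner"></body></html>
"""
```

A single indicator is a reason to quarantine for review rather than proof of phishing; the codes are meant to feed a scoring rule or a user-facing warning banner.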
2. Spear Phishing
While spear phishing also uses email, it employs a more targeted approach. Threat actors start by using open-source intelligence to gather information from published or public sources such as company websites. They then target specific individuals within that organization using real names, job descriptions, and other details to trick the recipient into believing that the email is legitimate.
To identify spear-phishing:
- Look out for abnormal requests from unexpected senders
- Be wary of attachments that require that you key in your credentials
3. Whaling/CEO Fraud
Whaling attacks are usually even more targeted, aiming to trick senior executives into divulging sensitive information. While whaling attacks have the same end goal as other phishing attacks, the technique tends to be subtler. Whaling emails may ask the recipient to review a document or transfer money.
To identify whaling:
- Question any requests that are out of the ordinary. If an executive team member has never made contact with you by email before, be wary of taking the action requested.
- Avoid interacting with any “official requests” that are sent to your personal email address.
4. Vishing
Vishing (voice phishing) occurs when a threat actor calls a victim’s phone number and creates a sense of urgency that drives the person into taking an action. These calls are often robotic and pre-recorded.
To identify vishing:
- Be wary of calls that come from unusual locations or blocked numbers
- Keep in mind that these calls often coincide with events or seasons that are stressful
- End calls that request sensitive data
5. Smishing
Smishing attacks (SMS phishing) involve text messages that request the recipient to take actions that are out of the ordinary. The texts may include an attachment or link that, when clicked, will harvest sensitive data or install malware on the user’s device.
To identify smishing:
- Check if the SMS originates from unusual area codes
- Ignore links to claim a prize or delivery from unexpected sources
6. Angler Phishing
Angler phishing is a relatively new form of attack in which a threat actor uses direct messages or notifications on a social media platform to entice a victim into taking a given action.
To identify angler phishing:
- Look out for abnormal direct messages from people who rarely use this feature
- Be wary of notifications that indicate you have been tagged in a post (such notifications may include links that direct recipients to malicious sites).
Examples of Common Phishing Attacks
Threat actors use three primary mechanisms in phishing attacks to steal information. They include:
Malicious Web Links
Emails containing malicious web links direct users to imposter websites. Malicious web links can be disguised to resemble trusted links and are often embedded in images in an email. For example, an email may appear to be from your company’s help desk asking employees to reset their passwords, only to redirect them to a page that captures the credentials they enter.
Fraudulent Data Entry Forms
These emails urge users to fill in sensitive information such as passwords, phone numbers, credit card numbers, and so on. Once users submit that information, the threat actor can use it for their own benefit. A common example is an email that claims to be from a tax collection agency and asks the recipient to fill in a form to claim a refund.
Malicious Attachments
Malicious attachments resemble legitimate file attachments but are, in fact, infected with software that can compromise your devices and files. One approach is to send an email that appears to be from a courier or well-known online retailer. The message will usually urge the recipient to print out a copy of an attached postal receipt and take it to collect a parcel that couldn’t be delivered. The attachment typically contains malware that infects the recipient’s devices.
How to Prevent Phishing Attacks
Here are some of the measures that businesses and employees should take to avoid falling victim to phishing scams:
1. Install Security Software
Your first line of defense against phishing attacks is to install security software. Antivirus software, firewalls, and spam filters offer effective protection against phishing attacks. You can also deploy web filters to prevent your employees from accessing malicious websites. Additionally, you should ensure that you keep your software up to date with the latest security patches to minimize your chances of falling victim to a phishing scam.
2. Schedule Regular Backups
Ensure that you regularly back up your data to keep it safe from threat actors. Crucial data should be backed up at least once every week, preferably once every day. Additionally, you should ensure that your backups are easily recoverable in case of an emergency or breach.
3. Enforce Password Policies
Establish policies that enforce password expiration as well as rules that mandate which types of passwords are allowed. Employee passwords shouldn’t be too short and should include numbers and special characters to make them more difficult to guess or crack. Additionally, you should change your password regularly to ensure that your accounts remain secure.
4. Provide Cybersecurity Training
Most data breach events occur as a result of human error. Providing cybersecurity training to your employees helps you build a human firewall. The training should be ongoing and should cover topics such as how to identify phishing attacks and what to do upon spotting a possible attack.
5. Use Multi-Factor Authentication
Multi-factor authentication requires that a user present two or more credentials to gain access to business accounts. Enabling multi-factor authentication ensures that even if a threat actor compromises a user’s password, they won’t be able to access your accounts with it alone.
6. Don’t Open Emails Coming From Unknown Senders
Your employees should avoid messages from unknown senders. Institute policies that require them to forward suspicious-looking emails to the security team rather than respond to them. They should also be encouraged to call the sender directly, using a known phone number rather than one given in the email, when in doubt about the sender’s identity.
7. Don’t Provide Personal Information, Open Suspicious Attachments, or Click on Suspicious Links
Don’t provide confidential information unless you have verified the email sender’s identity by directly contacting them. Also, employees shouldn’t click on links in suspicious emails or open attachments even if they appear to have come from a trustworthy source.
Enhance Your Cybersecurity With Electric
Electric offers robust cybersecurity solutions that protect your business at the network, application, and device levels. We work with your business to alleviate the cybersecurity workload of your internal teams and improve the lines of defense that secure your most valuable assets. Contact us to learn more about strengthening your cybersecurity.