May 24th, 2022 Read Time: 8 minutes
Jessica Farrelly
Jessica is a content writer with more than 8 years of experience covering SaaS and the tech industry. She has worked with both B2B and B2C publications across North America, Europe, and APAC and currently writes about IT solutions for Electric.
While there are numerous cyber threats facing businesses today, phishing attacks are among the most harmful. Given the ease with which phishing attacks can be deployed, it’s not surprising that threat actors continue to leverage phishing emails, despite there being more complex forms of attacks available to them.
In fact, according to the FBI’s Internet Crime Complaint Center (IC3) report for 2021, there were 323,972 phishing victims in the US in that year alone, making phishing the most frequently reported crime type. Verizon’s Data Breach Investigations Report found that roughly 36% of breaches involved phishing. These figures show just how prevalent phishing attacks are.
In this post, we’ll guide you through everything you need to know about phishing attacks, including how to safeguard your business from phishing threats.
Phishing is a social engineering attack, most often delivered by email, in which the threat actor poses as a trusted individual or organization to dupe victims into sharing confidential information or running malicious code. A successful phish gives the attacker credentials and access to valuable data and online accounts, a foothold from which to compromise connected systems, and in some cases the initial access that a ransomware operator uses to encrypt an entire network and hold it to ransom. Because sending mass email costs almost nothing, phishing has become one of the most common forms of social engineering.
One of the most frustrating aspects of phishing is that many people fall victim despite knowing what phishing is and how it works. Understanding the different forms it takes gives your employees a better chance of spotting and reporting an attempt. Here’s a look at the common types of phishing attacks:
Most often, phishing is delivered by email. Threat actors impersonate a known individual or brand to persuade the recipient to click a malicious link, open a malicious attachment, or enter credentials on a fake login page.
To identify email phishing:
While spear-phishing also uses email, it employs a more targeted approach. Threat actors start by using open source intelligence (OSINT) to gather information from published or public sources such as company websites, press releases, and social media profiles. They then target specific individuals within that organization, using real names, job titles, projects, and other details to trick the recipient into thinking that the email is legitimate.
To identify spear-phishing:
Whaling attacks are even more targeted, aiming to trick senior executives into divulging sensitive information or authorizing payments. Whaling has the same end goal as other phishing attacks, but the technique tends to be subtler: a whaling email may simply ask the recipient to review a document, approve an invoice, or transfer money.
To identify whaling:
Vishing (voice phishing) is phishing over a phone call: the threat actor calls the victim and manufactures a sense of urgency (a compromised account, an unpaid bill, a “help desk” that needs a password) to push the person into acting. Calls may be automated and pre-recorded or made by a live caller, and because caller ID is trivially spoofed, the number displayed proves nothing about who is calling.
To identify vishing:
Smishing (SMS phishing) uses text messages that ask the recipient to do something out of the ordinary, such as confirm a delivery or unlock an account. The message usually carries a shortened or look-alike link that leads to a credential-harvesting page or prompts the user to install malware on the device.
To identify smishing:
Angler phishing is a relatively new form of attack in which the threat actor uses direct messages or notifications on a social media platform to entice a victim into taking a given action. A typical case is a fake customer-service account that replies to a customer’s public complaint and offers to “resolve” it through a link to a credential-harvesting page.
To identify angler phishing:
Threat actors use three primary mechanisms in phishing attacks to steal information. They include:
Emails containing malicious links direct users to imposter websites. The link is disguised: the visible text or button may show a trusted address while the underlying href points to a look-alike domain (a substituted character such as 1 for l, an extra word, or a different top-level domain). For example, an email may appear to come from your company’s help desk and ask employees to reset their passwords, only to send them to a page that captures the credentials they type in.
Data-entry phishing emails urge users to fill in sensitive information such as passwords, phone numbers, and credit card numbers, either in an attached form or on a linked page. Once the information is submitted, the threat actor can use it directly or sell it. A common example is an email that claims to come from a tax collection agency and asks the recipient to complete a form to claim a refund.
Malicious attachments resemble legitimate files but carry malware (or a document that fetches it) that compromises the recipient’s device and the data on it. One approach is an email that appears to come from a courier or well-known online retailer, urging the recipient to print an attached “postal receipt” and take it to collect a parcel that couldn’t be delivered. The attachment is typically an executable disguised with a document-like name, or a document with a malicious macro, and opening it infects the device.
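The indicators described above (look-alike domains behind disguised links, a Reply-To that does not match the sender, urgency language in the subject, executables disguised as documents) can be checked mechanically before a user ever reads the message. The following is an added example, not code from the original article or from Electric: a small Python scanner that uses only the standard library. The trusted-domain list, the risky-extension list, the urgency keywords, and the two sample messages are constructed assumptions for illustration, and the homoglyph table covers only a handful of common substitutions.

```python
"""Heuristic scan of a raw email for common phishing indicators (added example)."""
import email
import pathlib
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-corp.com"}  # assumed: the organisation's own domains
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".bat", ".cmd"}
URGENCY_WORDS = ("urgent", "immediately", "expire", "suspended", "verify your account")
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l"})  # a few look-alike characters

# Constructed sample messages (not real attack artefacts).
SAMPLE_EML = """\
From: "IT Help Desk" <helpdesk@example-corp.com>
Reply-To: reset@examp1e-corp.com
To: alice@example-corp.com
Subject: URGENT: your password expires in 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password will expire today. Please
<a href="http://examp1e-corp.com/reset">https://portal.example-corp.com/reset</a>
immediately to avoid losing access.</p></body></html>
--BOUNDARY
Content-Type: application/octet-stream; name="receipt.pdf.exe"
Content-Disposition: attachment; filename="receipt.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--BOUNDARY--
"""

BENIGN_EML = """\
From: "Payroll" <payroll@example-corp.com>
To: alice@example-corp.com
Subject: May payslip available
Content-Type: text/plain; charset="utf-8"

Your payslip is ready in the HR portal.
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def skeleton(domain):
    """Collapse common look-alike substitutions, e.g. examp1e-corp.com -> example-corp.com."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def is_lookalike(domain):
    """True when a domain is not trusted but collapses to a trusted domain's skeleton."""
    trusted_skeletons = {skeleton(t) for t in TRUSTED_DOMAINS}
    return domain not in TRUSTED_DOMAINS and skeleton(domain) in trusted_skeletons


def scan_message(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    for dom in sorted({from_domain, reply_domain} - {""}):
        if is_lookalike(dom):
            findings.append(f"look-alike domain in headers: {dom}")

    subject = msg.get("Subject", "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(f"urgency language in subject: {hits}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            host = (urlparse(href).hostname or "").lower()
            text_host = (urlparse(text).hostname or "").lower() if "://" in text else ""
            if text_host and text_host != host:
                findings.append(f"link text shows {text_host} but points to {host}")
            if is_lookalike(host):
                findings.append(f"look-alike domain in link: {host}")
            if any(label.startswith("xn--") for label in host.split(".")):
                findings.append(f"punycode (IDN) host in link: {host}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        suffixes = pathlib.PurePosixPath(name).suffixes
        if suffixes and suffixes[-1] in RISKY_EXTENSIONS:
            findings.append(f"executable attachment: {name}")
        if len(suffixes) > 1:
            findings.append(f"double extension on attachment: {name}")
    return findings


if __name__ == "__main__":
    for f in scan_message(SAMPLE_EML):
        print(" -", f)
```

Heuristics like these are a triage aid, not a verdict: a benign message can trip the urgency check and a careful attacker can avoid every one of them, so they belong in front of a human reviewer or as one signal among many in a mail filter.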
Here are some of the measures that businesses and employees should take to avoid falling victim to phishing scams:
Your first line of technical defense is layered security software. Antivirus software, firewalls, and spam or email filters block much of the volume before a user ever sees it, and web filters can stop employees from reaching known malicious websites if they do click. Keep all software up to date with the latest security patches so that a phishing attachment or a drive-by download cannot exploit a vulnerability that has already been fixed.
Back up your data regularly so that a phish that ends in ransomware or data destruction does not become a business-ending event. Crucial data should be backed up at least once a week, preferably once a day, and at least one copy should be kept offline or otherwise isolated so that the same compromised credentials cannot reach it. Test restores periodically: a backup you cannot recover from is not a backup.
Establish password policies, but base them on current guidance rather than older habits. NIST SP 800-63B now recommends against forced periodic expiration and composition rules (mandatory digits and special characters), because they push users toward predictable patterns. Instead, require long passwords or passphrases, screen new passwords against lists of known-breached passwords, prohibit reuse across accounts, encourage a password manager, and force a change only when there is evidence of compromise.
Most data breaches involve a human element, such as an employee handing over credentials or opening an attachment. Security awareness training helps you build a “human firewall.” The training should be ongoing and should cover how to recognize a phishing attempt, how to report it, and what to do if someone has already clicked. Early reporting is what limits the damage, so make reporting easy and never penalize it.
Multi-factor authentication (MFA) requires that a user present two or more factors (something they know, have, or are) to gain access to business accounts. With MFA enabled, a stolen password alone is not enough to log in. One caveat matters here: one-time codes sent by SMS or generated by an app can still be phished, because a real-time reverse-proxy phishing site can relay the code to the legitimate service as the victim types it. Where possible, use phishing-resistant MFA (FIDO2/WebAuthn security keys or platform authenticators), which binds the login cryptographically to the genuine site’s domain so that a look-alike site cannot replay it.
Employees should treat messages from unknown senders with suspicion. Institute policies that require them to forward suspicious-looking emails to IT or the security team rather than respond to them, and when in doubt about a sender’s identity, to call the sender using a phone number already on file, never one supplied in the message itself.
Don’t provide confidential information in response to an email unless you have verified the sender’s identity through an independent channel. Employees shouldn’t click links in suspicious emails or open attachments even if they appear to come from a trustworthy source; a compromised colleague’s mailbox sends perfectly authentic-looking mail.
Electric offers robust cybersecurity solutions that protect your business at the network, application, and device levels. We work with your business to alleviate the cybersecurity workload of your internal teams and improve the lines of defense that secure your most valuable assets. Contact us to learn more about strengthening your cybersecurity.