Phishing 101 - What is Phishing?
What is Phishing?
Phishing is a type of social engineering in which cybercriminals send fraudulent emails or text messages designed to trick the recipient into exposing sensitive personal information or data. According to Avanan’s Global Phish Report, one out of every 99 emails is a phishing attack, and further research indicates that 25% of phishing emails bypass standard email security. Phishing is the most common and prevalent cyber threat, and as more sensitive data is stored and accessed online, cybercriminals see more opportunities in phishing. Roughly 90% of data breaches are the result of phishing, according to Cisco’s 2021 Cybersecurity Threat Trends report. The cost of cybercrime, including phishing attacks, is expected to rise to $10.5 trillion by 2025.
Phishing rose to prominence in the mid-1990s with the rapid growth of the internet, and since then phishing techniques have become more sophisticated and realistic. Cybercriminals can now employ tactics that use deepfakes and artificial intelligence, making phishing even harder to detect. Fake virtual meetings, fake World Health Organization announcements about COVID-19, and fake COVID-19 relief and stimulus packages are new tactics being introduced every day.
Types of Email Phishing
By understanding the types of email phishing in use, businesses can better protect themselves against these ever-evolving tactics. There are many different types of phishing, but the most common tactics are:
Email phishing
Email phishing is phishing in its most recognizable form. The cybercriminal masquerades as an entity or person and attempts to trick the recipient into revealing sensitive information or data. Email phishing can also include malicious links whose goal is to deploy software such as ransomware on the victim’s infrastructure. A common type of email phishing is business email compromise (BEC), which typically targets an employee or someone in the finance department to obtain financial information. BEC rose by 14% in 2020 and, alarmingly, increased by 80% in some sectors.
Spear phishing
Spear phishing is a more sophisticated type of phishing in which the cybercriminal has detailed information about a specific person, such as their name, job title, employer, email address, or specifics of their job role. Spear phishing is typically more convincing and realistic.
Smishing and vishing
In smishing, criminals send text messages; vishing happens over the phone. A common smishing attack is a fake text message from your bank or a popular retailer like Amazon alerting you to suspicious activity. According to Proofpoint’s State of the Phish, less than 35% of people claim to know what smishing is, which is the main reason it is causing millions of dollars in losses. The research further reports that smishing rose 328% in 2020 alone, with COVID-19 a factor in this uptick. Fake two-factor authentication messages are also common in smishing, exposing data for platforms like Amazon, Walmart, banks, social platforms, and more.
Mass phishing campaigns
Mass phishing campaigns cast a wider net. Emails are sent to the masses from a knock-off corporate entity insisting that a password needs to be updated or that credit card information is out of date.
Whaling
In whaling, the attacker goes after a senior executive. Criminals attempt to imitate senior staff, and the messages commonly look like a senior leader asking an employee for a favor. These scams can be very convincing because they play on the need to please your boss immediately and effectively. Sometimes whaling targets the senior leadership themselves.
Angler phishing
A relatively new phishing style, angler phishing uses social media with fake URLs, blog posts, cloned websites, or messages. Attackers attempt to trick social media users into exposing sensitive information or downloading malicious software.
Other types of phishing attacks include pop-up phishing, pharming, evil twin phishing, watering hole phishing, HTTPS phishing, clone phishing, deceptive phishing, man-in-the-middle attacks, and more.
Ambulance chasing phishing
Attackers use a current crisis to create urgency for victims to take an action that compromises data or information. For example, targets may receive a fraudulent email encouraging them to donate to relief funds for a recent natural disaster or the COVID-19 pandemic. Google has reported that cybercriminals send an estimated 18 million hoax emails about COVID-19 to Gmail users every day.
Pretexting
Pretexting involves an attacker using a non-email channel, for example voicemail, to set the expectation that they will soon send something seemingly legitimate, only to follow up with an email containing malicious links.
The Rise of Email Phishing Attacks
As you can see, phishing is incredibly prevalent and is the number one attack vector for cybercriminals. Cybercriminals have developed several sophisticated, realistic ways to trick users into revealing sensitive information. The financial impact of phishing attacks has quadrupled over the last six years, with enterprise organizations losing roughly $1,500 per employee. Additionally, the rise of remote work means even more data is transmitted over email, giving criminals even more chances to deceive users and compromise email.
The consequences of phishing are severe, too: the cost of containing malware, productivity losses, and the cost of containing compromised credentials all produce a flurry of expenses that add up to real damage for the average business. And the main reason phishing remains so relevant is simple: it works.
Phishing vs. Spear Phishing
The two most popular methods of phishing are email phishing and spear phishing. The two have a lot in common: they use coercive language or a sense of urgency, they are delivered via email, the attackers are after some type of sensitive information, and they rely on impersonation.
However, a key difference between the two is how targeted the message is. Email phishing is often low-effort and not tailored to each victim; hackers cast a wide net in hopes of landing a handful of victims. Spear phishing, on the other hand, is highly targeted and sent to only one person or organization. This type of attack requires much more effort but is more rewarding when it succeeds.
Additionally, spear phishing can target something more sensitive than simple login information. Cybercriminals might be after trade secrets or customer data they could sell for a large sum of money. According to Symantec’s Internet Security Threat Report, 65% of targeted attacks are spear phishing, and intelligence gathering was the main goal in 95% of those cases.
To protect your organization from spear phishing, email scanning and detection help prevent and block attacks. However, as Stanford research reported, 88% of data breaches are caused by human error, so the best tool is employee security awareness training. Educating team members to be the first line of defense is the most effective technique, expanding their awareness so they can reduce threats. Empower employees to be part of the solution instead of part of the problem.
Phishing Email Examples
The best way to protect against phishing emails is education: familiarize yourself and your staff with how to identify phishing email tactics. Below are a few phishing email examples:
Email Phishing Example:
Typically found in high-volume spam emails to hundreds or thousands of people, email phishing generally includes malicious links or attachments.
Sender: HR Department
Subject Line: Sign Updated Employee Handbook
“Effective today there is a new employee handbook that requires your signature. 20% of employees have acknowledged the handbook, and we’re looking to get to 100% by Friday! Please click the link below to sign.”
Often, an email like this will appear to come from a trusted entity like the HR department, but the actual email address does not match the organization’s domain. The attacker claims the target needs to sign a new employee handbook, and the link leads to a page that asks for sensitive information or downloads malicious software onto the device.
Spear Phishing Example:
In these targeted attacks, cybercriminals play on the authority of trusted organizations like Microsoft Teams, Google Business Suite, Slack, Amazon, or your bank to trick you into revealing sensitive information.
Sender: Google Business
Subject Line: Your Boss Requested Information
“Hi FIRST NAME,
Your boss, NAME, is requesting you update your information in your organization’s directory.
Click here to update your credentials.”
In this spear phishing example, the cybercriminal has deep knowledge of the employee and the organization, which unfortunately makes it quite effective. Because the message plays on the authority of a boss or leadership, the employee may feel a sense of urgency and duty to complete the request quickly.
Other common phishing tactics include hyperlinks whose real destination (shown when you hover over the link) is a malicious site, fake credit card websites, malicious attachments, and more.
Common Indicators of a Phishing Attempt
What should employees look for to stay proactively alert to phishing scams? With effective security awareness training, employees can look for these common indicators of a phishing attempt:
- Grammar errors and misspelled words
- An unusual request or ask
- An odd sense of urgency
- Links don’t match the domain
- The sender’s name looks odd or doesn’t match the organization’s name
- An ask for sensitive information
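To make the indicators above concrete, here is an added example (not part of the original page or of TPx’s products) that scores a raw email against them: a display name that claims to be internal while the address domain is not, link text whose domain differs from the real destination, urgency cues, and requests for sensitive data. ORG_DOMAIN, INTERNAL_NAMES, the keyword lists and the sample message are assumptions constructed for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumed: the organization's real mail domain
INTERNAL_NAMES = ("hr", "it department", "payroll", "finance")  # assumed internal sender names
URGENCY = ("by friday", "immediately", "today", "within 24 hours", "suspended")
SENSITIVE = ("password", "credentials", "credit card", "sign in", "social security")
# Constructed sample modelled on the "Sign Updated Employee Handbook" email above.
SAMPLE = """From: HR Department <hr@examp1e-portal.net>
Subject: Sign Updated Employee Handbook

<p>Effective today the new handbook needs your signature: sign in with your password by Friday!</p>
<p><a href="http://examp1e-portal.net/login">https://hr.example.com/handbook</a></p>
"""
class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None
def host(s):  # lowercased hostname of a URL or bare domain ('' if none)
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()
def phishing_indicators(raw_email):
    """Return the indicators from the list above that a raw single-part HTML message triggers."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain, body = addr.rpartition("@")[2].lower(), msg.get_payload()
    text, found = (msg.get("Subject", "") + " " + body).lower(), []
    if sender_domain != ORG_DOMAIN and any(n in name.lower() for n in INTERNAL_NAMES):
        found.append(f"sender '{name}' looks internal but mails from {sender_domain}")
    collector = LinkCollector()
    collector.feed(body)
    for link_text, href in collector.links:  # visible text vs. real destination
        if "." in link_text and host(link_text) != host(href):
            found.append(f"link shows {host(link_text)} but points to {host(href)}")
    found += [f"urgency cue '{w}'" for w in URGENCY if w in text]
    found += [f"asks for sensitive data '{w}'" for w in SENSITIVE if w in text]
    return found
```

Running phishing_indicators(SAMPLE) returns six indicators for the constructed handbook email, while a plain internal message from hr@example.com with no links returns none; the keyword matching is deliberately crude and meant to show the checks, not to replace an email security solution.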
To report phishing emails, an email security solution can make it easy for employees to flag suspicious emails and quickly get confirmation of whether a message is malicious or safe. Inbox detection and response empowers employees to report fraudulent-looking emails immediately, right from their inbox.
How to Protect Your Business From Phishing
There are a few ways to protect your business from phishing. Employee Security Awareness Training is a basic level of defense that is highly effective in educating team members. This makes employees a part of the defense strategy and reinforces good security habits.
Next, Managed Inbox Detection and Response from TPx puts employees in the driver’s seat and provides professional evaluation and handling of suspicious emails reported by users — right from the inbox.
It’s critical for businesses to invest in phishing protection solutions to avoid becoming a statistic. End-user security is crucial because no employee is immune to attacks. According to a recent Terranova report, almost 20% of all employees are likely to click on phishing email links, and a staggering 67% enter their credentials on a phishing website.
It only takes one email to drastically affect your organization, and a single employee can cause hundreds of thousands of dollars in damages. Investing in TPx’s End-User Security boosts overall company protections and secures thousands of critical, sensitive data points from cybercriminals.