Phishing may sound like an amusing and harmless pursuit but it’s actually not funny and very dangerous. This online scam and its variations cause enormous damage. According to Verizon’s 2020 Data Breach Investigations report it was the most common breach of security. In Proofpoint’s 2020 State of the Phish report it’s recorded that 65% of organizations in the United States were impacted by phishing scams in 2019. To stop these scams you need to know the signs, so let’s take a look at what they are.
The Telltale Signs of a Phishing Attack
Though they manifest in different forms, phishing attacks all have some of the same characteristics. The common denominator is that the target receives a message that seems to be a perfectly legitimate communication from a trusted source. It might be a client, a business you’re likely to have dealings with or a business prospect. It’s all designed to encourage recipients to open it without a second thought. The email either contains concealed malware or it directs the unsuspecting recipient to a website that spreads malicious code. This is the simple basis for a variety of scams.
Types of Phishing Attack
Business Email Compromise Attacks
This type of phishing scam involves the cybercriminal posing as a trusted figure in order to persuade the target to transfer money to an account that the scammer has access to. Typically the email is written in such a way as to convince the recipient that they must act as a matter of urgency, generating a sense of panic that encourages them to abandon their normal sense of caution. These online scams can net the thieves tens of thousands of dollars.
Another technique used by cybercriminals involves duplicating a genuine email that will look familiar to the intended victim. This reassures the recipient, who has no obvious cause to suspect that they’re in a scammer’s sights. A legitimate link in the email will be switched off and when you click you’ll be directed to a spoof site that explains why you received the duplicate email in the first place.
Although email is most commonly used for phishing scams, the con has been adapted for SMS messages. This is often successful because people may know about email phishing but they’re not expecting text messages to be used to reel them in. It’s also a fact that people tend to read and reply more often to texts than to emails. One study showed that 98% of people read texts and 45% responded to them. For email, the figures were much lower – 20% of people read them and only 6% replied. Smishing has proved successful because mobile devices are often not as well protected by security software as desktop and laptop computers.
This is a phishing scam that takes the con to a new level. Many phishing scams rely on a generic message. In spear phishing, the online scam is tailored specifically to an individual. These take research and planning and, because of the time and effort they require, they are typically directed towards targets who are assessed as high value or high reward. Because they are so cunningly personalized they also have a higher chance of being successful and are doubly dangerous.
Voice Phishing (Vishing)
Vishing uses the telephone to get victims to reveal private and confidential information that can be used for cybercriminal purposes. The caller will pose as a representative of a business or financial institution in order to extract the information they want.
Whaling, as the name suggests, is a phishing attack that targets the biggest fish. (Yes, we know that whales aren’t actually fish, but you get the picture.) The attack focuses on the biggest person in an organization, and that’s the boss. The logic is that the bigger the fish in the organization, the more access they have to resources and the information that the scammers want. It makes sense that the higher up they aim, the larger the potential theft can be.
The target in a whaling attack isn’t necessarily the CEO. Staff may receive an email purporting to be from the CEO or high-ranking individual in the organization. The recipient is instructed to send money, or log into a system, or supply crucial information that the cybercriminals can use. There’s a lot of this around, and your staff need to be alert to the possibility that the sender isn’t necessarily for real. These attacks are sophisticated, and scammers go to considerable lengths to research their victims so that their messages seem authentic.
Phishing is a Major Threat
Due diligence is essential to avoid phishing attacks, and will help fend off most of them. Make sure your staff know how to recognize a potential online scam. Quikteks can help to defend your organization against malware and cybercrime. Call us on (973) 882-4644 for advice on your business security.