Let’s face it, phishing attacks aren’t slowing down. PhishLabs reported that phishing activity increased by 40% in 2018.
These attacks were directed at a wide range of companies, including financial services organizations, online and email service providers, cloud and file hosting firms, and many others. Every business is at risk from phishing.
It is therefore essential that companies understand what phishing is and how they can protect themselves against it.
That is what this article is about, so let's get started.
What is Phishing?
Phishing is, in essence, a scam that tricks people into giving away sensitive information such as passwords, usernames, bank account details and credit card numbers. Its goal is to steal money or confidential information.
The attack usually starts with malspam: a malicious email or text message, sent to the intended victims, that impersonates a friend, relative, bank or government official. The message asks the recipient to visit a website or take immediate action, and threatens some consequence if they do not.
Clicking the link takes them to an imitation of a legitimate site, where they are asked to log in with their username and password. If they comply, their sign-on details are sent to the attackers, who use them to steal identities, take over bank accounts and sell private information on the black market.
Phishing is not as complex as other online threats. Adam Kujawa, Malwarebytes Labs Director, said that phishing is “the simplest type of cyberattack, but, at the same time, the most deadly and effective.” This is because it targets the most powerful and vulnerable computer on Earth: the human brain.
What does phishing do to your business?
Phishing can have far more serious consequences than you might think. The majority of phishing attacks do not attempt to steal money from businesses. They are actually trying to steal data, which is much more valuable.
An IBM report estimates that a data breach costs $3.86 million on average. A single figure, however, does not convey the full severity of a phishing attack, so let's look at where the damage comes from.
Reputational damage
An organization’s reputation is immediately damaged after a data breach is announced.
Headlines such as “7.5 million Adobe Creative Cloud accounts exposed to the public” or “Cyber thieves took data on 145 million eBay customers by hacking 3 corporate employees” are now mainstream news stories, no matter how capable a company’s PR department may be.
It can take years, or even decades, for these reports to fade from memory, and they shape public opinion for as long as they linger.
Intellectual property issues
Intellectual property theft can be just as devastating. Phishing can lead to the theft of trade secrets, customer lists and formulas, and a single stolen patent or design can represent millions of dollars of research and development.
Loss of customers
The backlash is not limited to intellectual property and reputational damage.
Customers become anxious when they hear about a data breach. After the highly publicized phishing attack on the US credit reporting agency Equifax, nearly 40% of customers stated that they no longer trusted Equifax with any financial information.
Similarly, in the 2015 TalkTalk data breach, attackers accessed the accounts of nearly 157,000 customers, including the names, bank account details and sort codes of more than 15,000 of them. The result was predictable: customers left in their thousands and the company lost around £60m in 2016 alone. The ramifications of such a breach can last for many years.
Loss of company’s value
Data breaches can not only impact consumer confidence but also investor confidence.
A Comparitech study showed that the share prices of breached companies hit a low point roughly 14 days after a breach. Share prices fell by 7.27% on average, underperforming the NASDAQ by 4.18%.
Direct costs
It is well documented that phishing attacks carry a direct financial cost. According to the FBI’s 2018 Internet Crime Report:
- BEC (business email compromise) attacks cost US businesses more than $1.2 billion.
- Organizations lost more than $100 million to direct deposit phishing, in which attackers steal employees’ payroll portal credentials in order to redirect their salaries.
- Spear phishing attacks that used gift card scams to defraud victims cost the US $70 million.
Fines for violations of regulations
Financial penalties for mishandling and misusing data have existed for decades. The GDPR (General Data Protection Regulation) can impose fines of up to EUR 20 million or 4% of annual global turnover, whichever is greater.
Additionally, you may face fines under regimes such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA). The cost of investigating the incident and adequately compensating the victims of stolen data can run into the millions.
Disruption in the business
It doesn’t matter how small or large a breach is, it will always cause business disruption.
After a phishing message infected its systems, WPP, a multinational advertising company, instructed its 130,000 employees to immediately disconnect and shut down all Windows servers, computers and laptops until further notice.
It took several weeks before the company was able to resume normal service.
7 types of common phishing attacks
1. Deceptive phishing
Deceptive phishing is the most common type of phishing attack. Attackers pretend to be from a legitimate company in order to steal login credentials or personal data, and their emails use threats and urgency to scare recipients into complying with the fraudsters’ demands.
For example, a scammer posing as PayPal could send an email instructing recipients to click on a link to correct a discrepancy in their account. The link leads to a fake PayPal login page, which collects the victim’s credentials and forwards them to the attackers.
The success of a deceptive phishing attack depends on how closely the email resembles official correspondence from the impersonated company.
2. Spear phishing
Instead of spamming thousands of people with massive email blasts, spear phishing attacks target specific individuals within an organization.
Cybercriminals use social media and company websites to research their victims, gathering details such as the victim’s full name, address, email address, job title and job responsibilities. Once they understand the target well, they can fool the recipient into believing they know the sender.
As with deceptive phishing, the ultimate goal is to trick the victim into clicking on malicious URLs or email attachments, or into handing over personal information. It is not surprising that spear phishing is common on social media channels such as LinkedIn, where attackers can draw on multiple data sources to craft targeted attack emails.
3. Whaling
Whaling attacks differ from other forms of phishing in that they have a high-level target. They are designed to steal sensitive information and typically aim at senior management, whose information is far more valuable than that of regular employees.
Whaling attacks often impersonate senior staff members, but they take a subtler approach: because the criminals are posing as executives, crude tricks such as malicious URLs or fake links are less likely to work here.
Scams involving fake tax returns are a popular form of whaling. As they contain valuable information such as names, addresses, bank information, and Social Security numbers, tax forms are highly sought after by attackers.
4. Clone phishing
Clone phishing takes a legitimate message the victim has already received and uses it to create a fake version.
The email is sent from an address that closely resembles that of the legitimate person or organization, and the message body looks the same as the earlier message. The only difference is that the legitimate attachment or link has been replaced with a malicious one. To explain why the victim is receiving the same message again, the attacker might claim to be resending the original or sending an updated version.
5. Vishing
So far we have only discussed phishing attacks that use email. Email is the most common tool of phishing attackers, but fraudsters also use other media. Vishing is one example.
Vishing, also known as voice phishing, is phishing carried out over the telephone. Although it uses a different medium, it follows the same pattern: attackers make victims feel rushed in order to convince them to reveal sensitive information.
The call is usually made with a spoofed caller ID so that it appears to come from a trusted source. In one common vishing scam, a criminal pretends to be a fraud investigator from the victim’s bank or card company and tells the victim that their account has been compromised. After gaining the victim’s trust, the caller asks for personal information such as passwords, PINs and login details. The victim may also be asked to transfer money into a “secure account”, which in reality belongs to the criminal.
6. Smishing
Smishing or SMS Phishing is when criminals send text messages to an individual’s number. They usually trick users into clicking on malicious links or giving out personal information.
Nokia, for example, warned customers in February 2019 that smishing campaigns were posing as the Finnish multinational telecommunications company. The messages told users they had won money and a car, and then asked recipients to send money to register their prize.
7. Pharming
This type of phishing uses cache poisoning against DNS, the naming system the Internet uses to convert human-readable website addresses (such as www.mageplaza.com) into numerical IP addresses so that visitors can be routed to the right servers or devices.
In a pharming attack, the pharmer targets a DNS server and alters the IP address associated with a domain name. The attacker can then redirect victims to any malicious website they choose, even when the victim types the correct site name.
How to recognize a phishing attack
Spotting phishing attacks is harder than ever, because cybercriminals have refined their techniques and grown more sophisticated in their methods. The phishing emails that land in our inboxes every day are more personalized and carry the same logos as the brands we trust.
These emails are sophisticated and convincing, but there are still signs that could indicate a phishing email.
An incorrect URL
In a suspicious email, the first thing to check is the validity of the URL. Hovering over a link reveals the full address it actually points to. The visible link text may look legitimate, but if the real destination does not match it, that is a strong indication that the message is fake.
The email requests personal information
Trustworthy companies will never email customers asking for details such as their account number, PIN or security question answers. An email requesting such information is unlikely to come from a legitimate company and should be deleted immediately.
Grammatical and spelling errors
Cybercriminals are not known for their grammar and spelling. Trustworthy companies proofread the emails they send to customers, so an email containing spelling errors or poor grammar may not come from the company it claims to, and could indicate a phishing message.
Use of threatening language or urgent language
One common phishing tactic is to create a sense of urgency to get people to click on a link. Attackers often claim that your security is at risk and demand that you take immediate action to correct the situation.
Subject lines such as “your account suspended” or “unauthorized login attempt” should be treated with suspicion. You can verify whether the request is legitimate by calling the company’s official number or visiting its website directly.
A suspicious attachment
If you receive an unexpected email from a company with an attachment, treat it as a warning sign. An attachment can carry malware or trojans that infect your computer or network. Even if the attachment appears genuine, it is good practice to scan it with antivirus software before opening it.
It’s too good to be true
A scam email will often tell you that you have won a competition you never entered, or ask you to click on a link to claim a prize. If an offer seems too good to be true, it usually is.
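The warning signs above (a link whose visible text does not match its real destination, plain-http links, urgency language and risky attachments) can be checked mechanically. The following script is an added example written for this article, not code from the original page or from any vendor: it parses a constructed HTML email body with Python's standard library and lists the signs it finds. The sample messages, phrase list, extension list and the domain comparison are all assumptions made for illustration; a production filter would use the Public Suffix List rather than the crude "last two labels" domain check used here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real emails). The first imitates a bank notice
# with the classic tells; the second is a harmless internal note used as a control.
SAMPLE_PHISH_HTML = """
<p>Dear customer, your account has been suspended due to an unauthorized login attempt.</p>
<p>Please <a href="http://secure-login.example-bank-verify.test/reset">click here to log in at https://www.example-bank.test</a>
within 24 hours or your access will be permanently closed.</p>
<p>Attached: statement.pdf.exe</p>
"""
SAMPLE_BENIGN_HTML = """
<p>Hi all, the agenda for Thursday is <a href="https://intranet.example-corp.test/agenda">here</a></p>
"""

# Assumed indicator lists; tune these to the organisation's own mail traffic.
URGENCY_PHRASES = ("suspended", "unauthorized login", "immediate action",
                   "within 24 hours", "permanently closed", "verify your account")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".hta", ".iso", ".lnk")
URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+")
FILENAME_TOKEN = re.compile(r"\b[\w-]+(?:\.[\w-]+)+")


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs plus the message's plain text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_parts = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor_text = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation: the last two DNS labels (assumption; use the PSL in real code)."""
    labels = (host or "").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else (host or "").lower()


def triage_email(html_body):
    """Return a list of human-readable findings; an empty list means no sign was found."""
    parser = LinkExtractor()
    parser.feed(html_body)
    text = " ".join(parser.text_parts)
    findings = []

    for href, anchor in parser.links:
        target = urlparse(href)
        if target.scheme == "http":
            findings.append(f"plain-http link: {href}")
        # A URL shown in the link text that differs from the real destination.
        for shown in URL_IN_TEXT.findall(anchor):
            if registrable_domain(urlparse(shown).hostname) != registrable_domain(target.hostname):
                findings.append(f"link text shows {shown} but points to {href}")

    lowered = text.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"urgency language: '{phrase}'")

    for token in FILENAME_TOKEN.findall(text):
        if token.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment name: {token}")

    return findings


if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH_HTML), ("benign", SAMPLE_BENIGN_HTML)):
        print(name, triage_email(body))
```

Each finding is reported separately rather than collapsed into a single score, so that a reviewer can see which sign fired; in practice several of these indicators together, not any one alone, is what should trigger quarantine or a user warning.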
How to avoid phishing
Phishing prevention can be done using multiple methods. These are some of the best ways to prevent phishing:
Never click on suspicious links
Many of us are drawn to news about lottery wins, free digital products or software downloads, looming deadlines, deliveries of expensive items, or charity appeals. Such messages usually arrive from completely random and unknown sources.
Pay extra attention to emails that offer unrealistic rewards, make threats, or use unusual language (exclamation marks, bold letters, underlining and so on). You can verify the authenticity of an email by contacting the company through its publicly available contact details.
Avoid open and public networks
Public networks often carry unencrypted data, giving attackers the opportunity to intercept sensitive information such as account usernames, passwords, purchase transaction details and other browsing activity.
Use as few public Wi-Fi networks as you can: the more you connect to, the more likely you are to end up on one that does not protect your browsing and data.
Verify the security of a website
Always verify that a site is secure before you submit any information. Start with the URL: if it begins with “https” instead of “http”, the site is protected by an SSL certificate (the “s” stands for secure).
An SSL certificate encrypts your data as it travels from your browser to the site’s server, and a small padlock icon near the address bar indicates that the connection is secured. Bear in mind that this only protects the connection; it does not prove who operates the site, and phishing pages increasingly use valid certificates, so the padlock alone is not evidence that a site is genuine.
Use two-step authentication
Two-step authentication adds an extra layer of security to your online accounts. In its most common form, you enter your password and then a one-time code sent to your phone by text message or generated by an authenticator app. This makes it much harder for hackers to get into your account with a stolen password alone.
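To show what the "code on your phone" actually is, here is an added example, not code from this article or from any authenticator vendor, that implements time-based one-time passwords as standardized in RFC 4226 (HOTP) and RFC 6238 (TOTP) with Python's standard library, together with the server-side checks a login system needs: a small tolerance for clock drift, constant-time comparison, and refusal to accept a code a second time. The shared secret is the RFC test-vector key, and the class and function names are this example's own.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"); a real
# deployment generates a random per-user secret at enrolment and never reuses it.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret, timestamp=None, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch.
    This is what the phone computes; the server computes the same value independently."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp // step), digits)


class TotpVerifier:
    """Server-side verifier for one user's secret.

    Accepts the current interval and `window` intervals either side to absorb clock drift,
    compares in constant time, and remembers the last accepted counter so that a code
    which has already been used (for example one captured by a phishing page) is rejected
    even while it would otherwise still be inside the window.
    """

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest counter value accepted so far

    def verify(self, code, timestamp=None):
        if timestamp is None:
            timestamp = time.time()
        counter = int(timestamp // self.step)
        for offset in range(-self.window, self.window + 1):
            candidate = counter + offset
            if candidate <= self.last_counter:
                continue  # already used or older than an accepted code: replay, reject
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)           # what the phone would display
    verifier = TotpVerifier(DEMO_SECRET)
    print("code:", code, "first use:", verifier.verify(code, now),
          "replay:", verifier.verify(code, now))
```

Note what this does and does not defend against: the code changes every 30 seconds and cannot be reused, so a password stolen on its own is useless, but a phishing page that relays the victim's code to the real site within the same window still gets in. Phishing-resistant second factors (FIDO2/WebAuthn security keys) close that gap because the response is bound to the genuine site's origin and cannot be replayed elsewhere.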
Be cautious about what you post online
The Internet and social networks have changed the way we communicate every day, and cybercriminals exploit this culture of sharing to build profiles of potential victims and make their phishing attempts more targeted.
Hackers mine social media sites for personal details such as job title, location, email address and social activity, and use that data to launch highly targeted, personalized phishing attacks.
You can reduce your chance of being phished by thinking carefully about what you publish online. Use the enhanced privacy options to limit access to people you do not know, and set strong passwords on your social media accounts.
Staff education
Even companies with the best security systems are not protected if hackers can bypass those systems by going through employees to obtain sensitive information.
Hackers target employees because they see them as the weakest link in any company’s defenses. It is therefore essential to train staff, and to keep training them regularly, on how they can help prevent cyber-attacks.
Install antivirus software
Antivirus software is one of the best ways to protect your computer from malware and block unauthorized access. Keep all of your software up to date as well: hackers exploit vulnerabilities in outdated programs to gain access to your network.
The bottom line
With this guide, businesses can identify phishing more quickly and prevent much of it. They will not catch every phish, however: phishing constantly evolves, adopting new techniques and forms.
It is important that companies conduct regular security awareness training so that their employees and executives can keep up with the latest developments in phishing.