Phishing, a form of social engineering, is the most prevalent and persuasive attack vector used to steal confidential data, account passwords, credit card numbers and more.
In today's post we'll explore the various forms of phishing, their effects, and actionable guidance for improving your team's cyber defenses.
During a phishing scam, cybercriminals masquerade as a trusted source and use a sense of urgency in their messaging to trick the victim into clicking a malicious URL or downloading an attachment. Ultimately, this leads to compromised systems, data leaks, reputational damage and other calamitous outcomes.
Phishing is not only profoundly common, but it’s arguably the most destructive and high-profile cybersecurity threat facing organizations today.
- The 2020 Verizon Data Breach Investigations Report (DBIR) found that internal actors (i.e., employees) were behind 32% of data breaches in some industries.
- The same DBIR study found that phishing attacks continue to dupe users. Further, employee error, such as failing to put access controls on databases, exposes data and leads to leaks.
- Phishing emails are the #1 delivery vehicle for ransomware.
- Symantec 2019 Internet Security Threat Report (ISTR) found that formjacking attacks compromise 4,800 websites each month.
- Last year, the FBI received 467,361 internet crime complaints, which it estimates resulted in over $3.5 billion in losses, per the agency's 2019 Internet Crime Report.
- From C-level executives to individual contributors, anyone who opens an unknown email and trusts its content is vulnerable to this manipulation tactic.
Researchers at Symantec estimated that nearly one in every 2,000 emails sent is a phishing scam; at global email volumes, that implies roughly 135 million phishing attempts every day. Most people don't have the time to scrutinize every message that lands in their inbox carefully, and that's precisely what phishers are hoping to exploit.
Let's examine some of the most common email scams:
Business Email Compromise (BEC)
- BEC attacks come in several lucrative forms, all of which give threat actors a foothold in business email quickly. One is CEO fraud: either the attacker has compromised the CEO's actual inbox and sends mail from the legitimate address, or the attacker uses a forged or look-alike address that spoofs the CEO's email.
- Whaling demands a concerted effort; however, the high payoff makes it attractive to scammers. Whaling attacks target senior-level executives and use sophisticated, personalized language to capture sensitive information.
- In a clone phishing attack, cybercriminals duplicate a legitimate email the victim has already received, swap in malicious links or attachments, and send the modified copy while mirroring the original sender's information.
- Spear phishing is a highly targeted attack personalized to the individual victim, addressing the person by name or title. In a spear-phishing scam, attackers pose as CEOs, CFOs or department leads and contact a specific group of employees, such as executive assistants. These messages appear urgent and use persuasive writing to ask the recipient to send highly confidential files or critical business information.
Mobile Phishing
In today's connected world, scammers have shifted their focus towards smartphones as ideal attack vehicles. Examples of mobile phishing attacks include:
- Vishing (voice phishing) is a subset of mobile phishing in which criminals typically spoof the caller ID so that the call appears to come from a trustworthy source.
- During a smishing scam, attackers send an SMS message containing links to phishing web pages or applications that ask for credentials if visited. If you haven't yet, check out our article "Scam Alert: Criminals Cloning Hedge Fund Websites" to learn more about phishing websites.
- Attacks can also start from email messages opened in a mobile browser. Unsuspecting users are led to download forged applications loaded with malware, which then capture personal information and trick users into divulging passwords.
Tips to Avoid Phishing Scams
Social engineering is a psychological tool that takes advantage of patterns of human behavior. To help you outwit a cybercriminal, consider the following list of practical guidance:
- Stay informed about phishing techniques. New phishing scams emerge daily, and keeping abreast of the latest attack vectors reduces the risk of getting snared.
- Look out for spelling and grammatical errors, which are frequent in phishing communications. Poor grammar in an email claiming to come from an official organization is a strong warning sign; note, though, that well-crafted spear-phishing messages can be flawless, so clean prose alone proves nothing.
- Speak with a Cybersecurity and Risk Management Specialist. Discover potential solutions for your organization, and learn about the differences between traditional and next-generation Cybersecurity Services.
- Do not click on links, download files or open attachments in emails from unknown senders. Open attachments only when you are expecting them, are certain the sender is credible and are confident in the message's content. Additionally, check a link's real destination by hovering over it first (the visible text and the actual URL are often different); if it seems even remotely questionable, don't click on it.
- Never email personal or financial information, even to someone you know well. You never know who may gain access to your email account or to the recipient's account.
- Be vigilant and avoid clicking on links to accept a prize you won for a competition you didn't participate in. Freebies and complimentary swag are attractive, so bad actors frequently use these ploys to trick people.
- Keep your browser updated. Security patches are routinely released for popular browsers to close the holes that phishers and other attackers exploit. If you habitually ignore prompts to update your browser, put a stop to that habit.
- Smartphone security best practices go a long way. To protect yourself, business accounts and personal information, always read app reviews before initiating downloads, keep smartphone security settings strict and consider adopting a reliable mobile security solution immediately.
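The sender-spoofing signs described under BEC above (a look-alike domain standing in for the CEO's real address, a Reply-To pointing somewhere else) and the "hover before you click" advice in the tips can be checked mechanically. The following Python script is an added example written for this post, not code from the original article or from Align; the message, the look-alike domain `examp1e-corp.com`, the trusted domain `example-corp.com` and the helper names are all constructed for illustration. It parses a raw email, flags a sender domain that is near but not equal to a trusted one, flags a Reply-To that differs from the From domain, and flags links whose visible text names one host while the href points at another.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): CEO-fraud style, with a look-alike
# sender domain, a foreign Reply-To, one deceptive link and one honest link.
SAMPLE_EMAIL = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
Reply-To: finance-desk@mail-relay-urgent.net
To: assistant@example-corp.com
Subject: URGENT wire before 5pm
Content-Type: text/html; charset="utf-8"

<html><body>
<p>I need you to process the attached invoice today.</p>
<p>Approve here: <a href="http://example-corp.com.login-verify.xyz/approve">https://example-corp.com/approve</a></p>
<p>Portal: <a href="https://example-corp.com/portal">example-corp.com/portal</a></p>
</body></html>
"""

# Hypothetical trusted domain for the organisation receiving the mail.
TRUSTED_DOMAINS = {"example-corp.com"}

# Anchor text that itself looks like a URL or bare domain, e.g. "bank.com/login".
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the <a> currently open, if any
        self._text = []      # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address):
    """Lower-cased domain part of an address header value, or '' if absent."""
    _, addr = parseaddr(str(address or ""))
    return addr.rpartition("@")[2].lower()


def host_of(url):
    """Host of a URL; a bare 'example.com/path' string is tolerated."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(host, trusted):
    """True if host is a trusted domain or a genuine subdomain of one.
    'example-corp.com.evil.xyz' is NOT trusted: the trusted name is only a label."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def analyze_message(raw, trusted):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"])
    if sender and not is_trusted(sender, trusted):
        near = [t for t in trusted if edit_distance(sender, t) <= 2]
        if near:
            findings.append(f"look-alike sender domain {sender} (resembles {near[0]})")
        else:
            findings.append(f"untrusted sender domain {sender}")
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from From domain {sender}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = host_of(href)
            shown = host_of(text) if URL_LIKE.match(text) else ""
            if shown and shown != target:
                # This is exactly what hovering over the link would reveal.
                findings.append(f"link text shows {shown} but points to {target}")
            elif not is_trusted(target, trusted):
                embedded = [t for t in trusted if t in target]
                note = f" (embeds {embedded[0]})" if embedded else ""
                findings.append(f"link to untrusted host {target}{note}")
    return findings


if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print("WARNING:", finding)
```

Run against the sample it reports three findings: the look-alike sender domain, the mismatched Reply-To, and the link whose text says `example-corp.com` while the href goes to `example-corp.com.login-verify.xyz`; the honest portal link produces nothing. The `is_trusted` check is deliberately suffix-based so that a trusted name used as a subdomain label of an attacker's host does not pass. A real mail gateway would add SPF/DKIM/DMARC results to this, but those need DNS and are outside what this offline example shows.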
Align Cybersecurity Services offer tailored, elegant and advanced cybersecurity solutions, encompassing Vulnerability Assessments / Penetration Testing, Cybersecurity Risk Management as a Service (Align Risk CSR), Customized Cybersecurity Programs, Third Party Management, Managed Threat Protection (Align Guardian), Cybersecurity Training and more.
This article has been updated and was originally written in 2018.