Phishing, the fraudulent practice of sending emails purporting to be from reputable companies to induce individuals to reveal personal information, is a specific and pervasive form of social engineering. Increasingly, alongside its more sophisticated but more narrowly targeted cousin, Business Email Compromise (BEC), phishing has become the most popular and potent cyberattack vector, and business communications at large have become the criminal community's chosen medium for it. According to Proofpoint's 2022 State of the Phish report, 83% of organizations said they had suffered at least one successful phishing attack in 2021, and 54% of those organizations reported a resulting customer or client data breach. Bulk phishing was the most common type of phishing attack.
So how do we defend ourselves, our colleagues, clients, and other stakeholders from these cunning attacks? The best approach is to understand the nature and objective of these attacks and become familiar with the practices, tell-tale signs, and techniques used by the threat actors.
The Goal: The goal of phishing via social engineering is to trick the victim into believing that the message they receive from the phishing perpetrator contains something they want or need — a request from their bank, for instance, or a note from someone within their company — and to click a link or download an attachment. The attacker's primary goal is to compromise systems to obtain usernames, passwords, and other account and/or financial data.
In fact, with the right phishing network in place, some information gathering, and the proper bait, attackers can gain access to just about any company or organization — even government agencies — and inflict devastating damage.
The Patterns: The way phishing scams operate is pretty straightforward. Once a victim has fallen for the ploy and unsuspectingly entered their personal information on a forged site or in response to an email, the attacker then uses that information for personal gain.
Phishing is not only highly common, but it’s arguably the most damaging and high-profile cybersecurity threat facing organizations today.
- Phishing campaigns that added a phone call (vishing) were three times as effective in 2021, netting clicks from 53.2% of targets. Source: IBM Threat Intelligence Index 2022
- Phishing emerged as the top infection vector in 2021. Source: IBM Threat Intelligence Index 2022
- The successive waves of COVID-19 made news about variants and vaccines one of the top social engineering lures of 2021. Source: Proofpoint Human Factor Report 2022
- 77% of organizations saw bulk phishing attacks, and 66% dealt with spear phishing attacks. Source: Proofpoint State of the Phish 2022
- 83% of survey respondents said their organization experienced a successful email-based phishing attack in 2021, up from 57% in 2020. Source: Proofpoint State of the Phish 2022
What to do: There are three common phishing vectors that you need to keep an eye out for:
Email Phishing
From business executives to home internet users, anyone who opens an unexpected email and trusts its content is vulnerable to this classic manipulation tactic. Researchers at Symantec suggest that almost one in every 2,000 emails is a phishing email, meaning around 135 million phishing attempts are made every day. Most people simply don't have the time to analyze every message that lands in their inbox, and that is exactly what phishers count on.
How do you tell a real email from a phishing scam? The best defense is knowing the signs and staying vigilant. Check every link before you follow it: hover over it to see the actual destination, which can differ from the text displayed, and look at the domain the link really points to rather than the start of the address, since a forged URL that merely contains a trusted brand's name is a common trick. If anything about the sender's address or the link seems even remotely questionable, don't click on it.
Cloud Storage Phishing
Customers of cloud service providers such as Amazon, Google, and Dropbox have become a favored target of phishing scammers. Typically the scammers send the victim an attachment or message that asks them to log into their cloud account through a forged portal, which captures the login credentials in the process.
Many of the phishing campaigns aimed at cloud storage users carry lures (details that make the phishing content look legitimate) saying that a document or picture has been shared with the victim, and encourage them to sign into their account to view it. Because many of us trust the cloud implicitly with our personal data, stay alert when an unexpected "shared with you" notification or unknown attachment comes through, and open the provider's site from a bookmark or by typing its address rather than through the link you were sent.
Mobile Phishing
More and more phishing scammers are shifting their focus to users' smartphones, since mobile devices and applications have become ideal attack vectors.
Mobile phishing is an emerging threat in today's connected world. In a mobile phishing attack the attacker usually sends an SMS message containing a link to a phishing web page or application which, if visited, asks for credentials; this SMS variant is known as "smishing". The same lures also arrive through email and messaging apps opened on the phone, where the small screen often truncates the sender address and the URL, making the tell-tale signs harder to spot.
Forged applications work the same way: unsuspecting users install a look-alike app loaded with malware, and the crooks harvest personal information and trick users into divulging passwords. Protect yourself by installing apps only from the official app stores, reading reviews before you download, keeping security settings strict, and considering a reputable mobile security solution.
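All three vectors above come down to the same checks: does the sender's display name match the address the mail actually came from, did the message pass SPF, DKIM and DMARC at the receiving server, and where does each link really go. The script below is an added example (not code from the original article or from Align Cybersecurity) that runs those checks over a constructed sample message, a fake "document shared with you" lure of the kind described under cloud storage phishing, using only the Python standard library. The same check_url function applies to a link copied out of an SMS. The brand table, the confusable-character list and the two-label "registered domain" rule are simplifying assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands impersonated in the lures discussed above, mapped to the domain each one
# really uses. Assumed table for this example; a deployment would carry the
# organization's own brand and partner list.
BRAND_DOMAINS = {
    "dropbox": "dropbox.com",
    "google": "google.com",
    "amazon": "amazon.com",
    "microsoft": "microsoft.com",
}

# Character pairs used to forge look-alike hostnames (rnicrosoft, paypa1, ...).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

# Constructed sample message: a "shared document" lure with a spoofed display
# name, failing authentication results and two deceptive links.
SAMPLE_EMAIL = """\
From: "Dropbox Team" <share@dropbox-files.co>
To: victim@example.com
Subject: A document has been shared with you
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=dropbox-files.co; dkim=none; dmarc=fail header.from=dropbox-files.co
Content-Type: text/html

<html><body>
<p>Alex shared <b>Q3-Invoices.pdf</b> with you.</p>
<a href="https://www.dropbox.com@login-dropbox.co/view?id=1">View document</a>
<a href="http://rnicrosoft.com/signin">Sign in with Microsoft</a>
</body></html>
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: ignores multi-part public
    suffixes such as co.uk; use the Public Suffix List in real tooling."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def fold_confusables(host: str) -> str:
    """Collapse common look-alike sequences so rnicrosoft.com folds to microsoft.com."""
    folded = host.lower()
    for lookalike, real in CONFUSABLES:
        folded = folded.replace(lookalike, real)
    return folded


def check_url(url: str) -> list[str]:
    """Return the tell-tale signs found in one link (empty list means nothing odd)."""
    findings = []
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    # "https://www.dropbox.com@evil.co/": everything before '@' is userinfo;
    # the browser connects to the host after it.
    if parts.username is not None:
        findings.append(f"userinfo trick: connects to {host!r}, not {parts.username!r}")
    if parts.scheme != "https":
        findings.append(f"not https (scheme {parts.scheme!r})")
    reg = registered_domain(host)
    folded_reg = registered_domain(fold_confusables(host))
    for brand, real in BRAND_DOMAINS.items():
        if reg == real:
            continue  # genuinely the brand's own domain
        if folded_reg == real:
            findings.append(f"look-alike of {real}: {host}")
        elif brand in host:
            findings.append(f"'{brand}' used in a non-{real} host: {host}")
    return findings


def check_headers(msg) -> list[str]:
    """Display-name/address mismatch and SPF/DKIM/DMARC results."""
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    for brand, real in BRAND_DOMAINS.items():
        if brand in display.lower() and from_domain != real:
            findings.append(f"display name claims {brand} but From domain is {from_domain}")
    # Authentication-Results is written by the receiving mail server (RFC 8601);
    # anything other than pass for spf/dkim/dmarc deserves a closer look.
    results = dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))
    for method in ("spf", "dkim", "dmarc"):
        if results.get(method) != "pass":
            findings.append(f"{method}={results.get(method, 'missing')}")
    return findings


def triage(raw_message: str) -> dict:
    """Triage a raw RFC 5322 message (single-part HTML body assumed for the example)."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    links = {url: check_url(url) for url in HREF_RE.findall(body)}
    return {"headers": check_headers(msg), "links": links}


if __name__ == "__main__":
    report = triage(SAMPLE_EMAIL)
    for finding in report["headers"]:
        print("header:", finding)
    for url, findings in report["links"].items():
        print("link:", url)
        for finding in findings:
            print("   ", finding)
```

Run against the sample, the script flags the display name that claims Dropbox while the mail came from dropbox-files.co, the failed SPF and DMARC checks, the first link's userinfo trick (the browser goes to login-dropbox.co, not www.dropbox.com) and the second link's "rn" for "m" look-alike of microsoft.com. A genuine https://www.dropbox.com/ link produces no findings. The confusable folding is deliberately crude; real tooling should also handle internationalized (punycode) hostnames, which this example does not.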
How to Avoid Becoming a Victim of Phishing
Phishing has been around practically since the inception of the Internet, and it won't go away anytime soon, so it pays to become familiar with the best ways to avoid phishing scams.
Here are some tips to learn how to guard against them:
- Stay informed about phishing techniques. New phishing scams are being developed all the time. If you aren’t staying on top of these new phishing techniques, you could inadvertently become a victim. Keep your eyes peeled for news about the latest phishing scams. By finding out about them as early as possible, you will be at a much lower risk of getting snared.
- Do not click links, download files, or open attachments in emails from unknown senders. Even when you know the sender, open attachments only when you are expecting them and know exactly what they contain; a compromised account sends mail that looks exactly like its owner's.
- Never email personal or financial information, even if you are close with the recipient. You never know who may gain access to your email account, or to the person’s account to whom you are emailing.
- Never enter personal information in a pop-up window. Legitimate organizations do not collect it that way, and a pop-up can be displayed on top of a page you trust.
- Keep your browser updated. Security patches are routinely released for popular browsers. They are released in response to the security loopholes that phishers and other hackers inevitably discover and exploit. If you typically ignore messages about updating your browsers, put a stop to that habit. The minute an update is available, download and install it.
- Turn on your browser's built-in phishing protection, or add an anti-phishing extension. Most popular browsers now include a feature that checks the sites you visit against lists of known phishing and malware sites and warns you before the page loads; make sure it is enabled, and add a reputable anti-phishing toolbar or extension if you want a second opinion. Bear in mind that such lists only catch sites that have already been reported, so a brand-new phishing page can slip through. This is one more layer of protection against phishing scams, and it is free.
Nobody wants to fall prey to a phishing scam. There’s a good reason that such scams will continue, though: they're successful enough for cybercriminals to make massive profits. Fortunately, there are ways to avoid becoming a victim.
Protect your staff against cyber threats with Align Cybersecurity™ Security Awareness Training.
Align Cybersecurity offers tailored, nimble and advanced cybersecurity solutions encompassing Vulnerability Assessments / Penetration Testing, Cybersecurity Risk Management as a Service (Align Risk CSR), Customized Cybersecurity Programs, Third Party Management, Managed Threat Protection (Align Guardian), Cybersecurity Training and more.