Social engineering attacks account for a significant proportion of cyberattacks, up to 98 percent. Rather than targeting the systems themselves, these attacks exploit the vulnerabilities of those who use information technology. Amongst the most frequently used tactics employed by cybercriminals today is phishing. Use this Phishing 101 guide to ensure you have the knowledge to keep you and your organization safe.
Table of Contents
- What is Phishing?
- A Brief History of Phishing
- What’s the Difference Between Spam and Phishing?
- Why Phishing Attacks are Becoming More Frequent
- What Are the Different Types of Phishing?
- How to Identify a Phishing Email
- What to Do After a Phishing Attack
- An MSP Look at Phishing Email Prevention
- The Data Breach Risks to Your Organization
- Phishing Prevention Best Practices
- Knowledge is Key in Phishing Prevention
What is Phishing?
Phishing is a common social engineering attack that tries to manipulate you into sharing sensitive personal information or installing malicious software onto your computer. This is done by a cybercriminal fraudulently impersonating a known sender – hoping you will unknowingly supply personal information they can use for financial gain.
A cybercriminal’s ability to be exceptionally convincing is what makes this type of attack successful. Once they have the data they need, they can access online accounts, obtain personal data, or even compromise systems.
The most widely known form of phishing is done via email. It has been reported that 90% of cyber-attacks gained access to a company via phishing (CISA, n.d.). Understanding phishing, and how to avoid being phished, is a critical element in your organization’s cybersecurity plan.
A Brief History of Phishing
The origin of phishing started around 1995 and took hold during the popular days of America Online (AOL). Phishers began their attacks on AOL by stealing users’ passwords and employing algorithms designed to create randomized credit card numbers (Phishing, 2022), but this strategy wouldn’t last forever.
Once AOL caught on and implemented security measures to prevent this type of attack, these early hackers moved on to create techniques that continue to be a foundation for phishing attacks. The hackers began impersonating AOL employees, then messaged users via email and AOL Instant Messenger (AIM). During these interactions, they would fool their victims into giving them their account and billing information.
In 2001, phishers became more interested in online payment systems and employed more manipulative techniques to create a false sense of safety for their victims. This often looked like creating HTTPS sites where the cybercriminal would try to get their targets to supply credentials and personal information.
These days, attacks are even more ornate and include:
- Conversation hijacking
- Gift card phishing campaigns
- Vishing scams
- Business email compromise
- Vendor email compromise
- Spoofing company-specific Office 365 sign-in pages
- And more…
What’s the Difference Between Spam and Phishing?
Spam mail, also known as junk mail, is often unsolicited commercial advertising – where emails are sent out in bulk to a wholesale recipient list. However, spam can sometimes be a socially engineered spoofing attack where the hacker hopes to gain access to your computer. This type of spam can be sent by botnets, which are networks of infected computers.
In essence, spam may contain phishing (e.g., in a spoofing attack where someone disguises their identity to look like a trusted source). However, the spam you encounter in your email may simply be an innocuous – albeit annoying – unsolicited ad. It’s important to know how to safeguard yourself. Learn how to protect yourself from a malicious phishing attack in the section below called Phishing Prevention Best Practices.
Why Phishing Attacks are Becoming More Frequent
Phishing attacks can have a devastating impact on both individuals and businesses. While individuals may experience financial fraud, identity theft, or unauthorized purchases, companies that fall prey to these attacks often suffer significant financial losses, damage to their reputation, and a loss of stakeholder trust.
Unfortunately, phishing attacks are becoming increasingly sophisticated and frequent, posing a severe threat to individuals and businesses. Here are a few reasons why they are more prevalent.
Organizational Insight
Organizations that reduce spending on their security posture and fail to provide their employees with adequate training create opportunities for cybercriminals to exploit them.
Constantly Evolving Cybercriminals
It’s important to understand that cybercriminals are constantly evolving and adapting their tactics to exploit any vulnerabilities in your business. Their strategies are continually changing, so you must be prepared to defend against a moving target.
Recently, threat actors have been using website contact forms to target businesses. They pose as legal authorities and claim that the company is not complying with the law, then request that the organization download a “report.” It’s crucial to stay vigilant and aware of these scams to keep your business safe.
Cheap Tools for Phishing Attacks
It may be alarming to learn that cybercriminals can easily obtain inexpensive phishing tools through the dark web. This accessibility allows individuals with little to no technical knowledge to become hackers.
Remote/Hybrid Workforce
Remote/hybrid work models adopted since the pandemic created new cybersecurity challenges due to dispersed workforces and mobile endpoints, leading to an increase in phishing attacks. Learn how to protect remote employees from phishing.
What Are the Different Types of Phishing?
To recap, phishing attacks are attempts by cybercriminals to obtain personal information about you that they can use for financial gain – such as banking information, login credentials, social security numbers, etc. These communications appear to come from reputable sources, are often very convincing, and use manipulation tactics.
Let’s look at some of the varieties of phishing you might encounter:
Spear Phishing
Imagine going actual spear fishing. What would it take to catch a big fish? It would take precision, patience, and practice. It’s the same for spear phishing attacks. Cybercriminals seek out individuals in a certain category who are lower in profile than victims of whaling (see section below for more details).
In spear phishing, attackers spend more time researching and crafting their plans than the traditional method because they need to be convincing for this higher tier target. They could be spending days or weeks creating emails that are so convincing that they appear to be from a known and trustworthy source.
Whale Phishing
You might be asking yourself, “Whaling? Whale phishing? What exactly is that?” As its name might suggest, whaling is a form of spear phishing that seeks out big targets – like those found in upper management. These targets have the potential to yield giant results when successfully executed – so cybercriminals plan these attacks well in advance and coordinate them with other attack methods to ensure the greatest success rate.
Vishing Phishing
Cybercriminals have gotten more creative over time – looking to attack people where they spend a lot of time. Vishing, smishing and angler phishing (covered in the next sections) are examples of this type of approach.
Vishing, specifically, occurs when attackers try to gather valuable sensitive information in a phone call. This approach can often be quite convincing – particularly if they use the names of large known organizations victims have worked with – paired with urgency and fear tactics.
Smishing Phishing
As previously noted, smishing attacks are a cybercriminal’s way of trying to gather your sensitive information through a channel other than email. In this case, they conduct their assault through a text message.
A popular example of this is a cybercriminal sending you an SMS message pretending to be a bank. The message claims a security issue requires your immediate attention and directs you to a link to your bank’s login page. Although the page may appear legitimate, it is a fake page that records your keystrokes. If you enter your login information, the attackers can use it to gain unauthorized access to your bank account.
Artificial Intelligence (AI) Phishbait
The use of AI is on the rise, with many individuals incorporating AI chatbots such as ChatGPT and Google Bard into their daily routines. Unfortunately, cybercriminals are exploiting this trend and using it as an opportunity to steal your data.
One example is a scheme in which attackers develop bogus social media ads offering free downloads of AI products. When you click on the ad, you’re instructed to download a fake file – which is malware. The malware is used to access sensitive data, such as your login credentials and credit card numbers.
QR Code Phishing
Cybercriminals use QR codes in their messaging to disguise their malicious intent. When a code is scanned, you may be directed to a site containing malware or prompted to input sensitive information. This method is growing in popularity. Learn more about QR code phishing.
Clone Phishing
Many organizations rely on email to communicate important information to their customers. Sometimes they send an email that’s missing content, so they often send a follow-up email with the missing details. In a clone phishing scam, cybercriminals imitate these follow-up emails to manipulate you.
To do this, the attackers gain access to a legitimate email at the organization and then clone a previous email that was sent. They add text claiming that the original email was missing an attachment with urgent information, which encourages recipients to download the attachment. However, this attachment contains malware that allows the cybercriminals to steal sensitive information once downloaded. It’s important to be cautious and avoid downloading attachments from suspicious emails, even if they appear to be follow-up messages from legitimate organizations.
Angler Phishing
In angler phishing, attackers use social media to strike at their victims. They start by creating fake customer service accounts on platforms like Facebook and Twitter.
Attackers generally lie in wait for social media users to come to them when they go looking for help from a legitimate account – which makes this a slow-moving attack. When their victims engage with them, thinking they’re a trusted organization, they unknowingly give away their sensitive information to a cybercriminal.
Barrel Phishing
Phishing techniques are always growing and adapting. Barrel phishing, also known as double-barrel phishing, is growing in popularity.
In a barrel attack, phishers use two separate phishing emails to gain your trust. The first email is often used to lure you into a false sense of security by starting a conversation that appears to come from a trusted source. This email may not have any malicious intent beyond the deception.
The email that follows, though, is often an aggressive email that has persuasive messaging and malicious content (e.g., links) geared toward making you do what they ask. In eliciting an emotional response, they get you to do things you might not otherwise do – thereby putting your business at risk.
How to Identify a Phishing Email
Humans are the first line of defense against phishing. After all, these tactics have been curated specifically to elicit emotional reactions and/or to appear to be from a legitimate source. To protect yourself from the damages a phishing attack can cause, look for the following:
- Email contains grammatical errors or poor language
- You receive an email from someone you don’t know
- The sender tries to get you to send money to a strange account
- You receive an email that asks you to change your password or login information
- You suddenly notice new messages that you never sent or messages you didn’t receive
- You receive an unexpected email that asks you to click on a link that leads to a website you don’t own (FightCybercrime, n.d.).
Keep in mind that cybercriminals often deploy emotions to coerce you into an action – such as clicking on a link or opening an attachment. They try to elicit fear, urgency, greed, or curiosity. So, if a suspicious email is trying to evoke emotion, ask yourself why.
For easy-to-understand information on how to identify common scams visit Scam Spotter.
What to Do After a Phishing Attack
If you or your organization finds yourself in the vulnerable position of having been the victim of a phishing attack, there are some immediate actions you should take. Follow these five steps to help mitigate the damage that can happen to your business:
- Change your passwords on all email accounts.
- If someone sent money, contact your financial institution. Request a recall or reversal as well as a Hold Harmless Letter or Letter of Indemnity.
- Scan your computers for malware. If present, you will need to address that issue.
- Consider placing a fraud alert on your credit reports to help prevent the cybercriminals from opening new accounts in your business’ name.
- Report the business email compromise (BEC) to the FBI to prevent others from getting scammed (Federal Bureau of Investigation, n.d.).
Check out these other places you can file reports (Phishing, n.d.).
An MSP Look at Phishing Email Prevention
If you invest in cybersecurity services from an experienced Managed Service Provider (MSP), then you can rest assured that you have a team of experts on your side ready to help you mitigate phishing risks.
The most effective way to keep your business protected from the risks of phishing is to be proactive. The measures the Aligned team implements include:
Training and simulated phishing campaigns
Simulated phishing campaigns are designed to improve employees’ responses to these attacks. Training and testing are a crucial part of your organization’s cyber resilience – because people are your first line of defense.
Enabling MFA on your accounts
Multi-factor authentication (MFA) helps keep your organization safe by using a password and at least one more factor to allow access to systems and/or applications. That means, even if a cybercriminal has your password, they won’t be able to access your account because they can’t authenticate using your other factors. MFA can protect against:
- Phishing
- Spear phishing
- Keyloggers
- Credential stuffing
- Brute force and reverse brute force attacks
- Man-in-the-middle (MITM) attacks
Email identifier tags
Using email tags (e.g., [External]) gives you insight into a message’s source. Seeing this tag does not mean the message is a scam; rather, it affords you the opportunity to consider whether it is from a known sender.
IP address allowlist
An allowlist is a security list created by your MSP which gives access to pre-approved programs, IPs, or email addresses. That means that anything not on the list does not get access to system resources.
Implementing conditional access controls
According to Microsoft (2022), conditional access is the protection of regulated content in a system by requiring certain criteria to be met before granting access to the content. For instance, you can use conditional access policies to ensure that each system has the most updated version of antivirus and patches installed before the user can access Microsoft 365.
Identify suspicious file names
Threat actors try to lure their victims into downloading files from emails that can do serious damage to an organization. These files are often deceptive, hiding their true purpose behind long names or hidden file extensions.
Always be wary of any unsolicited attachments. Cybercriminals like to disguise executable files (.exe) as innocuous-looking files – like a .JPG or .PDF. Often, the .EXE part of the name is hidden from view. What that means is, once you click on a file you believe is safe, you find yourself running a malicious program and exposing your organization’s valuable assets.
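A mail filter or help desk script can apply the same scrutiny to attachment names automatically. The following is an added example, not part of the original article or of any Aligned tooling; the extension lists, the length threshold, and the function name `check_attachment_name` are assumptions chosen for illustration.

```python
import re

# Assumed, non-exhaustive lists chosen for this example.
# Extensions that Windows runs (directly or via a script host) on double-click.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs", "lnk", "msi", "hta"}
# Extensions users tend to treat as harmless documents or images.
DECOY_EXTS = {"pdf", "jpg", "jpeg", "png", "gif", "doc", "docx", "xls", "xlsx", "txt"}
MAX_SANE_LENGTH = 80  # assumed threshold for a suspiciously long name


def check_attachment_name(name):
    """Return a list of reasons the attachment name looks deceptive (empty = none)."""
    findings = []
    # Windows ignores trailing dots and spaces, so "a.exe. " is still treated as .exe.
    cleaned = name.rstrip(". ")
    parts = [p.strip().lower() for p in cleaned.split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return findings

    findings.append("executable")
    # "invoice.pdf.exe": with known extensions hidden, the user sees "invoice.pdf".
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        findings.append("double-extension")
    # Padding or sheer length can push the real extension out of the visible column.
    if re.search(r"\s{5,}", cleaned) or len(cleaned) > MAX_SANE_LENGTH:
        findings.append("extension-pushed-out-of-view")
    return findings


# Constructed sample names, not taken from any real campaign.
SAMPLES = [
    "Q3-report.pdf",
    "invoice.pdf.exe",
    "photo.jpg" + " " * 40 + ".exe",
    "setup.EXE. ",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", check_attachment_name(sample) or "no finding")
```

A finding is a reason to quarantine or review the attachment, not proof that it is malicious; legitimate installers are also reported as "executable".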
If you click on a suspicious file, your cybersecurity team will receive an email that details the security concern so you can take proper action. Here’s an example of what that message might look like:
The Data Breach Risks to Your Organization
Once your organization has a data breach, everything must be managed very carefully – from cybersecurity actions to addressing your stakeholders’ concerns. Your team, or your MSP, will need to work diligently to restore your cybersecurity. Your productivity will be next to nil until that is complete. During this time, executives must ensure that proper reporting is being done as well as keeping stakeholders informed about the breach.
Not having a risk management plan in place before a breach happens will make this time very challenging – and it’s not the time you should be creating one. Your focus must be on managing your organization’s credibility and getting your team back to being fully operational again. Otherwise, your organization may collapse after the attack – and it happens more often than you might think.
According to Business to Community (2022), 1 in 8 businesses are destroyed by a data breach. Therefore, it is imperative that both large and small organizations have experts mitigating the cyber risks to be successful in today’s digital environment.
The damages due to a successful phishing attack can be detrimental – whether it is a personal or business attack.
However, from a professional perspective, it is everyone’s responsibility to safeguard the system(s) using the most up-to-date best practices. Otherwise, you may find yourself dealing with:
If you discover that you’ve had a data breach due to phishing, it’s going to be crucial that you take the right actions to rebuild trust. Learn the key steps to take if you’ve had a data breach.
Phishing Prevention Best Practices
Cybercriminals target small to medium-sized businesses because SMBs have less expertise, smaller budgets, and less time to defend themselves against cyberattacks. That makes SMBs an easy target. The best way to stay protected is to employ these best practices:
How to Protect Your Business from Phishing
- Never share personal information.
- Utilize firewalls and antivirus software.
- Utilize multi-factor authentication (MFA).
- Enforce mandatory password managers. There are great ones available and even some free ones – like LastPass.
- Be proactive and stay informed on the latest phishing techniques. This means regular training for all employees – from intern to CEO.
- Be cautious whenever you consider clicking on a link. Don’t click on links from random emails or instant messages. Hover over any links you’re unsure of to view the address to verify the site is legitimate before clicking. When in doubt, don’t click. Contact your cybersecurity expert for guidance.
- Keep your browser updated to ensure security patches are installed.
- Install an anti-phishing toolbar. The toolbar will check sites you are visiting against known phishing sites and alert you if you are heading toward a malicious site.
- Keep your systems current on security patches and updates. Learn why security patches are important.
You should also be sure to take advantage of email phishing filters – like Office 365 anti-phishing protection. Just keep in mind that even though phishing filters exist, they can’t stop all the attacks from getting into your inbox. Every person in an organization needs to have attention to detail when engaging with any email.
Another great way to stay protected is by utilizing Endpoint Detection and Response (EDR) – also known as Endpoint Detection and Threat Response (EDTR). This cybersecurity solution continuously watches end-user systems to detect and respond to cyberthreats quickly.
Do you have remote workers? Just because they are removed from your organization doesn’t mean they’re safe from a malicious attack. Make sure they’re getting cybersecurity training and antivirus protection, and are using MFA whenever possible. Also ensure that every remote worker’s system stays current with the latest updates and patches. Remote workers can also employ a VPN, or virtual private network, for added protection since they are not working behind your robust company firewall on a secure network.
Knowledge is Key in Phishing Prevention
With phishing being one of the most common, and effective, cyber-attacks, it is imperative that everyone within your organization has ongoing training. They need to:
- Know what phishing is
- Understand the risks involved
- Be able to identify phishing attempts
- Know how to report phishing attempts
- Know what actions to take after an attack
This training is crucial to the well-being of your organization. Not preparing for the inevitable attack can lead to devastating effects. Don’t become a statistic. Be proactive and develop a sound cybersecurity plan to protect your small business. If you’re interested in receiving a free cybersecurity consultation from Aligned, contact our representatives today!