Phishing is a cyber attack that aims to trick potential victims into revealing sensitive information such as passwords or credit card numbers. Cybercriminals do this by pretending to be someone they are not and creating a sense of urgency.
How Does Phishing Work?
Phishing is a dangerous and effective method of attack. It works by cybercriminals sending messages to people or companies that contain a malicious link or attachment. The goal is to get the target to click the link, which can download malware or lead them to an illegitimate website that steals their personal information. Phishing attacks can be carried out in several ways, depending on the attacker and the information they are attempting to obtain.
Over the years, phishing has become far more sophisticated. It is estimated that around 32% of all breaches involve phishing and that around 64% of organizations report having faced a phishing attempt at least once in their history.
The challenge with phishing is that it can be difficult to spot as methods become more sophisticated, especially with the introduction of AI. You may have opened a phishing email once and not even realized it because cybercriminals rely on social engineering to convince unsuspecting victims to open suspicious attachments.
Commonly Used Phishing Techniques
Social engineering
Social engineering is an attack that manipulates the victim into quick action with deceptive information. One example is preying on the fear that the IRS is filing a case against the victim. This type of phishing scam is most common during tax season. The phishing message contains an urgent call to action such as “act now or the IRS will fine you,” which leads the victim into providing the cybercriminal with sensitive information. Other more sophisticated examples include an illegitimate message from a colleague or superior at work, or a message containing accurate details about the recipient. These examples can lead to many types of information being compromised.
Link mimicking
Link mimicking is often used in tandem with social engineering. Using an IRS scam as an example, the victim is manipulated into believing they owe the IRS money. They click the provided link. At first glance, the link will seem legitimate, perhaps even displaying what appears to be the correct URL for the IRS website. Once clicked, however, the user is redirected to an illegitimate website where their information is requested. When the victim enters their information, the cybercriminal captures it and can then use it for their own malicious purposes.
What Happens When You Click on a Phishing Link?
A phishing link can redirect the victim to an illegitimate website, download a malicious attachment, or install malware on the device or network. A phishing attack might disrupt an organization’s entire network by hijacking it or stealing information. An attack can force an organization to shut down its online services for an indefinite period of time, causing significant losses in revenue and further damage from the malware. Additionally, businesses can face regulatory fines and reputational damage following a breach. A phishing attack is also dangerous to everyday people, causing financial losses or resulting in stolen identities.
Email Phishing Attacks
Email phishing attacks are among the most common and versatile phishing attacks, and often among the most effective. Email phishing attacks often depend on social engineering to manipulate users into clicking malicious links or downloading malware.
Types of Email Phishing
Spear Phishing
A spear-phishing attack is a targeted phishing attack that leverages personal information for maximum damage. The attacker already knows things like the victim’s phone number, address, full name and possibly even their Social Security number, then leverages that information to make phishing attachments or links feel more legitimate.
Whale Phishing
Like spear phishing, whaling (or CEO fraud) targets high-level executives or individuals in positions of power within an organization. These attacks often use a sense of urgency or fear to prompt the victim to take immediate action, such as transferring money or sending sensitive information.
Clone Phishing
In a clone phishing attack, cybercriminals clone and resend legitimate emails that now contain malware or malicious links in an attempt to trick recipients into clicking on them.
Other Types of Phishing Attacks
Smishing
Smishing is the same as email phishing, except that it is perpetrated via SMS messages. A victim receives a message similar to a phishing email as a text message, with a link to follow or an attachment to download.
Vishing
Vishing is a more sophisticated and sometimes more effective method of phishing, since it involves an actual person speaking on the other end of the phone. The goal of the attacker is to obtain information, typically credit card information, for financial gain. Elderly people are more prone to fall for this type of attack.
Social or Angler Phishing
Angler phishing involves the attacker posing as a legitimate customer service representative and convincing victims to hand over personal information.
Malvertising
Malvertising is when cybercriminals pay legitimate advertisers to display malicious ads on their websites or social media pages. When a user clicks on the malvertisement, they are redirected to malicious sites where malware is downloaded onto their devices.
How To Protect Yourself Against Phishing Attacks
Use an email scanner
An email scanner is a tool that scans email attachments for potential malware. Investing in an email scanner will help protect you from email phishing attempts.
Don’t click unsolicited links or attachments
If you receive unsolicited links and attachments through email, text message or other messaging platforms, do not click on them. These links and attachments may contain malware that can steal your sensitive information or be used to spy on you. If you are not sure whether a link is safe, hover your mouse over the link to see the full website address, or use a tool like Google Transparency Report.
How To Protect Your Business Against Phishing Attacks
Employee education
Educate employees on the dangers of phishing, the various types of phishing and how to prevent an attack. You can also run periodic simulated phishing tests to keep your team vigilant.
Use antivirus software
Antivirus software detects, isolates and deletes malware that has been downloaded onto employee devices. It can also scan emails, specific files or directories on devices for malware and viruses. There are plenty of free and enterprise-level antivirus programs available online.
Steps To Take If You Respond to a Phishing Email
If you suspect that you’ve responded to a phishing email, you’ll need to act quickly to mitigate the damage. Here are some steps you should take:
1. Change your passwords: First, change your passwords immediately. You should change passwords regularly and follow password best practices anyway, even if you have not been targeted by a phishing attack. Passwords should be complex, unique and difficult to guess. Avoid using the same password for multiple accounts, and do not share your passwords with anyone.
2. Report the incident: Next, inform your IT department or email provider about the phishing email. Do this as soon as possible. Swift reporting of an incident helps security teams identify the source of the email and take the steps needed to prevent further attacks.
3. Enable two-factor authentication (2FA): This is another crucial step toward protecting yourself against phishing attacks. 2FA adds an extra layer of security, requiring a second form of authentication, such as a fingerprint or a one-time password, in addition to your username and password. That makes it more difficult for cybercriminals to access your accounts, even if they have your login credentials.
4. Monitor your accounts: Checking for malware is a must after responding to a phishing email. Malware is malicious software designed to damage or disable computer systems, steal sensitive information, or spy on user activity. Cybercriminals often use phishing emails to distribute malware. That is why it is essential to scan your device for viruses or other malicious software.
5. Contact the company or organization: If you responded to a phishing email that appeared to be from a trusted source, contact the company or organization to alert them. They may be able to take steps to prevent other customers or employees from falling victim to the same scam.
6. Educate yourself: Learn more about the different types of phishing attacks and how to spot them. Look out for telltale signs like grammatical errors, suspicious links and requests for sensitive information. Knowing what phishing tactics attackers commonly use will help you avoid being tricked by them in the future.