How to Protect your Business from Phishing Attacks
Cyber attacks are a constant threat facing organisations and individuals. And a phishing attack is one of cybercriminals’ favourite ways of getting access to confidential information.
In this article, we’re going to cover what phishing is, what types of phishing attacks you should be wary of, and how to train your employees to spot phishing scams.
What is phishing? Why is it called phishing?
Phishing is a type of scam that involves hackers sending communication (usually email) impersonating a trusted sender (banks, your organisation’s CEO) to steal information or lock it (ransomware).
The word “phishing” is analogous to “fishing,” because just like an angler, scammers lure the fish (victims) with bait (emails) for passwords and other data. Hackers use “ph” instead of “f” – and “phishing” was coined around 1996.
What is a phishing attack?
A phishing attack in cyber security is an active attack that usually involves an individual or employee receiving an email scam. The email contains hyperlinks to fake web pages or malware attachments. When the person clicks the link or downloads the attachment, malicious software is installed on the computer. Generally, hackers are trying to access a person’s credentials (username and password) to gain access to accounts, steal data, and even lock the user out of their account.
Phishing attacks are social engineering attacks. As defined by Kaspersky, social engineering is “a manipulation technique that exploits human error to gain private information, access, or valuables.” These hackers lure victims into exposing data because they believe they are communicating with someone they trust – employers, colleagues, corporations such as banks and social media accounts. The cybercriminal manipulates the victim into compromising themselves.
How does a phishing attack work?
Often, hackers employ spoofing techniques in their phishing attacks. This is done by disguising an email address, phone number, URL or sender name by changing one letter, number or symbol. They are relying on the lack of attention to detail to convince you the communication is from a trusted source.
The way this communication is worded will create a sense of urgency – update your details now, don’t get locked out of your account and so forth.
So what happens during a phishing attack?
Let’s say you got an email from a hacker impersonating Facebook (this happened, by the way). The phishing email claims to be from “The Facebook Team” and warns that they’re gonna suspend the user’s account.
The victim opens the email and clicks on the hyperlink. That link redirects them to a fake Facebook page where they are prompted to add in their login information. Once you log in, the cybercriminals have your password. They can now use it to log in to your account and access your data and information, and even lock you out of your account.
If the victim is also an administrator of company Facebook Pages, the hackers also have access to those.
What are the types of phishing attacks?
The 5 most common phishing attacks types are:
Spear Phishing. The most common type of phishing attack, it’s called this way because it targets a specific fish (victim). Also called Business Email Compromise (BEC), this type of attack often impersonates an employee’s manager, let’s say, requesting a login update, or large bank transfer. According to IBM, this is the costliest attack for businesses, with the phishing attack losses at an average of $5.01 million per breach.
Email Phishing. A phishing attack by email works by mass-sending the same message to millions of potential victims, aiming to steal their credentials. Examples of companies are PayPal, Facebook or Amazon.
Is email phishing spam? No. Whereas spam is simply unwanted email, phishing emails are indented for malicious purposes.
Whaling. This type of phishing is aimed at the big fish – the CEO or other high-value targets. It’s a lot of work but has big payoffs.
Smishing is a phishing attack that happens through SMS, also known as SMS phishing. The victim receives a hyperlink that takes them to a malicious web page.
Vishing. A phishing attack by phone, via telephone call where the criminal impersonates a corporation or even family member trying to get victims to disclose sensitive information.
According to Verizon, “96% of phishing attacks arrive by email, 3% are carried out through malicious websites and 1% via phone.”
How do you spot a 2022 phishing email?
From Facebook to Zoom and Gmail, no path is left unexplored by hackers. Hackers have even found their way into Instagram’s Direct Messages and Slack’s communication channels.
One clever phishing attack example sent Zoom users a zoom invite link via email.
The percentage of successful phishing attacks in Australia alone is a staggering 92 (Proofpoint). Detecting phishing attacks and preventing scams should be a priority as part of business IT management.
So what are the signs of a phishing attack and how do you protect your business?
Here are the 5 most common signs of phishing that will help you avoid deceptive communication:
- The messaging sounds too good to be true or creates a sense of urgency: scare tactics (fee is past due),
- Request your private information. If you’re unsure, always double-check with the official parties
- Check the sender’s details for potentially misspelt words: sender name, domain spoof of known brand
- The email is poorly written. Grammar mistakes, spelling errors, impersonalised introduction or overpersonalised, and capitalization are all red flags.
- The email includes attachments or suspicious links: compressed attachments (for example zip or ppt files)
How to protect your business from phishing attacks
As we’ve seen, human error (insider threats) is the most common cause of phishing attacks. But these unintentional threats are damaging to your company – and your customers.
It’s extremely important to train your employees in recognising these types of scams and have a phishing attack response plan into place.
But the rapid changes in the working environments and the cybercrime landscape require not just attention to detail, but setting in place a mitigation of phishing attack countermeasures to fight back against threats.