Ultimate Guide to Phishing: Defining Phishing and Preventing Scams
Phishing is a dangerous and effective method of hacking perpetrated by amateur and experienced cybercriminals alike. Over the years, phishing has become far more sophisticated, and it’s estimated that around 32% of all breaches involve phishing and around 64% of organizations report phishing attempts at least once in their history.
The challenge with phishing is that it can be difficult to spot as methods become more sophisticated. You may have opened a phishing email once and not even realized it, because cybercriminals are depending more and more on social engineering to convince unsuspecting victims to open suspicious attachments.
Let’s take a deeper dive into the world of phishing and discover what it is, how it works, what kinds of phishing attacks are currently in circulation and how to protect yourself and your business from an attack. This is your ultimate guide to phishing.
What is Phishing?
The textbook definition of phishing is:
"The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers."
Phishing is a sophisticated social engineering attack meant to entice the victim into voluntarily revealing sensitive information and depends on a specific narrative or image to present itself as legitimate.
Let’s look a little closer at how phishing affects small businesses, large corporations, and everyday people so we can better understand why it’s so effective and used so frequently by cybercriminals.
Phishing attacks rose significantly in 2020. The pandemic created the perfect environment of fear, misinformation and unsecured computers and networks, resulting in a cyber crime spike. Around 75% of organizations reported a phishing attack in 2020.
Phishing is most frequently perpetrated via malicious email attachments, often disguised as .PDF files or Word files.
The average data breach costs around $3.92 million, and data breaches occur frequently, with an attack around every 40 seconds in the US. The United States is disproportionately affected by data breaches.
Even the largest companies aren’t entirely safe from phishing; companies like Facebook and Google have suffered massive phishing attacks in recent history, accounting for around $100 million in damages.
How Does Phishing Work?
Phishing attacks can be perpetrated in several ways, depending on the attacker and the information they’re attempting to secure.
Social Engineering
A social engineering attack manipulates the victim into acting quickly on deceptive information. One example preys on the fear that the IRS is filing a case against the victim: a text message with an urgent call to action (“Act now or the IRS will fine you”) leads the victim to a malicious site or phone number. More sophisticated examples include a spoofed message that appears to come from a colleague or manager, or a message that contains accurate personal details about the recipient. All of these can lead to a variety of information being compromised.
Link Mimicking
Link mimicking is often used in tandem with social engineering. Using the IRS scam as an example: the victim is manipulated into believing they owe the IRS money and clicks the provided link. At first glance the link seems legitimate; the visible text may even show the “correct” URL for the IRS website. Once clicked, however, the user is taken to a fraudulent website where their information is requested. These attacks are often aimed at the elderly or at people with minimal technology skills.
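The defender's counterpart to link mimicking is to compare what a link shows with where it actually goes. The following is an added example, not code from the original article: it parses the anchors in a constructed sample of an "IRS" email and flags three classic mismatches, a visible URL whose host differs from the href host, a userinfo trick (`https://www.irs.gov@203.0.113.5/`, which connects to the address after the `@`), and a punycode host that may be a look-alike. All hostnames in the sample are constructed and do not belong to a real campaign.

```python
"""Flag anchors in an HTML email whose visible text suggests one site but whose
href points somewhere else. Added example; not code from the original article."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: one honest link and three mimicking ones.
SAMPLE_EMAIL_HTML = """
<p>Your account is under review.</p>
<a href="https://www.irs.gov/payments">https://www.irs.gov/payments</a>
<a href="http://irs-gov-payments.example/login">https://www.irs.gov/payments</a>
<a href="https://www.irs.gov@203.0.113.5/pay">www.irs.gov</a>
<a href="https://xn--rs-fka.example/">irs.gov</a>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL, or None. Text without a scheme
    (e.g. 'www.irs.gov') is treated as a bare host."""
    if "://" not in url:
        url = "http://" + url
    try:
        return (urlsplit(url).hostname or "").lower() or None
    except ValueError:
        return None


def looks_like_url(text):
    """Heuristic: the visible text is itself a URL or bare hostname."""
    return "://" in text or ("." in text and " " not in text)


def check_anchor(href, text):
    """Return the reasons this anchor looks deceptive (empty list = nothing found)."""
    reasons = []
    target = host_of(href)
    if target is None:
        return ["href has no usable hostname"]
    # Userinfo trick: everything before '@' is ignored by the browser.
    if "@" in urlsplit(href).netloc:
        reasons.append("href contains userinfo before the real host")
    # Punycode labels can encode look-alike (homograph) names.
    if any(label.startswith("xn--") for label in target.split(".")):
        reasons.append("href host uses punycode (possible homograph)")
    if looks_like_url(text):
        shown = host_of(text)
        if shown and shown != target:
            reasons.append(f"visible text says {shown} but href goes to {target}")
    return reasons


def scan_email(html):
    """Return [(href, visible_text, reasons)] for every anchor in the message."""
    parser = _AnchorCollector()
    parser.feed(html)
    return [(href, text, check_anchor(href, text)) for href, text in parser.anchors]


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL_HTML):
        print("OK  " if not reasons else "WARN", href, "|", text, "|", "; ".join(reasons))
```

The same logic runs in a mail gateway or a browser extension; the key design choice is to compare parsed hostnames rather than substrings, so that `irs.gov.example` is never mistaken for `irs.gov`.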
What Happens When You Click on a Phishing Link
A phishing link can either redirect the victim to a fictitious website, download an attachment or install malware/viruses on the device or network.
A phishing attack might disrupt a business’s entire network by hijacking it or stealing information. In the event of an attack, it may force a business to shut down its online services for an indefinite period of time, causing significant losses in revenue and further damage caused by the malware. Additionally, there are regulatory fines that businesses can face and impacts on the business’s reputation in the event of a breach.
A phishing attack is also dangerous to everyday people, causing financial damage or resulting in identity theft.
Pharming is a cyberattack that redirects a site’s entire traffic flow to another malicious website. From there, cybercriminals can steal information and manipulate users into giving up credentials or downloading malware.
A data breach is when sensitive company or personal data is exposed via unauthorized entry to a system or application. This can expose things like credit card numbers, addresses, social security numbers, bank routing numbers and more. The largest data breach to date occurred in 2020 on the adult site “CAM4”, exposing a staggering 10 billion records.
Login theft occurs when a cybercriminal obtains login information from the victim via a phishing attack. Login credentials can easily be compromised, especially when nearly 65% of people recycle passwords. Some victims don’t even know their credentials have been compromised until it’s too late and financial or personal damage has been inflicted.
Malware is malicious software that, once downloaded or installed, creates entry points or steals information. Here are some common types of malware that phishing perpetrators may use to infiltrate your system:
Keyloggers are malware that record keystrokes, allowing cybercriminals to capture passwords and other login information.
Viruses are malicious programs that are copied onto a user’s system and infect certain files. These infections can be used to steal personal information from those files, but a virus needs a user action, such as sharing an infected file, to reach other computers.
Ransomware locks users out of their systems until a ransom is paid. This ransom payment is often requested in cryptocurrency to exploit anonymity. It has become a huge issue among government agencies and educational institutions. Interestingly enough, this type of malware is even becoming prevalent within the cryptocurrency space, where users are being locked out of exchanges or wallets until ransoms are met.
Worms are like viruses in that they infect files to perform malicious actions, except that they don’t need a host program or a user action to self-replicate. This means worms can spread independently of the user, there is no limit to the files they can infect, and they can even do things like read your email address book.
Trojan horses are malicious programs disguised as legitimate software. Once installed, they open backdoors into your system that allow attackers to steal information or even enlist your computer in a DDoS (Distributed Denial of Service) attack, overloading servers and attacking other systems.
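Whatever malware family an attachment carries, the first check a mail filter can make is whether the file is what its name claims. The article notes above that malicious attachments are often disguised as PDF or Word files; the following is an added example (not the article's or any vendor's code) that checks a filename against the file's leading bytes, catches double extensions such as `invoice.pdf.exe`, and looks inside an Office package for a VBA project. The sample attachments are constructed in the code itself; `build_docx_like` produces a minimal ZIP that only mimics the layout of a Word document.

```python
"""Check whether an email attachment is what its name claims.
Added example; sample files are constructed here, not taken from real mail."""
import io
import zipfile

# Leading bytes (magic numbers) for the document types the article mentions.
MAGIC = {
    "pdf": b"%PDF-",
    "docx": b"PK\x03\x04",  # OOXML documents are ZIP containers
    "docm": b"PK\x03\x04",
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # legacy OLE2 compound file
}
# Extensions that Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta", "lnk", "iso"}


def build_docx_like(with_macros: bool) -> bytes:
    """Construct a minimal ZIP that mimics an OOXML package (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def assess_attachment(filename: str, data: bytes) -> list:
    """Return a list of findings; an empty list means name and content agree
    and nothing risky was seen."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    # Double extension: the last part decides what actually runs.
    if len(parts) > 2 and parts[-2] in MAGIC and ext in EXECUTABLE_EXTS:
        findings.append(f"double extension: looks like .{parts[-2]} but is .{ext}")
    elif ext in EXECUTABLE_EXTS:
        findings.append(f"executable attachment type .{ext}")

    # Claimed document type must match the magic number.
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append(f"content does not match .{ext} signature")

    if ext == "pdf" and b"/JavaScript" in data:
        findings.append("PDF contains JavaScript")

    # Any ZIP-based Office package carrying a VBA project deserves a closer look.
    if data.startswith(MAGIC["docx"]):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                    findings.append("Office package contains a VBA project (macros)")
        except zipfile.BadZipFile:
            findings.append("claims to be an Office package but the ZIP is corrupt")
    return findings


if __name__ == "__main__":
    samples = {
        "report.pdf": b"%PDF-1.7\n%constructed sample\n",
        "invoice.pdf.exe": b"MZ\x90\x00",
        "quote.docm": build_docx_like(with_macros=True),
        "quote.docx": build_docx_like(with_macros=False),
    }
    for name, blob in samples.items():
        print(name, "->", assess_attachment(name, blob) or "clean")
```

In practice this runs at the gateway before the message reaches a mailbox; a mismatch between extension and magic number is a strong signal on its own, while the macro and double-extension checks catch the two disguises the article describes.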
Email Phishing Attacks
Email phishing attacks are among the most common and versatile phishing attacks, and often among the most effective. Email phishing attacks often depend on social engineering to manipulate users into clicking malicious links or downloading malware.
Types of Email Phishing
Email phishing comes in many forms, and each form has its own special uses:
A spear phishing attack depends on personal information for maximum damage. The attacker already knows things like the victim’s phone number, address, full name and even social security number, and leverages that information to make phishing attachments or links feel more legitimate.
A whaling attack is similar to a spear phishing attack, except that the target is a “whale”, or high-profile target, instead of the everyday person or small business network. The goal is to gain access to high-level data or potentially classified information.
In clone phishing, cybercriminals copy a legitimate email the recipient has already received and resend it with the attachments or links replaced by malicious ones, in an attempt to trick the recipient.
Phishing Email Examples in the News
Phishing emails have made headlines in the last few years. Here are a few examples:
Fake COVID-19 emails
This attack has been common since the onset of the COVID-19 pandemic in March of 2020. Emails tricking users into clicking malicious links for information on vaccines or the latest pandemic statistics wreaked havoc on the elderly and people who weren’t well-informed about the virus.
Fraudulent IRS emails
One of the most common phishing email attacks leverages the authority of the IRS to invoke fear in victims. The email typically contains frightening language about how a “lawsuit” is being filed against the victim for back taxes, and offers a link to “pay now”. There have also been an increasing number of refund and COVID-19 relief payment scams.
Other Types of Phishing Attacks
Phishing is not limited to email. Here are some of the other channels attackers use:
Smishing is the same as email phishing, except that it’s perpetrated via SMS messages. A victim receives a similar message to a phishing email in a text message, with a link to follow or attachment to download.
Social or Angler Phishing
Angler phishing involves the attacker posing as a legitimate customer service representative, typically on social media, and convincing victims to hand over personal information.
Vishing is a more sophisticated and sometimes more effective method of phishing, since it involves an actual person speaking on the other end of the phone. Recently, several vishing call centers have been exposed in India, with damages topping around $14 million.
Malvertising: attackers pay legitimate ad networks to display their ads on websites or social media pages. The ads entice victims to click through to malicious sites where malware is downloaded onto their devices.
How to Protect Against Phishing Attacks
Protecting yourself and your business against phishing attacks can mean the difference between financial ruin and better cybersecurity overall. Here are some helpful tips for protecting against these common and effective cyber attacks.
- Don’t click links you don’t expect. If you didn’t expect an email or promotion, don’t click on it or download any files from it.
- Don’t download files you don’t know anything about. If an offer seems too good to be true, it probably is.
- Use an email scanner to scan attachments and emails for potential malware.
- Use a password manager to store and manage passwords safely. Password managers like Keeper provide a built-in warning about phishing sites. If your saved login information isn’t showing up on the website you visit, you’re probably on the wrong site. Also, integrated password generator features help you create strong, random passwords to replace compromised ones and limit the possibility of credential stuffing.
- Employee Education: Educate employees on the dangers of phishing, the various types of phishing and how to prevent an attack. You can also run random phishing tests to keep your team vigilant.
- Use a Business Password Management Platform: Using a password management platform for your business ensures that your business’s passwords are stored safely and available only to the right people. Keeper, for example, provides special role-specific access features and shared folders to restrict who can view specific credentials and records. Our robust business features also include password auditing and reporting which give helpful updates on team password hygiene and make it easier to enforce password policies.
- Use Antivirus Software: Antivirus software can often detect and isolate or delete malware that’s been downloaded onto employee devices. It can also scan emails, specific files, or pathways on devices for malware and other viruses. There are plenty of free and enterprise-level antivirus programs available online.
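The password-manager tip above relies on one mechanism: a saved login is only offered on the site it was saved for, so a look-alike page gets no autofill. The following is an added example of that decision logic written for this article; it is not Keeper's code and assumes a simplified rule (the page host must equal the saved host or be a subdomain of it, over HTTPS). The vault entries and URLs are constructed.

```python
"""Decide whether a saved credential may be offered on the current page.
Added example of the autofill rule described above; not a vendor's code."""
from urllib.parse import urlsplit

# Constructed vault: the host each credential was saved for.
VAULT = [
    {"name": "Bank", "host": "bank.example", "username": "alice"},
    {"name": "Mail", "host": "mail.example.org", "username": "alice@example.org"},
]


def host_matches(saved_host: str, page_host: str) -> bool:
    """True only if page_host is saved_host or a subdomain of it, label by label.
    Substring matching is deliberately avoided: 'bank.example.evil.test'
    contains 'bank.example' but must not match."""
    saved = saved_host.lower().rstrip(".")
    page = page_host.lower().rstrip(".")
    return page == saved or page.endswith("." + saved)


def credentials_for(url: str, vault=VAULT):
    """Return (matching entries, refusal reason). An empty list with a reason
    is the 'your saved login isn't showing up' signal from the article."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return [], "refusing to fill over a non-HTTPS page"
    # https://bank.example@203.0.113.9/ actually connects to 203.0.113.9.
    if "@" in parts.netloc:
        return [], f"URL contains userinfo; the real host is {host}"
    matches = [e for e in vault if host_matches(e["host"], host)]
    if not matches:
        return [], f"no saved login for {host}; this may not be the site you think"
    return matches, ""


if __name__ == "__main__":
    for url in (
        "https://bank.example/login",
        "https://online.bank.example/",
        "https://bank.example.evil.test/login",
        "https://bank-example.test/login",
        "http://bank.example/login",
        "https://bank.example@203.0.113.9/",
    ):
        entries, reason = credentials_for(url)
        print(url, "->", [e["name"] for e in entries] or reason)
```

Real password managers refine this rule (registrable-domain matching, per-entry exceptions, subdomain opt-outs), but the defensive property is the same: the match is computed from the parsed hostname, never from what the page looks like, which is exactly what a mimicked link cannot fake.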