What Is Phishing? Types of Attacks and Prevention Tips
Phishing is a cyber attack that aims to persuade potential victims into revealing sensitive information such as passwords or credit card numbers. Cybercriminals do this by pretending to be someone they’re not and displaying a sense of urgency.
How Does Phishing Work?
Phishing is a dangerous and effective method of hacking. Phishing works by cybercriminals sending messages to people or companies containing a malicious link or attachment. The goal is to get their targets to click on the link, which can download malware or lead them to an illegitimate website to steal their personal information. Phishing attacks can be perpetrated in several ways, depending on the attacker and the information they’re attempting to secure.
Over the years, phishing has become far more sophisticated. It’s estimated that around 32% of all breaches involve phishing and around 64% of organizations report phishing attempts at least once in their history.
The challenge with phishing is that it can be difficult to spot as methods become more sophisticated, especially with the introduction of AI. You may have opened a phishing email once and not even realized it because cybercriminals rely on social engineering to convince unsuspecting victims to open suspicious attachments.
Commonly Used Phishing Techniques
Social engineering
Social engineering is an attack that manipulates the victim into quick action with deceiving information. One example is preying on the fear that the IRS is filing a case against the victim. This type of phishing scam is most common during tax season. The phishing message contains an urgent call to action such as “act now or the IRS will fine you,” which leads the victim into providing the cybercriminal with sensitive information.
Other more sophisticated examples include things like an illegitimate message from a colleague or superior at work, or a message containing confirmed recipient information. These examples can lead to many types of information being compromised.
Link mimicking
Link mimicking is often used in tandem with social engineering. Using an IRS scam as an example, the victim is manipulated into believing they owe the IRS money. They click the provided link. At first glance, the link will seem legitimate, perhaps even containing what appears to be the correct URL for the IRS website. Once clicked, however, the user is redirected to an illegitimate website where their information is requested. When the victim enters their information, the cybercriminal will know what it is, which they can then use for their own malicious purposes.
What Happens When You Click on a Phishing Link?
A phishing link can either redirect the victim to an illegitimate website, download a malicious attachment or install malware on the device or network.
A phishing attack might disrupt an organization’s entire network by hijacking it or stealing information. An attack can force an organization to shut down its online services for an indefinite period of time, causing significant losses in revenue and further damage from the malware. Additionally, there are regulatory fines that businesses can face and impacts on the business’s reputation following a breach.
A phishing attack is also dangerous to everyday people, causing financial losses or resulting in stolen identities.
Email Phishing Attacks
Email phishing attacks are among the most common and versatile phishing attacks, and often among the most effective. Email phishing attacks often depend on social engineering to manipulate users into clicking malicious links or downloading malware.
Types of Email Phishing
Spear Phishing
A spear-phishing attack is a targeted phishing attack that leverages personal information for maximum damage. The attacker already knows things like the victim’s phone number, address, full name and possibly even their Social Security number, then leverages that information to make phishing attachments or links feel more legitimate.
Whale Phishing
A whaling attack is similar to spear phishing, except that the target is a “whale,” or high-profile target instead of an everyday person or small business network. The goal is to gain access to high-level data, internal systems or classified information.
Clone Phishing
In a clone phishing attack, cybercriminals clone and resend legitimate emails that now contain malware or malicious links in an attempt to trick recipients into clicking on them.
Other Types of Phishing Attacks
Smishing
Smishing is the same as email phishing, except that it’s perpetrated via SMS messages. A victim receives a similar message to a phishing email in a text message, with a link to follow or attachment to download.
Vishing
Vishing is a more sophisticated and sometimes more effective method of phishing, since it involves an actual person speaking on the other end of the phone. The goal of the attacker is to obtain information, typically credit card information, for financial gain. Elderly people are more prone to fall for this type of attack.
Social or Angler Phishing
Angler phishing involves the attacker posing as a legitimate customer service representative and convincing victims to hand over personal information.
Malvertising
Malvertising is when cybercriminals pay legitimate advertisers to display ads on their websites or social media pages. When a user clicks on the malvertisement, they are navigated to malicious sites where malware is downloaded onto their devices.
How To Protect Yourself Against Phishing Attacks
Use a password manager
A password manager can protect you against phishing attacks by helping you create, manage and securely store your passwords. Password managers like Keeper Password Manager provide a built-in warning about phishing sites. If your saved login information isn’t showing up on the website you visit, you’re probably on the wrong site. Additionally, the integrated password generator feature helps you create strong, random passwords to replace compromised ones and limit the possibility of credential stuffing.
Don’t click unsolicited links or attachments
If you receive unsolicited links and attachments through email, text message or other messaging platforms, do not click on them. These links and attachments may contain malware that will be able to steal your sensitive information or can be used to spy on you.
If you’re not sure about a link being safe, hover your mouse over the link to see the full website address or use a tool like Google Transparency Report.
Use an email scanner
An email scanner is a tool that scans email attachments for potential malware. Investing in an email scanner will help protect you from email phishing attempts.
How To Protect Your Business Against Phishing Attacks
Employee education
Educate employees on the dangers of phishing, the various types of phishing and how to prevent an attack. You can also run random phishing tests to keep your team vigilant.
Use a business password manager
Using a password management solution for your business ensures that your organization’s passwords are stored safely and available only to the right people. Keeper Security, for example, provides role-specific access features and shared folders to restrict who can view certain credentials and records. Our robust business features also include password auditing and reporting, which give helpful updates on team password hygiene and make it easier to enforce password policies.
Use antivirus software
Antivirus software detects, isolates and deletes malware that’s been downloaded onto employee devices. It can also scan emails, specific files or pathways on devices for malware and other viruses. There are plenty of free and enterprise-level antivirus programs available online.
