Phishing is one of the oldest forms of cyberattacks, and despite its age, it is still widespread to this day. A 2019 report by multinational firm Deloitte, for example, revealed that 76% of businesses had reported being victims of phishing attacks.
Further, the Deloitte report noted that businesses had lost a total of $12 billion to email-based scams, with the average loss per business being $3.92 million. Moreover, the FBI’s 2019 Internet Crime Report showed that companies and individuals in the United States lost over $3.5 billion, with phishing scams taking the most significant chunk of the total sum.
With the total loss attributed to this cyberattack, it is evident why it persists and why cyber attackers have found new and more elaborate ways of propagating the vice.
Phishing attacks are becoming more and more sophisticated. This article will detail what phishing is, which types of phishing attacks are most common, how to recognise fraudulent emails by their common features, and how to avoid this type of cyberattack.
What is phishing?
Phishing is a form of cyberattack aimed at stealing user data such as log-in credentials (i.e., usernames, passwords, personal identification numbers), credit card numbers, social security numbers, names, addresses, and other sensitive information.
The attackers, who often masquerade as trusted company representatives, use phone calls, emails, and social media to reach their targets and dupe them into opening emails or messages, creating a gateway for stealing the data. For this reason, this type of cyberattack is also referred to as a phishing scam.
Notably, it is a widespread type of data breach. So much so that Verizon Enterprise’s 2020 Data Breach Investigations Report (DBIR) ranked it the top source of data breaches for the second year running. This ranking, published in the DBIR’s ‘Top threat action varieties in breaches’ list, meant that it held a higher threat status than hacking, physical theft, and malware attacks such as trojans, password dumpers, and ransomware.
What are examples of phishing attacks?
The threat of phishing as a cyberattack emanates from the fact that attackers can carry it out in many different ways. In its simplest form, cybercriminals may not even require computers. All they need to do is manipulate a company or a person into doing something they should not, in what is referred to as social engineering.
Attackers identify the victim, gain their trust, and provide motivation for subsequent steps that ultimately end in the victim revealing sensitive information. This aspect of phishing scams makes them dangerous because the attackers do not need to go through the painstaking process of identifying errors in code or vulnerabilities in entire software packages. Social engineering focuses on ensuring a human being makes a mistake, which is, in turn, very hard to identify, unlike an issue with a program.
With this in mind, here are the most common types of phishing attacks:
Email phishing is the most common type of phishing. The DBIR observed that 96% of all phishing scams were sent via emails, with 3% arriving via websites and 1% through phone calls or SMSs.
The attackers usually send out thousands of emails to different recipients hoping that a small percentage will fall for their phishing scam. Indeed, the figures provided above show that people do fall victim, and this is because of the various elements that the scammers include in their scam, as the common features of phishing emails described below show.
Recognizing the widespread nature of email phishing attacks, some businesses, particularly those in the financial sector, usually send disclaimers as part of their official emails. In such communications, they note that their official emails will always include the recipient’s name. This is mainly because phishing emails use generic salutations. After all, the attackers target multiple people and do not have access to the real company’s customer database.
Spear phishing emails target a specific individual. The emails contain the victim’s real name, job title, personal information, and employer.
Attackers who engage in CEO fraud impersonate a company’s CEO or manager and send emails to other, often junior, employees within that organization.
Whaling is the inverse of CEO fraud, in that the scammers pretend to be junior employees in a given company. They then send emails or messages to the management team to trick them into revealing sensitive information.
Smishing is a phishing attack delivered via an SMS.
Vishing occurs when an attacker calls the victim’s phone intending to trick them into revealing sensitive information.
Clone phishing entails making a replica, but malicious, version of a message that the victim has already received. The message, sent from a genuine-looking email address, contains attachments or links to malicious sites. When the attachment is downloaded or the link clicked, the victim’s computer or the company’s computer network is opened to unauthorized data extraction.
Common features of phishing emails
Phishing emails, the most commonly used type of phishing attack, are often effective because scammers have identified common features that lead to high open rates. Knowing these features can help identify email fraud.
Firstly, the attackers ensure that the emails are sent from a spoofed email, i.e., an address that closely resembles a genuine company’s email. They do this by deleting a letter from the business’s official domain and substituting it with another or by including an organization’s name in a fake email address’ username section. To an unsuspecting eye, such doctored email addresses easily pass off as genuine.
Scammers then often follow this or a similar flow:
- Creating a sense of urgency to disorient the recipients
- Purporting to be running lucrative promotions (to capture attention)
- Including a hyperlink
- Sending the phishing email with an attachment that contains ransomware, viruses, or other types of malware.
Notably, merely downloading the attachment infects the victim’s computer and, depending on the virus, makes the computer a gateway for the attackers to gain access to vital company data.
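The sender-spoofing tricks and message features described in this section can be turned into a simple triage heuristic for incoming mail. The following Python is an added example, not code from the original article; the trusted domain, brand name, urgency keywords, risky extensions and the sample message are all constructed assumptions:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organisation's genuine domain and brand name.
TRUSTED_DOMAINS = {"examplebank.com"}
BRAND = "examplebank"
URGENCY = ("urgent", "immediately", "suspended", "within 24 hours", "verify your account")
RISKY_EXT = (".exe", ".scr", ".js", ".docm", ".zip")

def edit_distance(a, b):
    # Levenshtein distance: one deleted or substituted letter gives a distance of 1.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_flags(from_header):
    # The two spoofing tricks described above: lookalike domain, brand name in the username.
    local, _, domain = parseaddr(from_header)[1].lower().rpartition("@")
    if domain in TRUSTED_DOMAINS:
        return []
    lookalike = any(edit_distance(domain, t) == 1 for t in TRUSTED_DOMAINS)
    return [f for f, hit in (("lookalike-domain", lookalike), ("brand-in-username", BRAND in local)) if hit]

def phishing_flags(raw):
    # Return the phishing features found in a raw RFC 822 message, sender flags first.
    msg = message_from_string(raw)
    body, names = "", []
    for part in msg.walk():
        if part.get_filename():
            names.append(part.get_filename().lower())
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode(errors="replace")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    checks = (
        ("generic-salutation", re.match(r"\s*dear (customer|user|client|valued)", body, re.I)),
        ("urgency", any(k in text for k in URGENCY)),
        ("hyperlink", re.search(r"https?://", body)),
        ("risky-attachment", any(n.endswith(RISKY_EXT) for n in names)),
    )
    return sender_flags(msg.get("From", "")) + [f for f, hit in checks if hit]

# Constructed sample: the sender domain drops one letter, generic greeting, urgency, link.
SAMPLE = ("From: ExampleBank Support <alerts@examplebnk.com>\nSubject: Urgent: account suspended\n"
          "Content-Type: text/plain\n\nDear Customer,\nVerify within 24 hours: http://examplebnk.com/login\n")
```

Each flag on its own is weak evidence; a mail gateway or analyst would treat several flags together, especially a lookalike sender domain, as grounds to quarantine the message for review.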
How to avoid phishing
Scammers accomplish phishing attacks by exploiting gaps in a company’s operations. For instance, some businesses do not train their employees in how to protect the company’s security. Some also do not have measures in place to protect their computing infrastructure. In this regard, the best way to avoid phishing is by taking these actions:
- Conduct training sessions to help recognise the signs of a phishing attack
- Update all systems and software to ensure that they are using the latest updates and security patches
- Install antivirus and anti-malware software
- Encrypt all sensitive information such that if a data breach were to occur, the information would be inaccessible to the scammers
- Use web filters to block suspicious websites and spam filters to block phishing emails
While the statistics support the widespread nature of phishing scams, all is not lost as it is possible to avoid phishing attacks. With the proper training and tools, organizations can easily spot phishing attacks and stop the potential data breach.
As you have learned, phishing is a type of cyberattack that is often carried out by sending out emails, messages, or calling the victim to extract sensitive personal information.
There are different types of phishing, but emails are the most common. They often contain features that help identify suspicious emails, such as hyperlinks that lead to a phishing site or attachments.
If you are interested in cybersecurity, find out how proxies can help protect your brand and intellectual property in our article Proxies for Cybersecurity Solutions.