While most in the business world are cognizant of the term “phishing”, chances are only a few deeply understand the cyberattack strategy and the extent to which it can impact individuals and organizations. According to the Cybersecurity threat trends report for 2021 by CISCO, 90% of data breaches in that year were caused by phishing attacks (source: Must-Know Phishing Statistics: Updated 2022).
What is Phishing?
Phishing is a form of cybercrime that targets people via email, telephone, or text messages that appear authentic. Phishing prompts the victims to click on a specific website or link and thereby share sensitive information, under the impression that they are interacting with a legitimate institution. It typically lures people into sharing their personal information such as credit card details, social security numbers, and login credentials on a scam website. In some cases, the hackers may also trick individuals into installing malware on their machines. The motive of phishing attacks may either be financial gain or the desire to target a specific organization.
Types of Phishing Scams
- Deceptive Phishing
It is the most popular type of phishing attack, where the attacker attempts to obtain confidential information from their targets by impersonating an authentic organization. This information may then be used to steal money or plan further attacks. An example of deceptive phishing is a fake email that asks you to click on a link for account verification.
- Spear Phishing
This mode of phishing targets specific individuals instead of a group of people. With spear phishing, the communication with the individual is customized to seem more authentic. The attackers achieve this by doing extensive research on their targets on social media platforms and other websites. Spear phishing helps hackers infiltrate an organization before conducting a targeted attack.
- Whaling
Whaling refers to a targeted phishing attack conducted against the high-level executives of an organization. The attack is carried out by doing extensive research on the target before seizing the opportunity to steal their login credentials. Whaling is considered a much more dangerous form of phishing as it targets top executives who have access to critical company data.
- Pharming
Pharming is a form of phishing where users are taken to a malicious website under the impression that it is an authentic one. With pharming, the targets are not even required to click on a particular link to be redirected to the fraudulent site. The attack is carried out by compromising the target’s computer or the website’s DNS server and then redirecting the user to the malicious site even when the correct URL is typed in.
- Clone Phishing
Here, the attacker obtains an email sent from a legitimate source and alters it slightly by adding a link to a malicious page. This email is then sent to multiple people. When a user clicks on the attachment in the email, it is forwarded to the people in that user’s contact list.
- Voice Phishing
Also known as “vishing”, voice phishing involves making fraudulent phone calls to obtain sensitive information from individuals. In this case, the hacker tricks the employee during the call by posing as a company representative or a member of the support staff. Voice phishing is usually carried out to obtain credit card details and other confidential information from the target.
Common Characteristics of Phishing Emails
- Eye-catching
A common feature of phishing emails is the use of lucrative offers or statements that immediately grab the attention of the user. These include emails claiming that you have won a lottery or a grand prize.
- Quick Action
Phishing scams generally ask you to act quickly, stating that you have only a limited time to respond. By creating this sense of urgency, cybercriminals trick users into hastily revealing personal information or clicking malicious links.
- Hyperlinks
Caution must be exercised before clicking on any link. Hovering over a link reveals the actual URL behind the displayed text; it may lead to a completely different website, or to one whose address is subtly misspelled and opens a scam site.
- Attachments
Phishing emails may also contain attachments that carry ransomware or viruses. So, make sure all attachments are thoroughly examined before opening them. It is best not to open those that seem suspicious or unexpected.
- Unusual Sender
If an email appears suspicious or unusual, it is best not to open it. This applies whether or not the email appears to come from someone you know.
Dangers of Phishing Attacks
The usual goal of a phishing attempt is to either obtain sensitive data such as login or credit card details or to trick the user into installing malware. If the attacker manages to obtain your credentials, they can log in to your account and change the password to lock you out. Depending on the account that has been compromised, the hacker can then take a number of actions such as ordering items from your shopping account or stealing money from your bank account. They can also seize your business account and gather crucial information, putting the organization in jeopardy. The attacker can cause further damage if the user follows the practice of using the same password for multiple accounts as it then opens up the opportunity to simultaneously access all those accounts.
How to Prevent Phishing Attacks?
The CISCO Cybersecurity report for 2021 suggests that 86% of organizations had at least one employee clicking on a phishing link (source: Must-Know Phishing Statistics: Updated 2022). There are a few practices that every user needs to follow in order to prevent being a victim of a phishing attack.
- Do Not Disclose Crucial Information
Exercising prudence while browsing the internet can help curb phishing significantly. Do not enter personal information or verification details into unfamiliar websites without first checking with the company.
- Verify URLs
During a phishing attack it is very common for the link text to show one address while the underlying hyperlink points to a different URL. Hovering over a link reveals the real URL, which may lead to a scam website.
- Update Browser Settings
Users can prevent the opening of malicious websites by changing the browser settings to block fraudulent sites. This helps automatically block those websites that enable phishing scams.
- Change Passwords
While this is the most basic rule, regularly updating your passwords strengthens your system’s security. Ensure that you do not use the same password for multiple accounts, as this makes it easier to compromise all of them at once.
- Use Spam Filters
Spam filters help block spam emails in your system. The filter scans the source of the message, the software through which the message was sent, and the body of the message to decide whether it is spam or not.
- User Awareness
Apart from the above steps, it is imperative to educate users about the dangers of phishing and how one can protect oneself from it. Everyone associated with the organization from employees to high-level executives must be trained to recognize a phishing attempt and ways to avoid it.
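The hyperlink check described above (displayed address versus the real target of the link) and the spam filter's inspection of the message source can both be automated. The following is an added example, not code from the original article: it parses a constructed sample email, flags a Reply-To domain that differs from the From domain, and flags any link whose visible text names a different domain than its href. The sample message, the domain names in it and the crude two-label domain helper are assumptions made for the demonstration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (not a real message): the visible link text names the
# bank's domain, but the href and Reply-To point at a lookalike domain.
RAW_EMAIL = """\
From: Account Security <alerts@examplebank.com>
Reply-To: support@examp1ebank-verify.com
Content-Type: text/html

<p>Your account will be suspended unless you <a href="http://examp1ebank-verify.com/login">https://www.examplebank.com/verify</a> now.</p>
"""

class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registered_domain(host):
    """Crude eTLD+1 (last two labels); enough for the constructed sample."""
    return ".".join(host.lower().split(".")[-2:])
def analyse(raw):
    """Return a list of findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings, from_dom = [], registered_domain(msg["From"].addresses[0].domain)
    reply = msg["Reply-To"]  # sender check: where replies would really go
    if reply and registered_domain(reply.addresses[0].domain) != from_dom:
        findings.append(f"Reply-To domain differs from From domain {from_dom}")
    parser = LinkExtractor()
    parser.feed(msg.get_content())
    for text, href in parser.links:  # compare visible URL with real target
        if not re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
            continue  # visible text is not itself a URL, nothing to compare
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        actual = urlparse(href).hostname
        if shown and actual and registered_domain(shown) != registered_domain(actual):
            findings.append(f"link text shows {shown} but points to {actual}")
    return findings
```

A production filter would use a proper public-suffix list instead of the two-label helper and would also inspect attachments, which this example does not cover.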
Since the communication seems legitimate, as is the goal during a phishing attack, users must constantly stay vigilant and ensure they don’t disclose any crucial information before verifying the source a second time. No matter how smart a hacker is, they can only do as much damage as the user allows them.