Phishing is a type of cyber-crime, in fact it's one of the most common types of cyber-crime organisations encounter, costing, on average, just under £3M per successful attack.
Phishing works by targeting individuals, or entire organisations, via email, telephone, or text message and posing as a legitimate person/business requesting users to click on links to perform some type of action.
Phishing attacks often ask users to 'confirm' and share personal data such as passwords or credit card information, but the links contained in these types of attacks can also download malicious software, such as ransomware, onto the unsuspecting users' computer.
Common features of phishing
Depending on how sophisticated the scammer is, phishing can take many forms and appear to be from a myriad of legitimate-looking senders. However, there are common characteristics to look out for when spotting phishing attacks:
Congratulations! - Often phishing scams are wrapped up the disguise of a lucrative deal or offer intended to grab people's attention and make them feel excited and/or lucky. You may have 'won' a competition or else be offered the chance to invest in a wonderful (but totally fictitious) product. Remember, if it seems too-good-to-be-true, it probably is.
Urgency - Phishing scammers don't want to give you time to think, it's one of the reasons people at work are more likely to fall for these types of attack – their thoughts are on other important tasks. Cyber-criminals want you to act fast, so if you encounter an email pushing a sense of urgency or insisting you do something 'immediately', it's best to think twice. Legitimate organisations are unlikely to give you little time to act.
Links – If you've received a message asking you to click on a hyperlink, you can hover over it to view the actual URL it points to. Double check if this URL seems legitimate (is it misspelled? Does it seem to lead to a completely different website from where the source purports to be?). When in doubt, do not click! Visit the source directly and contact their customer team.
Attachments - if you spot an unexpected or strangely uncontextual attachment in an email, do not open and delete it immediately. Very often these files contain malware or viruses that automatically download to your device.
Beware the sender – Keep an eye on the sender's name; if you recognise it, ask yourself whether the tone of the email seems unexpected or out of character. If you're in doubt, contact the person separately and check whether the message is real. If the sender is unknown to you, it's ok to be suspicious about why they would contact you and how they got your details. If you're unsure, it's always best practice to forward the email to your IT department or contact the source directly yourself.
Common types of phishing to look out for
Whilst the goal of any phishing scam is to steal personal/sensitive data, there are many different types of phishing your employees should be aware of:
Not news to many of us, most phishing attacks are sent by email. Here, cyber-criminals register fake domains that impersonate genuine people or organisations, sending hundreds of thousands of generic requests to individuals, hoping just 1 or 2 will succeed in scamming somebody. Usually, the fake domain involves character substitution, e.g., using 'r' and 'n' next to each other to create 'rn' instead of 'm'. Alternatively, the criminal may use the impersonated person or organisation's name in part of the fake email address, hoping it will con a distracted recipient into thinking the address is legitimate.
Spear phishing is a type of email phishing, but it involves targeting only one specific person or group of people (hence the 'spear' symbolism). Cyber-criminals who engage in spear phishing will already have some, or all, of the following information about the victim: name, workplace, job title, email address, information about their job role, social media account information and posts, friends list. This type of information-gathering is a form of social engineering and it works because it allows cyber-criminals to launch more targeted phishing attacks that look and feel more personal and therefore, more genuine. An example of spear phishing would be an email from your 'manager' asking you to click a link and complete a genuine-sounding task.
Whaling attacks are an even more targeted form of email phishing and are designed to go after the 'big fish', e.g. senior management or the 'C-suite'. Crafted with a solid understanding of business language/tone, whaling is a type of fraud designed to encourage victims to perform a business-related action, e.g. transfer funds or file tax information. Similar to other phishing attacks, whaling is often accompanied by a sense of urgency and preys upon the fact that their target will be busy and stressed-out by the request.
Smishing and vishing
In the instance of both smishing and vishing, telephones replace emails as the vehicle of attack. Smishing involves criminals sending text messages (the content of which is much the same as with email phishing), and vishing involves a telephone conversation. A common vishing scam, for example, involves a fraudster posing as a bank or credit card representative and informing the victim that their account has been breached. The criminal will then ask the victim to provide payment card details to 'verify' their identity or to transfer money into a 'secure' account - of course, this account really belongs to the criminal.
Referring to the 'hook' aspect of real fishing, angler phishing is a specific type of phishing attack that exists on social media. Using social platforms, attacks are launched from realistic-looking corporate social media accounts that, in actual fact, exist to post malicious URLS to cloned websites, and which propagate fake posts, tweets, and products. These accounts may also contact followers, urging them to divulge sensitive information or click links to download malware under the guise of a 'competition' or similar corporate marketing that mentions specific users.
How effective is your phishing awareness training? It's easy to find out with our new phishing simulator tool! Click HERE to find out more.