Have you ever received an email from your ‘bank’ warning you that your account will be blocked unless you verify your personal information? The problem is that these and similar emails are not from your actual bank, landlord or service provider at all. Instead, they are the tool attackers wield to carry out phishing attacks.
By definition, phishing is a type of online fraud that attempts to acquire sensitive personal information and user credentials through deception. Most phishing attacks seek to steal credit card numbers, passwords, bank details, and other confidential information from you. For businesses, a lot is at risk, because the naivety of a single employee can lead to critical information being leaked to competitors or individuals with malicious intent.
In this blog post, we dive into phishing, its types, and how you can protect yourself against such threats.
How does phishing work?
For a successful phishing attack, the scammer first sends an email or text message that takes the form of an official notification and/or request for information. These fake notifications can appear to come from banks, e-payment systems, or other services. The well-written notifications encourage you to update/share/enter your personal information because of a system breakdown, loss of data, or verification process.
The second step involves the recipient of the phishing email/text clicking on a link. Depending on the type of phishing attack, the link may install malicious software on your computer, ask for a payment, or ask you to enter information. In most cases, the link points to a phishing site that is made to look and feel exactly like the original website (e.g. just like your bank’s website) but all the information you enter is forwarded to the scammer while you are redirected to the original website.
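The two steps above leave traces a defender can check before anyone clicks: urgent wording, a sender domain that imitates the real one, and a link whose visible text is the genuine site while its target is not. The script below is an added example (not from the original post) that flags those traits in a constructed sample message; the trusted domain, the urgency word list and the single-substitution lookalike rule are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not a real message): the urgent "verify or be blocked"
# notice, with a link whose visible text is the genuine URL but whose
# target is a lookalike domain that collects whatever the victim types.
SAMPLE_EMAIL = {
    "from": "Example Bank Security <alerts@examp1e-bank.com>",
    "subject": "Action required: your account will be blocked",
    "html": '<p>Please visit <a href="http://examp1e-bank.com/verify">'
            'https://www.example-bank.com/login</a> within 24 hours.</p>',
}
TRUSTED_DOMAINS = {"example-bank.com"}  # assumption: the genuine bank domain
URGENCY_WORDS = ("blocked", "suspended", "verify", "action required")
# Good enough for simple mail bodies in an example; a real filter would use an HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.S | re.I)
URL_LIKE_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

def domain_of(url):
    """Host of a URL or bare domain, lower-cased and without a leading 'www.'."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def lookalike(domain, trusted=TRUSTED_DOMAINS):
    """True if domain is untrusted but one substituted character away from a
    trusted one (the classic '1' for 'l' or '0' for 'o' typosquat)."""
    return domain not in trusted and any(
        len(domain) == len(t) and sum(a != b for a, b in zip(domain, t)) == 1
        for t in trusted)

def phishing_indicators(email):
    """Return the suspicious traits found in one email (dict with from/subject/html)."""
    found = []
    if any(w in email["subject"].lower() for w in URGENCY_WORDS):
        found.append("urgent wording in subject")
    sender = re.search(r"@([\w.-]+)", email["from"]).group(1).lower()
    if lookalike(sender):
        found.append(f"sender domain {sender} mimics a trusted domain")
    for href, text in ANCHOR_RE.findall(email["html"]):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop nested tags
        if lookalike(domain_of(href)):
            found.append(f"link target {domain_of(href)} mimics a trusted domain")
        if URL_LIKE_RE.fullmatch(text) and domain_of(text) != domain_of(href):
            found.append("link text shows a different site than its target")
    return found

if __name__ == "__main__":
    for hit in phishing_indicators(SAMPLE_EMAIL):
        print("-", hit)
```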
Types of phishing:
There are various forms of phishing that attackers use. The most common are:
- Phishing Email: An email that is designed to trick users into entering their credentials or installing dangerous malware on their computers/smartphones.
- Spear Phishing: A type of phishing that is targeted at specific individuals (such as the clerks of an organization) based on their access to information, interests, etc.
- Pop-up Phishing: A phishing attempt in which pop-up ads and notifications are used to trick the user into installing malicious software on their computers (e.g. by notifying that your computer has been hacked and you need to install anti-virus software).
- Clone Phishing: This phishing attack involves tricking recipients by sending them duplicated versions of emails that they have already received in the past.
- Whaling: A sophisticated and advanced type of phishing that is used to trick executives (CEOs and CFOs) into giving up their business’ valuable information.
What makes phishing so dangerous:
On the surface, phishing attacks look quite simple, but they can be as damaging as any other cyberattack. Over time, attackers have made phishing attacks even more advanced. For instance, some phishing emails can easily bypass the ‘Junk’ filters of email providers and even spoof the sender addresses of official organizations (such as Microsoft or Google).
Most phishing attacks use social engineering to extract information from you. For instance, the next phishing email you receive might even mention some of your personal information that the scammers have learned about you, leading you to trust the sender even more.
What makes phishing so threatening is the fact that it is almost undetectable by even the most advanced cybersecurity systems, and thus you are left at the mercy of your employees. If an employee willingly (but unknowingly) gives up your business’ information, then there is very little you can do to address that threat.
Examples of Phishing Attacks
In the past, phishing attacks have scammed even the most reputed organizations out of millions of dollars. Here are a few examples of such phishing attacks:
- Between 2013 and 2015, Facebook and Google were both scammed out of more than $100 million through a well-planned fake invoice fraud. By impersonating an Asia-based manufacturer that was a vendor to both companies, the attacker was able to send invoices and receive payment against several of them.
- The Crelan Bank of Belgium lost more than $75 million in a whaling attack that scammed the CEO into giving out sensitive information about the bank’s assets.
- In 2017, attackers sent fake shipping-information emails purporting to come from United Parcel Service (UPS) to more than 3,000 businesses. Several businesses were infected with dangerous malware because their employees clicked on the links provided in the email.
There are countless other examples of how businesses have been scammed by phishing attacks and even though the loss is not always financial, such attacks can cause significant damage in other forms as well.
Are you in the risk zone?
We have already discussed how phishing attacks target the human element of cybersecurity rather than the hardware and software itself. The success of phishing rises as user awareness of such threats falls.
As a business, you are in the risk zone for phishing if you lack one or more of the following:
- Comprehensive data and cybersecurity governance policy that highlights the best practices to follow.
- Regular training sessions and user-awareness programs to help employees understand and overcome the various types of phishing.
- Access control policies that limit employees to the information they need, when they need it, to minimize damage in case of a breach.
How to protect yourself against phishing attacks:
The good news is that phishing attacks can be avoided by ensuring that your employees are well-informed and that your security policies cover the people side of security too.
Here are a few tips on how to protect your business and yourself against phishing attacks:
- Educate your employees: Host regular security awareness sessions that guide employees on what they should and should not do. In particular, you should advise employees not to: open suspicious emails, click on suspicious links or any links unless the sender is well-known/internal to the organization, send any kind of personal or financial information via email, click on pop-up ads/install software without approval from security.
- Revise your security governance policies to cater to phishing: Make sure that you have all areas covered under your governance policy for phishing including what recovery steps to take in case of a successful attack, how to minimize damages, and recommended practices that employees should follow whenever using the internet/accessing their email.
- Develop a risk mitigation and prevention plan: You must understand and plan for the threats posed by phishing and other types of cyberattacks to your organization. Therefore, you need to develop a risk mitigation plan that identifies the vulnerabilities phishing attacks exploit and addresses them according to their level of severity.
Phishing attacks can be menacing because they target the naivety of humans rather than the complex algorithms of security systems. In the past, phishing attacks have caused massive financial and operational losses to organizations. As a business, it is important to understand how phishing works, its various types, and how you can protect yourself.
Apvera’s Insight360 is an intelligent cybersecurity platform that has advanced threat intelligence and risk mitigation features. We can help you minimize phishing attacks by providing you with up-to-date information on the latest types of phishing attacks as well as identifying the threats that your business is exposed to.
If you would like to learn more about phishing attacks and how we can help you, please get in touch.