Last updated on: September 19, 2022
Phishing is one of the oldest cybercrime threats, having been around since the earliest days of the internet.
Yet, the phishing scam is also one of the biggest cybersecurity threats facing any organization, and it is unique in the fact that it targets people instead of software or hardware.
Meaning, that even if you’ve invested in the most expensive cybersecurity infrastructure, your organization can be at risk if one vulnerable employee is compromised by a phishing scheme. This is one of the key reasons why phishing is so dangerous.
Unfortunately, the danger of phishing has increased both in quality and quantity in recent years. According to the Anti-Phishing Working Group (APWG)’s phishing activity trend report, 1,025,968 phishing attacks were recorded by March 2022, a 15% increase from Q4 2021. The sophistication and variety of techniques used in each attack have also increased.
In this article, we will look at what phishing is, how to identify phishing attempts, and how organizations can protect their employees and customers from phishing attacks more effectively.
By the end of this guide, you’d have learned about:
Let us begin this guide right away.
Phishing is a type of cybercrime in which the perpetrator contacts a target victim (or victims) while posing as a famous person or a legitimate institution to lure this victim into providing confidential, sensitive, and/or valuable information like Personally Identifiable Information (PII), banking details, credit card information, account credentials, and more.
The name “phishing” is analogous to fishing, referring to how the cybercrime “fishes” for credentials, passwords, and other sensitive information from its victims.
The word phishing was first used around 1996 by hackers stealing the then-popular AOL (America Online) accounts. Hackers in the late 1990s tended to replace “f” with “ph” (e.g., “phreaks”), hence the spelling “phishing.”
Traditionally, phishing was conducted over email, but today it can happen over many different communication channels: phone calls, text messages, social media comments and DMs, blog comments, and more.
The short answer is to monetize stolen information.
As with most other criminal activities (including cybercrimes), the majority of phishing attacks have financial motivations behind them.
There are, however, cases where the motivation is not financial, such as a personal vendetta or political reasons (e.g., black campaigns), but they are relatively rare.
So, how can cybercriminals make money from phishing? Understanding their monetization techniques may help you recognize phishing attempts. Here are a few examples:
Phishing is a form of social engineering, which is the umbrella term used to refer to a broad range of criminal activities achieved through human interactions.
Phishing relies on psychological manipulation to trick its victims into divulging their sensitive information or making security mistakes.
While cybercriminals can use different techniques and schemes in their phishing attacks, typically, they will follow these patterns:
For example:
This is just one example of so many different phishing techniques and schemes performed by cybercriminals on a daily basis. However, we can categorize phishing attacks into several major types, which we will discuss below.
The most basic type of phishing scheme, and as the name suggests, involves the perpetrator sending emails while impersonating a known brand or person.
The email will contain either a link to a malicious website or an attachment containing malware that will infect the recipient’s device.
How to identify:
While cybercriminals are getting more sophisticated in launching email phishing, you can generally look for the following signs:
Spear phishing typically also uses email as the primary communication medium, so it can be considered a variation of email phishing.
The main difference lies in spear phishing’s more targeted approach: it typically targets a single victim (or a small group of victims).
The perpetrator first researches the target thoroughly, for example via social media and the company’s website, and then approaches the victim with a personalized scheme that leverages the collected information (real names of the victim’s boss or HRD manager, work telephone numbers, and so on) to gain the victim’s trust.
Ultimately, because the accurate details make the scammer’s claimed identity believable, the victim falls into the perpetrator’s trap.
How to identify:
Identifying a spear phishing attack can be more challenging due to the amount of research conducted by the perpetrator and the seemingly valid information they used. However, look for the following:
Another variation of spear phishing, whaling (often called “CEO fraud”) involves the perpetrator using open source intelligence (OSINT) techniques to find the name of an organization’s CEO or another top-level manager and then impersonating that person from a fake email address.
The perpetrator will then target the company’s employees, asking the recipient for their account credentials, banking information, or even asking the recipient for a money transfer.
How to identify:
Many of us are trained that HTTPS websites encrypt our connection and are therefore safe for submitting personal information and credentials.
Many scammers, however, exploit this assumption in their phishing attempts by using the HTTPS protocol on the fake website linked in the phishing email.
How to identify:
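The email, spear phishing, whaling and HTTPS phishing sections above all come down to a handful of checks a mail gateway or an analyst can run on a message: an executive’s display name on a mailbox that is not theirs, a sender or link domain that imitates a known brand, link text that shows one domain while the link goes to another (a padlock on a lookalike domain is still a lookalike), and urgency or money-transfer language. The script below is an added example, not code from the article; the executive list, trusted domains and the three sample messages are constructed for the demonstration, and the “last two labels” domain guess is an assumption that stands in for a real public-suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Organisation data assumed for this example (constructed, not from the article).
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}   # display name -> real mailbox
TRUSTED_DOMAINS = {COMPANY_DOMAIN, "paypal.com", "microsoft.com"}
URGENCY_WORDS = ("urgent", "immediately", "wire transfer", "within 24 hours")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)


def levenshtein(a, b):
    """Edit distance, used to spot typo-squatted domains such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable-domain guess: last two labels (assumption: no public-suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def lookalike_of(host):
    """Trusted domain that `host` imitates, or None if it is trusted or unrelated."""
    reg = registrable(host)
    if not host or reg in TRUSTED_DOMAINS:
        return None
    labels = host.lower().split(".")
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        # one or two edits away from the brand, or the brand buried as a subdomain label
        if 0 < levenshtein(reg, trusted) <= 2 or brand in labels[:-2]:
            return trusted
    return None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw):
    """Return (indicator, detail) findings for one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    # Whaling / CEO fraud: an executive's display name on a mailbox that is not theirs
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(("exec-impersonation", f"'{name}' <{addr}>"))
    # Brand impersonation in the sender domain
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(("lookalike-sender", f"{sender_domain} ~ {imitated}"))
    # Replies quietly diverted to a different domain
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(("reply-to-mismatch", reply_to))
    parts = [p.get_payload() for p in msg.walk() if not p.is_multipart()]
    body = "\n".join(p for p in parts if isinstance(p, str))
    for href, text in LINK_RE.findall(body):
        target = urlparse(href)
        host = (target.hostname or "").lower()
        shown = HOST_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and registrable(shown.group(0)) != registrable(host):
            findings.append(("link-mismatch", f"shows {shown.group(0)}, goes to {host}"))
        imitated = lookalike_of(host)
        if imitated:  # HTTPS on a lookalike domain does not make it legitimate
            findings.append(("lookalike-link", f"{target.scheme}://{host} ~ {imitated}"))
    hits = [w for w in URGENCY_WORDS if w in body.lower()]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    return findings


def codes(raw):
    return {code for code, _ in analyze(raw)}


# Constructed sample messages.
WHALING = """From: Jane Doe <jane.doe@examp1e-corp.com>
To: accounts@example-corp.com
Subject: Urgent request
Content-Type: text/html

<p>Please process this wire transfer immediately; I am in a meeting.</p>
"""
BRAND = """From: PayPal Service <service@paypal.com.secure-login.net>
To: victim@example.net
Subject: Your account
Content-Type: text/html

<p>Your account will be limited within 24 hours. Confirm at
<a href="https://paypal.com.secure-login.net/verify">https://www.paypal.com/verify</a></p>
"""
LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: staff@example-corp.com
Subject: Lunch
Content-Type: text/html

<p>Menu for today: <a href="https://intranet.example-corp.com/menu">intranet.example-corp.com</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("whaling", WHALING), ("brand", BRAND), ("legit", LEGIT)):
        print(label, analyze(sample))
```

The whaling sample trips the executive-name, lookalike-sender and urgency checks; the brand sample trips lookalike-sender, link-mismatch, lookalike-link and urgency; the internal message trips nothing. Each indicator alone is weak (a real CEO does sometimes write “urgent”), which is why the output is a list of indicators for a reviewer or scoring rule rather than a verdict.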
Short for “Voice Phishing,” and as the name suggests, it is a phishing attempt that happens over a phone call.
Typically the perpetrator will call during a busy time, coinciding with a stressful season, period, or event, claiming to be from an established company and creating a heightened sense of urgency.
The idea is for the call to create a sense of panic, confusing the recipient into making security mistakes and divulging their sensitive information.
How to identify:
Short for “SMS phishing,” it is a phishing attempt made over text messages (SMS).
Typically the perpetrator sends a text message claiming to be from an established organization or company; the message includes a link that delivers malware and/or redirects you to a malicious website.
Since many people tend to view text messages as more personal and “harmless,” smishing may catch its victims off guard.
How to identify:
Angler phishing is a specific type of phishing targeting social media users, mainly involving the perpetrator using fake social media accounts impersonating known companies or individuals.
Angler phishing especially leverages the fact that interactions between businesses and customers on social media are becoming more frequent and expected. The perpetrator engages with target victims via notifications and DMs to trick them into making security mistakes.
How to identify:
Pharming is a rather advanced form of phishing, with the name being a portmanteau of “phishing” and “farming.”
A common pharming technique involves the perpetrator hijacking DNS resolution so that users trying to reach a specific website are redirected to a fake website instead.
A sophisticated pharming attempt can be very hard to detect.
How to identify:
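Because pharming works by tampering with name resolution rather than with the user, the useful checks live on the endpoint: is the hosts file overriding a name we care about, is the machine using a resolver we did not configure, and do the answers for a watched name agree with the addresses we have pinned and with each other across resolvers. The check below is an added example, not code from the article; the watched names, pinned addresses, allowed resolvers and the tampered hosts/resolv.conf samples are all constructed, and the resolver answers are passed in as data so the check runs offline.

```python
# Constructed expectations for this example (not from the article): pinned addresses
# for the names we watch, and the resolvers our endpoints are supposed to use.
WATCHED = {
    "online.bank.example": {"198.51.100.10", "198.51.100.11"},
    "mail.example-corp.com": {"203.0.113.25"},
}
ALLOWED_RESOLVERS = {"203.0.113.53", "203.0.113.54"}


def parse_hosts(text):
    """Map each name in a hosts file to the set of addresses it is pinned to."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            entries.setdefault(name.lower(), set()).add(addr)
    return entries


def parse_resolvers(text):
    """Nameserver addresses from a resolv.conf-style file."""
    servers = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.add(fields[1])
    return servers


def pharming_indicators(hosts_text, resolv_text, answers):
    """
    answers: {hostname: {resolver_ip: [answer_ip, ...]}} as observed on the endpoint.
    Returns (indicator, detail) tuples; an empty list means nothing looked wrong.
    """
    findings = []
    # 1. hosts-file override of a watched name (the classic local pharming trick)
    for name, addrs in parse_hosts(hosts_text).items():
        if name in WATCHED and not addrs <= WATCHED[name]:
            findings.append(("hosts-override", f"{name} -> {sorted(addrs)}"))
    # 2. resolver the organisation did not configure
    for server in sorted(parse_resolvers(resolv_text) - ALLOWED_RESOLVERS):
        findings.append(("unexpected-resolver", server))
    # 3. answers that differ between resolvers, or differ from the pinned addresses
    for name, by_resolver in answers.items():
        if len({tuple(sorted(v)) for v in by_resolver.values()}) > 1:
            findings.append(("resolver-disagreement", name))
        expected = WATCHED.get(name)
        for resolver, got in by_resolver.items():
            if expected is not None and not set(got) <= expected:
                findings.append(("unexpected-answer", f"{name} via {resolver} -> {sorted(got)}"))
    return findings


def indicator_codes(hosts_text, resolv_text, answers):
    return {code for code, _ in pharming_indicators(hosts_text, resolv_text, answers)}


# Constructed samples: one tampered endpoint, one clean one.
HOSTS_TAMPERED = "127.0.0.1 localhost\n# added by malware (constructed)\n192.0.2.99 online.bank.example\n"
RESOLV_ROGUE = "nameserver 203.0.113.53\nnameserver 192.0.2.53\n"
ANSWERS_ROGUE = {
    "online.bank.example": {"203.0.113.53": ["198.51.100.10"], "192.0.2.53": ["192.0.2.99"]},
    "mail.example-corp.com": {"203.0.113.53": ["203.0.113.25"], "192.0.2.53": ["203.0.113.25"]},
}
HOSTS_CLEAN = "127.0.0.1 localhost\n"
RESOLV_CLEAN = "nameserver 203.0.113.53\n"
ANSWERS_CLEAN = {"online.bank.example": {"203.0.113.53": ["198.51.100.11"]}}

if __name__ == "__main__":
    print(pharming_indicators(HOSTS_TAMPERED, RESOLV_ROGUE, ANSWERS_ROGUE))
    print(pharming_indicators(HOSTS_CLEAN, RESOLV_CLEAN, ANSWERS_CLEAN))
```

In production the pinned address sets need maintenance, since legitimate sites change IPs; a more robust variant pins the TLS certificate’s subject or issuer instead, which survives an address change but not a redirect to a host that cannot present a certificate for the real name.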
Above, we’ve learned how to recognize the major types of phishing techniques and the basic steps to protect yourself from them.
In this section, we will also discuss some important best practices to follow in order to protect yourself and your business from various phishing attacks:
1. Educate your employees
Since phishing is basically social engineering, the first line of defense you should have is to ensure your employees have the education and training necessary to recognize phishing attempts and protect their credentials/sensitive information.
Make phishing awareness training a part of your employee onboarding program, and regularly refresh the training to include newer methodologies and trends.
2. Require multi-factor authentication
Requiring multi-factor authentication can mitigate the risk of successful phishing in situations when your employees are tricked into divulging their credentials.
With multi-factor authentication, you’ll require your employees to provide another piece of information besides their password before they can log in to your networks and applications.
The secondary (or more) piece of information can be:
3. Regular backup
Successful phishing attacks may lead to malware infection, including ransomware, which can cost you access to certain files or applications or even cause complete system failure.
To mitigate this risk, keep a backup of your data regularly.
We’d recommend following the 3-2-1 backup principles: 3 copies of your data, on 2 different mediums, 1 of them kept offsite.
Another concern related to phishing is when your domain or brand name is used by cybercriminals as a part of their phishing scheme.
Although it’s not technically your fault, victims of phishing attacks may blame the brand the scammer is impersonating, causing a negative impact on the brand’s reputation.
While preventing cybercriminals from impersonating your brand entirely can be very difficult, if not impossible, there are steps your business can take to mitigate the risk:
While there are many different types of phishing attacks performed by scammers and cybercriminals, all phishing attacks have the following common features:
While there is no single way to avoid phishing attacks, you can use a combination of the above tips to prevent them and mitigate the damage.
It’s also important to remember that, besides establishing a strong cybersecurity infrastructure and best practices, another crucial element of preventing phishing is education. When it comes to phishing and other social engineering schemes, your organization is only as secure as the least knowledgeable person in it.