Phishing attempts can be highly destructive and difficult to detect. According to IBM, phishing is the most common method of breaching a company’s secure network, and this type of data breach takes on average 250 days to identify. As these malicious cyber attacks become more advanced and more ubiquitous, teaching your employees how to spot phishing attempts is your best line of defense. In this article, we will discuss the most common types of phishing attempts, so you can better equip your staff with strategies for safety – knowledge is power!
Phishing: An Overview
Throughout the day, employees receive dozens if not hundreds of emails while trying to do their work. Help your team stay vigilant by providing them with essential information about phishing:
- Phishing attempts are carried out by cybercriminals who pretend to be legitimate people or organizations.
- Criminals often spoof legitimate email addresses, phone numbers, and websites to appear authentic, tricking victims into divulging their private information.
- Attackers encourage victims to provide personal information like usernames, passwords, social security numbers, banking information, and credit card numbers.
- According to Verizon, 95% of phishing attacks come through email.
- According to Symantec, 65% of phishing criminals commit “spear phishing,” meaning they target specific individuals.
Common Types of Phishing Attacks
Deceptive phishing is a very common style of phishing attack. Typically, a cybercriminal will impersonate someone or something legitimate in order to retrieve personal information, login credentials, and other sensitive data that allows them to take advantage of their victims. Usually, deceptive phishing attackers try to con recipients into logging into a fake website or making a payment to their account. Deceptive phishing attacks can be difficult to detect, but the sender’s email address, generic greetings, and poorly worded content are all hallmarks of this type of threat.
Spear phishing is similar to deceptive phishing – in these attacks, criminals try to trick individuals or companies into divulging personal information by pretending to be legitimate email senders. Unlike deceptive phishing, however, spear phishing attacks use personalized information to target individual victims. Attackers might research a victim’s online presence to better understand their shopping habits, their family members, their children’s school locations, and other concerning details that they then leverage to create a false sense of security for the victim. Recipients are much more likely to open emails that have their name, position, and contact information in the subject line, so employees must always have their guard up.
Business Email Compromise
Business email compromise phishing attacks can pose dangerous threats to a company’s security and cause significant monetary damages. Some cybercriminals gain entry into secure networks by masquerading as a company’s CEO. They use their assumed identity to contact employees who have access to funds for billing, and they convince those employees to send funds into a fake account.
Whaling, another common type of business email compromise, targets CEOs and other executives. Criminals pretend to be vendors, asking CEOs and executives to make payments, divulge proprietary information, update their login credentials, and/or open attachments that deliver malware to their devices. This allows criminals direct access to the company’s data and, in some cases, funds.
Vishing, otherwise known as “voice phishing,” encompasses phishing attempts that occur via phone. Criminals who use vishing often pretend to be legitimate organizations like the IRS, the FBI, or even the local power company, and they can easily mimic the company’s caller ID or phone number. They call their victims and request that they share personal or financial information that ultimately compromises their security. Sometimes messages are recorded, but sometimes the criminal on the other end of the phone is live – they usually try to create fear and cultivate a sense of urgency to convince victims to hand over money, information, or both.
Smishing, otherwise known as “SMS phishing,” encompasses phishing attacks that happen via text message. Usually, attackers send a text message pretending to be a legitimate organization. For example, some attackers try to convince victims that they’ve won a prize, while others may try to convince recipients that they’ve missed a package delivery. The text messages ask victims to log onto a malicious website, which either steals their information or injects malware onto their device and into their network.
While angler phishing is one of the newer styles of phishing attack, it has rapidly risen in popularity over the last few years. With angler phishing, attackers find their targets on social media. They look for users who post complaints on pages of well-known retailers, banks, and other entities with an online presence. The attacker then impersonates a customer service associate from that organization to “assist” the person with their complaint – in reality, the criminal encourages their victim to give up personal information and/or credentials.
How to Prevent Phishing
According to Proofpoint, more than 80% of organizations were victimized by a phishing attack in 2021. While spam filters and other technological aids can help prevent some phishing attacks, it is more than likely that phishing emails will find their way into your employees’ inboxes. If you handle your IT security in-house, be sure to set aside time to train your employees on how to avoid being duped by phishing attempts. Key guidance should include:
- Promptly installing updates for security software on all devices
- Creating passwords that are challenging to guess
- Not reusing passwords for different accounts
- Looking carefully at a sender’s email address
- Never sending money to new accounts without thorough validation
- Refraining from opening links/attachments in unsolicited emails and text messages
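The advice to look carefully at a sender’s email address, together with the hallmarks described earlier (spoofed senders, generic greetings, an executive’s name used to request payments), can be partly automated as a triage aid. The following is an added example, not part of the original article; the domain `example.com`, the executive name, the greeting list, and the 0.85 similarity threshold are all assumptions chosen for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; replace with your organization's own.
TRUSTED_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear sir/madam")

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def sender_flags(raw_message):
    """Return a sorted list of reasons this sender deserves a closer look."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    flags = set()
    # A domain that is nearly, but not exactly, the trusted one.
    similarity = SequenceMatcher(None, from_dom, TRUSTED_DOMAIN).ratio()
    if from_dom != TRUSTED_DOMAIN and similarity >= 0.85:
        flags.add("lookalike-domain")
    # An executive's display name attached to an outside address.
    if display_name.strip().lower() in EXECUTIVES and from_dom != TRUSTED_DOMAIN:
        flags.add("executive-name-external-address")
    # Replies would go to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        flags.add("reply-to-mismatch")
    body = msg.get_payload()
    if isinstance(body, str) and body.lstrip().lower().startswith(GENERIC_GREETINGS):
        flags.add("generic-greeting")
    return sorted(flags)

# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-payments.example.net
Subject: Urgent wire today

Dear customer, please send the payment to the new account.
"""
LEGITIMATE = """\
From: "Jane Doe" <jane.doe@example.com>
Subject: Q3 invoice

Hi Sam, the Q3 invoice is attached.
"""

if __name__ == "__main__":
    print(sender_flags(SUSPICIOUS))
    print(sender_flags(LEGITIMATE))
```

A message with no flags is not proven safe; these checks only surface the mail that most needs a human to verify the sender through a separate channel.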
Do you need help training your team or safeguarding your company’s data? If you are looking for a Managed IT Services provider to help keep your company poised to prevent successful phishing attacks and other harmful cyberthreats, contact Qnectus today.