In 2019, the Internet Crime Complaint Center (IC3) recorded 23,775 complaints about business-related email scams and attacks, which resulted in more than $1.7 billion in losses. And with the disruptions in business operations and a drastic increase in remote work due to COVID-19, cyberattacks have only continued their rapid rise; Google alone found an average of 46,000 new phishing websites every week in 2020.
At the same time, phishing represents the highest return on investment of all cybercrimes and continues to grow in use. So what are the different types of phishing attacks, and how can you give your employees the tools and skills they need to keep themselves and your data safe?
What Is Phishing?
Phishing takes many forms, but at its core it is the fraudulent practice of using email, text messages, and voice calls that purport to come from a reputable source in order to induce unsuspecting individuals to reveal personal information or take an action that compromises the confidentiality, integrity, or availability of data or systems.
More specifically, phishing attacks can include:
- Mass-market: The most common method, involving mass messages that usually rely on domain name spoofing or on existing trust in a source such as a prominent organization
- Spear: A phishing attack on a particular victim or organization that uses more precise language or techniques tailored to this smaller audience
- Whaling: A spear phishing attack targeted at a senior executive, administrator, or other important figure because of their access to high-value information or resources
- Email compromise: A blend of mass-market and spear phishing that involves an attacker compromising a real email account and using this access to create and intercept messages, taking advantage of the trusted relationship
- Clone: An attacker creates a replica of a legitimate message, complete with a similar domain name source, body, signature, and attachments or links
- Vishing (voice phishing): A recorded voice call or voicemail purporting to come from a trusted source and asking the victim to provide additional information
- Smishing: A combination of “phishing” and “SMS,” or text messaging, that uses text messaging services to send misleading messages in an attempt to trick victims into believing the source is a trusted organization or person
What Is Pharming?
A combination of “phishing” and “farming,” pharming is a more advanced form of social engineering attack in which a threat actor attempts to lure a victim to a website that looks legitimate. This can even go as far as a cybercriminal replicating a real, existing site in an attempt to trick users into providing sensitive information.
The approach flips the direction of the attack: instead of a message arriving unsolicited, the victim navigates to the site themselves and is therefore more inclined to trust it. In more advanced forms, a user’s traffic is intercepted and rerouted to a different, malicious website.
How Can Users Protect Themselves?
At least 30 percent of phishing emails bypass existing network perimeter security technologies, such as secure email gateways, making employees your last line of defense standing between you and a cybercriminal.
There are many ways a cybercriminal can attempt to exploit users through phishing and pharming attacks, but there are also a number of tools and techniques people can use to protect themselves. Key prevention methods include:
Provide Employee Awareness Training
Because phishing attacks are constantly evolving, one of the most effective ways to blunt their success rate is to familiarize yourself and your staff with the common signs of a fraudulent message. Typically, these include messages with:
- Offers that are too good to be true
- Direct requests for sensitive information
- Generic greetings
- Requests for immediate attention, particularly from your business executives
- Unknown or unusual senders
- Suspicious attachments
- Messages that indicate urgency (e.g., “click here or your account will be disabled in 24 hours”)
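As an added illustration (not code from the original post), the following Python screener checks a raw email against the warning signs listed above and the domain name spoofing mentioned under mass-market phishing; the trusted domain, the indicator phrase lists and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed inputs (not from the original post): one trusted domain, indicator lists, and the constructed SAMPLE below.
TRUSTED_DOMAINS = {"example.com"}
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be disabled", "act now")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".vbs", ".iso", ".zip")

def edit_distance(a, b):  # Levenshtein distance, to catch look-alike domains such as examp1e.com
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_message(raw):
    """Return (score, reasons): one reason per warning sign found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    reasons = []
    addr = parseaddr(msg.get("From", ""))[1]
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain and domain not in TRUSTED_DOMAINS:
        near = any(edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS)
        reasons.append(("look-alike" if near else "unknown") + f" sender domain {domain}")
    text = ""
    for part in msg.walk():  # a non-multipart message yields itself once
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"suspicious attachment {name}")
        elif part.get_content_type() == "text/plain":
            text += part.get_payload(decode=True).decode(errors="replace").lower()
    if text.lstrip().startswith(GENERIC_GREETINGS):
        reasons.append("generic greeting")
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    if re.search(r"\b(password|ssn|social security|credit card)\b", text):
        reasons.append("direct request for sensitive information")
    return len(reasons), reasons

# Constructed sample (not a real phish) that exercises several of the listed signs at once.
SAMPLE = """\
From: "Example IT Support" <helpdesk@examp1e.com>

Dear user,
Your password will expire. Click here immediately or your account will be disabled within 24 hours.
"""
```

Running `score_message(SAMPLE)` returns a score of 4 with the look-alike domain, generic greeting, urgency language and password request as reasons; a plain internal note from the trusted domain scores 0.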
Awareness training should also cover what to do when someone encounters a suspicious message, so that authorities can continue to fight back against these campaigns. At a minimum, users should flag the message as spam in their email application and notify either their corporate email administrator or the FTC via the ReportFraud.ftc.gov website.
Update and Patch Your Software
Phishing and pharming attempts usually involve links, attachments, or downloads that exploit vulnerabilities in your operating system, email client, browser, or other applications on your computer.
Keeping your operating system, browsers, and other critical software updated to the latest version reduces the attack surface these exploits rely on, so that even if you do interact with a malicious message, it is less likely to succeed.
Take the Next Step
Fighting back against constantly evolving cyberattacks can be difficult, especially for organizations that lack staff dedicated to cybersecurity. Therefore, do not feel like you and your organization have to go it alone.
Let Axians help your organization reduce the likelihood of becoming a victim by transforming your employees from potential cybersecurity casualties to cybersecurity advocates. If your organization needs help designing and implementing a holistic approach to your cybersecurity, assessing your current posture, and getting help from experts with the experience to help keep your data, organization, and team safe, the team at Axians would love to speak with you.
Until we connect, we invite you to download our free resource, The Ultimate Guide to Performing a Cybersecurity Risk Assessment on Your Business, to get started on enhancing your organization’s security posture.