Phishing attacks are a type of online scam where cyber criminals impersonate legitimate organizations in an attempt to trick and manipulate the target into doing what the scammer wants.
Phishing is one of the oldest types of cyberattacks, dating back to the 1990’s, and it’s still one of the most widespread and used way to breach security. Nearly a third of all security breaches at an organizational level involved phishing, with messages and techniques becoming increasingly sophisticated.
A phishing campaign usually tries to get the victim to do one of two things:
- Hand over sensitive information
- Download malware
The goal of a cyber-attack can range from identify theft, access to banking, selling private information on the dark web, blackmail or espionage
The best way to avoid and protect yourself from an attack is awareness and education. Knowing the different types of attacks, motives and identifying key features can help yourself and employees avoid malicious emails.
There are 3 main types of phishing scams including:
Deceptive Phishing is any attack by which fraudsters impersonate a legitimate company and attempt to steal people’s personal information or login credentials. The top brands attackers commonly use are: Paypal, Microsoft, Facebook, eBay and Amazon.
Spear Phishing is when fraudsters customize their attack emails with a target’s name, position, company, work phone number or other information in an attempt to trick the recipient into taking some action being requested by a known connection.
CEO Fraud or Whaling is targeting an executive in an organization. Fraudsters attempt to isolate an executive and steal their login credentials. With these credentials they are able to perform a CEO scam. CEO scams occur when an email, seemingly addressed from a CEO or other member of senior management, is falsely created by a scammer in order to exploit the trust of employees. The imposter email seeks for the target to wire funds or share confidential information with the scammer.
How to Identify Phishing
With the number of phishing scams increasing, it’s important to be able to spot the tell-tale signs of a fraudulent email and protect your personal and business data, and your tech from malicious viruses and malware.
- Confirming Personal Information
Often you will receive emails disguised to look authentic. They might mimic the style of your current company or an outside business such as a bank or credit card company. These emails may have requests for personal information that you would not usually provide, such as banking information or login credentials. It is important you don’t click on or respond to these emails. Before responding, determine the legitimacy of the email by contacting an organization directly or searching on the internet.
- Fraudulent email and web addresses
Phishing emails often come from an address that appears to be legitimate, but at a closer glance can have some discrepancies. These emails may contain the names of genuine companies and might be made to replicate the company’s personal sites or email accounts. Brand logos and trademarks do not guarantee that an email is real. Hackers can use these images or download them from the internet to mimic an existing company. Even antivirus badges can be inserted into emails to persuade victims into thinking an email is from a legitimate source.
Phishing emails can sometimes contain poor language in the body of the message. Grammatical errors and conflictive sentence structure are common in these fraudulent emails. A legitimate company would have constructed an outbound communication professionally and checked for spelling errors and other mistakes. While poor grammar is a giveaway, not 100% of phishing emails will have sloppy grammar, so it is important to keep on your toes.
Many phishing emails tempt to instill a sense of worry into the recipient. The emails may give a scenario that depends on you entering your credentials to solve it. For example, an email may state that your account will be closed if you don’t enter your personal information and act now. If ever unsure of what an email is asking of you and why, be sure to contact the company through other methods.
If you receive an email from a seemingly random company you do not affiliate with, and the email references something unexpected, the attachment might include some malicious malware or virus. These attachments may contain a URL or trojan horse designed to compromise your system, if opened. Send these emails to your security team instead of attempting to open them yourself.
Here’s a highlighted example of a current phishing scam that focuses on COVID-19
Top 5 Things to avoid falling prey to phishing
- Be wary of subject lines and from addresses
Phishing attacks primarily disguise themselves as trusted organizations and people, preying on individuals’ loyalty and exploiting it. You should be wary of email titles and phrases such as “your account has been locked,” “update your record,” “click to learn more,” “you missed a delivery,” “confirm your account,” “suspended account,” and unwarranted refunds on taxes or purchases. Emails can also be sent from seemingly reliable individuals such as your company’s CFO or CEO. When in doubt, contact the sender or company directly through the official website or the individual in person. Do not click any of these links or attachments.
- Be wary of links
Hover over potential links in emails to verify the legitimacy before clicking on them, as this can prevent navigation to fraudulent sites or links that may contain malware. Hovering lets you see a site’s full URL, and from here you can determine if the website is secure and the correct destination before visiting.
- Anti-phishing toolbars
Some internet browsers can be fitted with anti-phishing toolbars that run checks on sites before you visit and compare them to lists of known phishing sites. This helps prevent you from navigating to fraudulent sites and decreases the risk of downloading any malicious content. Feel free to reach out to us, as we can recommend some great software toolbars for you.
- Verify a site’s security
URLs that begin with “https” and have a closed lock icon near the address bar, are secure websites. These sites allow sensitive information to be entered with little risk.
- Don’t send personal financial information via email
You should only communicate secure information such as usernames, passwords or banking information via a secure website or over the phone. Don’t fill out any forms in emails unless verified as legitimate.