Phishing is the most common cybersecurity threat businesses face. According to the FBI, phishing attempts more than doubled from 2019 to 2020, from 114,702 reported incidents to 241,324.
The trend over the last half a decade shows that phishing is not going away. In fact, it’s only becoming more common. Compared to 2016, phishing was 11 times more common in 2020.
If you want to keep your business safe, education and enablement are key for defense. Phishing success relies on deception, but employees can be trained to spot suspicious activity. To start, they need to understand what phishing is and the strategies that “phishers” use.
What is phishing?
Phishing is a form of fraud. The fraudster will pretend to be a member of the target organization, or they’ll pretend to be a reputable person or organization known to your employees. They will impersonate influential people via SMS or email to try to gain trust and access to important information.
There are two main ways “phishers” attack their victims.
First, they will try to trick their victims into giving them the information they want. They normally seek sensitive information they can use to access financial accounts. Alternatively, they may send malware or malicious attachments for your employees to open. Either way, the pattern is:
- Target the individual or group
- Set the bait, normally in the form of fake, official-looking messages or documents
- Hook the target with malware or follow-up communication
- Use malware or newly-established trust to attack the network and access important information
What are the different types of phishing attacks?
The process is similar for all types of phishing attacks, but cyber criminals use several different avenues to conduct their attacks.
Email phishing is one of the oldest and simplest methods. The criminal simply sends out emails to their targets, trying to convince them to perform an action. That action can be to either divulge information directly or to download malware.
This simple strategy is normally employed en masse. Standard email phishing involves sending the same email to many different recipients on the assumption that a few of them will take the bait.
Spear phishing is a newer and more refined form of phishing. The “spear phisher” targets a specific individual or small group within an organization. The targeted individuals or groups are generally decision-makers that the criminals know have access to more sensitive information.
The targeting used by spear phishers is normally based on job titles and on the access granted to employees because of their title or department.
To get this information, the criminal needs to be more thoughtful than a normal email phisher. They need to gain a better understanding of an organization and gather information on its systems and employees, often making use of publicised information such as news, as well as any insider information or leaked documents.
Whaling, as the name suggests, means going for the biggest fish.
Whaling is a form of spear phishing where criminals exclusively target high-value individuals. They often go after senior executives, board members, and other top-level employees.
Methods commonly used by phishing attacks
After the phisher has chosen their target, they then need to choose their attack method. They generally employ one of several methods.
Spoofing refers to the act of pretending to be someone in a position of authority.
The attacker will normally impersonate a senior figure at an organization and use their authority to access information. They will normally perform background research, such as starting with lower-level phishing actions, to gain the intelligence they need to accurately impersonate their target. In some cases, the attacker will have insider information, obtained either by being an employee or working alongside one.
The difference between spoofing and other forms of phishing is that a spoofing attempt is ongoing. The attacker will continuously send messages impersonating the authority figure.
Some phishing attacks involve sending employees an email containing a malicious URL. The email itself will normally appear quite innocent, perhaps as a routine update. The link might be presented as leading to a Microsoft Office document, and that document will be made to appear legitimate.
The problem is that the download the URL points to carries a trojan inserted by the attacker, which can compromise the information on the recipient’s system.
Sometimes, the attacker will send an attachment with an official-looking email. However, the documents they attach can contain macros that run scripts which install malware.
Tax form requests
This is a very common attack method during tax season. The phisher will pretend to be from the company’s HR department. That way, they can send a harmless-looking email asking employees to send their tax forms. The phisher can then use all the sensitive information they’ve stolen, including employee social security numbers, to commit tax fraud.
Steps that can be taken to prevent phishing attacks
All of these types of phishing attacks and their methods lead to the same list of negative potential consequences:
- Loss of important data
- Fines for not protecting customer data
- Reputational damage
- Severe interruption to business
There are a few things you can do to train your employees to minimize these risks. It would take a thorough training course to make your staff highly proficient at threat detection. However, there are a few simple steps you can start with.
1. Block file type attachments
Some file types are much riskier than others. If your business does not regularly send certain file types, it can be beneficial to block attachments containing them, particularly high-risk file types such as:
These compacted file types can be used to conceal elaborate malware.
2. Provide a simple method for flagging suspicious emails
One simple process you can implement is to create a procedure for detecting and flagging any suspicious emails. By having your employees send any suspicious-looking emails to a professional, you have a streamlined security process for proactively identifying and blocking threats before they affect your business.
3. Treat links in work emails with caution
Sending links by email can be a useful way to share resources. However, links included in emails should always be treated with caution, especially when included in an email from an unknown sender.
Instruct your staff to only share necessary, work-related URLs. Tell them to treat any links that aren’t work-related, from unknown senders, or that otherwise appear suspicious, with caution. This reduces the possibility of falling victim to one of the most common phishing attack methods.
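Steps 1 and 3 above can be partly automated at the mail gateway or in a triage script. The following is an added example, not code from the article or from any product it mentions: it parses a raw email, reports attachments whose file type is on a block list, and reports links whose visible text names a different domain than the address the link actually points to. The block list, the helper names and the sample message are all constructed for this example and are assumptions, not a recommendation from the original text.

```python
"""Mail triage checks for two of the defensive steps above: flag attachments
whose file type is on a block list, and flag links whose visible text names a
different domain than the real href.  The block list, function names and the
sample message are constructed for this example (assumptions, not from the
article)."""
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed block list: archive and executable types a business rarely needs to
# receive by email.  Tune it to what your organisation actually sends.
BLOCKED_EXTENSIONS = {".zip", ".7z", ".rar", ".exe", ".js", ".iso"}


def registrable_domain(host: str) -> str:
    """Reduce a host to its last two labels, e.g. mail.example.com -> example.com."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def risky_attachments(msg: Message, blocked=BLOCKED_EXTENSIONS) -> list[str]:
    """Return filenames of attachments whose extension is on the block list."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in blocked:
            found.append(name)
    return found


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


# A hostname-looking token inside the visible link text, e.g. "intranet.example.com".
_HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def suspicious_links(html: str) -> list[tuple[str, str]]:
    """Return links whose anchor text shows a domain that differs from the href host."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for text, href in collector.links:
        actual_host = urlparse(href).hostname or ""
        shown = _HOST_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(actual_host):
            flagged.append((text, href))
    return flagged


def triage(raw_message: str) -> dict:
    """Parse a raw RFC 822 message and report what a reviewer should look at."""
    msg = message_from_string(raw_message)
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html += part.get_payload(decode=True).decode(charset, "replace")
    return {
        "from": msg.get("From", ""),
        "blocked_attachments": risky_attachments(msg),
        "mismatched_links": suspicious_links(html),
    }


# Constructed sample message: looks like a routine policy update, but the link
# text names the intranet while the href goes to a different domain, and an
# archive is attached.  The base64 body is a tiny placeholder, not real content.
SAMPLE = """From: "IT Support" <support@example.com>
To: staff@example.com
Subject: Updated expense policy
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review the new policy: <a href="http://login-portal.example.net/doc">https://intranet.example.com/policy.docx</a></p>
--b1
Content-Type: application/zip; name="policy.zip"
Content-Disposition: attachment; filename="policy.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The link check deliberately compares only the registrable domain, so a legitimate link whose text says `example.com` and whose href goes to `mail.example.com` is not flagged; links whose text carries no domain at all ("click here") are left to the human reviewer, which is the caution step 3 asks staff to apply.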
Take action now
You can start implementing these security measures, and many more, right now. You can’t be too careful with anti-phishing measures. It’s too common a cybersecurity threat to ignore. The best way to avoid phishing attacks is to prepare your employees with the tools and knowledge they need to avoid security threats in the first place.
If you’re unsure of which next steps to take, you can consult with our cybersecurity professionals to learn which actions are required to safeguard your business against this growing threat.