Introduction to Phishing Attacks
Phishing attacks are some of the most common cyberattacks in existence. Almost a third of data breaches involved phishing in 2019, and 88% of organizations experienced a phishing attack that year.
Cybercriminals use phishing because it is a versatile and easy attack method. Phishing messages can carry malware, trick users into revealing their login credentials, or convince the recipient to take other damaging actions, such as sending money to an attacker. Understanding the scope of the phishing threat and best practices for protecting against phishing can dramatically reduce vulnerability to cyberattacks.
Types of Phishing Attacks
Phishing attacks come in a variety of different forms. While most people focus on email when they think about phishing, it is far from the only medium used by phishers. In addition to email, phishing can come in the form of text messages (SMS), over the phone, via business communications platforms, and on social media.
Email-Based Phishing Attacks
Email is the most commonly used medium for phishing attacks. Everyone has probably gotten at least one phishing email in their life, and many get at least one a day. If you take a look at your spam folder, there is probably at least one example.
Within the category of email-based phishing attacks, there are a few different types. General phishing attacks take a “quantity over quality” approach. These emails are sent to a large number of people with a pretext that is widely applicable (such as pretending to be from a bank or a major brand like Amazon or Apple). This generalized approach means that these emails are often easier to spot, but the sheer number of emails sent means that even a low success rate results in a large number of successful attacks.
However, not all phishing emails take this approach. Spear phishing emails are designed to appeal to a particular person or a small group of people. These emails are much more personalized and look more realistic, improving their probability of success. A common type of spear phishing attack is called whaling or business email compromise (BEC).
Whaling/Business Email Compromise (BEC)
Whaling and BEC attacks take advantage of power structures within an organization. If the CEO – or another high-ranking executive or manager – instructs someone to do something, it is likely that they will comply without question.
BEC emails are designed to appear to come from someone high up in the recipient’s organization. It’s possible to spoof the display name in an email, and BEC attackers can use lookalike domains to make their email addresses seem legitimate (such as cornpany.com instead of company.com). These emails are commonly designed to convince an employee to send money to an account controlled by the cybercriminal.
SMS-Based Phishing (Smishing)
Traditionally, phishing attacks have primarily come via email. However, as people increasingly use their phones as their primary means of connecting to the Internet, phishers have followed this trend.
The use of SMS messages for texting provides a number of advantages to a phisher. One is that people check their messages often and are not used to thinking of a text as a potential phish. A text message containing a malicious link is more likely to pass through the recipient’s mental filters and get clicked on.
SMS-based phishing (or smishing) also takes advantage of the features of smartphones and texting. Since text messages are designed to have a limited length, the use of link shortening services does not look suspicious, making it easier for an attacker to conceal a malicious URL. Additionally, the practice of hovering over a link before clicking to check its validity – a common technique taught in cybersecurity awareness training – isn’t possible on a smartphone. These features make smishing easier and potentially more successful than its email-based counterpart.
Phone-Based Phishing (Vishing)
You’ve probably experienced many phone-based phishing attacks whether you realize it or not. Telemarketing scams designed to get you to hand over your credit card information or other personal data are classic examples of phone-based phishing attacks.
Voice phishing or vishing is an increasingly common and dangerous attack vector. With the advent of deep fake technology, it is possible for a cybercriminal to use artificial intelligence (AI) to generate a perfect replica of a person’s voice. This technique has already been successfully used to defraud a company of $243,000 by impersonating a CEO’s voice to convince a subordinate to perform a bank transfer.
Phishing Over Corporate Communications Platforms
With the COVID-19 pandemic, people are increasingly using and trusting online business collaboration platforms like Slack, Zoom, Google Drive, etc. While these are useful tools for conducting business remotely, they are also a potential vector for phishing attacks.
As with email, these platforms can be used to send links and documents. The belief that these platforms are trusted and only accessible internally to the organization leads people to trust anything that they receive there. As a result, a cybercriminal can abuse a single set of stolen login credentials to dramatically expand their access to the corporate network and systems.
Phishing On Social Media
The rise of social media has created an “always on” culture. Most people are constantly connected to their social media accounts and check their messages on these platforms without thinking twice.
The use of social media on corporate devices opens up the organization to additional phishing risks. Accounts on these platforms are likely less secure than corporate accounts (weaker passwords, no content scanning, etc.), yet they can also be used to carry malicious links and attachments.
Protecting Against Phishing Attacks
The threat of phishing is everywhere. Any platform that can be used to send messages and/or documents can potentially be abused by a cybercriminal as part of a phishing campaign.
Phishing attacks are designed to trick users into taking actions that are not in their best interests; however, they can often be detected and defeated by following anti-phishing best practices such as:
- Verify Message Sender: If a message asks you to take a potentially damaging action (clicking a link, entering credentials, sending money, etc.), verify that the message comes from its alleged sender.
- Check Links: Before clicking a link, verify that it goes to where it claims by hovering over it and checking the destination URL. Better yet, don’t click on links in emails and browse to the target site directly in your browser.
- Be Cautious of Attachments: Attached files can carry all sorts of malicious content. Never open a file that you’re not expecting or haven’t verified out-of-band (e.g., by calling the sender).
- Don’t Enter Credentials: Phishing messages commonly try to trick people into entering their credentials into a fake, attacker-controlled website. Never click on a link and enter credentials, and consider using a password manager (which won’t fall for fake and lookalike sites).
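The lookalike-domain trick from the BEC section (cornpany.com standing in for company.com), the shortened links that hide a destination, and the “check links” and “verify sender” advice above can all be turned into a simple automated screen. The following Python script is an added example written for this article, not code from the original page; it parses a constructed HTML email body, flags links whose visible text disagrees with their real destination, flags known URL shorteners, and normalizes common confusable characters (rn for m, vv for w, 0 for o, 1 for l) so that a lookalike domain is caught when compared against an assumed allow-list of the organization’s own domains. The `TRUSTED_DOMAINS` set, the `KNOWN_SHORTENERS` set, and the sample email are all assumptions made up for the example.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not a real message). The first link's visible
# text disagrees with its href and uses a lookalike domain; the second is a
# shortened URL; the third is a legitimate internal link.
SAMPLE_EMAIL_HTML = """
<p>Your invoice is ready. Please review it at
<a href="https://cornpany.com/login">https://company.com/login</a>.</p>
<p>Or use our <a href="https://bit.ly/3xyzABC">short link</a>.</p>
<p>Docs: <a href="https://company.com/docs">https://company.com/docs</a></p>
"""

# Hypothetical allow-list of domains the recipient's organization really uses.
TRUSTED_DOMAINS = {"company.com"}

# Hypothetical list of URL-shortening services (the article notes shorteners hide the real URL).
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

# Character pairs that look alike in many fonts; order matters only for comparison.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def normalize_host(host):
    """Decode punycode labels and collapse confusable characters so that
    'cornpany.com' and 'company.com' compare equal."""
    try:
        host = host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        pass  # already Unicode or not valid punycode; compare as-is
    host = host.lower()
    for lookalike, real in CONFUSABLES:
        host = host.replace(lookalike, real)
    return host


def registrable_domain(host):
    """Last two labels of the host: a rough stand-in for the registrable domain
    (production code should consult the public suffix list instead)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_lookalike(domain):
    """True when the domain is not trusted but normalizes to a trusted one."""
    if domain in TRUSTED_DOMAINS:
        return False
    return normalize_host(domain) in {normalize_host(d) for d in TRUSTED_DOMAINS}


def assess_link(href, text):
    """Return a list of warning strings for one link; an empty list means no red flags."""
    warnings = []
    host = (urlparse(href).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in KNOWN_SHORTENERS:
        warnings.append("shortened URL hides the real destination")
    # Visible text that looks like a URL but points somewhere else (what hovering would reveal).
    if re.match(r"https?://", text):
        shown_host = (urlparse(text).hostname or "").lower()
        if shown_host != host:
            warnings.append(f"display text says {shown_host} but link goes to {host}")
    if is_lookalike(domain):
        warnings.append(f"{domain} is a lookalike of a trusted domain")
    return warnings


def assess_sender(from_header):
    """Flag a From header whose address domain is a lookalike of, or foreign to,
    the organization's own domains; the display name is ignored because it is
    trivially spoofable, as the BEC section explains."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return []
    if is_lookalike(domain):
        return [f"sender domain {domain} is a lookalike of a trusted domain"]
    return [f"sender '{name}' is outside the organization ({domain})"]


def scan_email(html):
    """Map every href in the body to its list of warnings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: assess_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, issues in scan_email(SAMPLE_EMAIL_HTML).items():
        print(href, "->", issues or "ok")
    print(assess_sender('"Jane Doe (CEO)" <jane.doe@cornpany.com>'))
```

The confusable table is deliberately short; a real mail gateway would use the Unicode confusables data and the public suffix list, but the structure is the same: decode, normalize, then compare against what the organization actually owns rather than against what the message claims.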
Phishing attacks are a favorite attack vector of cybercriminals because they are easy to perform and often successful. Taking a few extra seconds to verify a message before trusting it can save you and your organization from an expensive cyberattack.