In the past year, 83% of all cyberattacks in the UK were phishing attacks. If one of these leads to a data breach or ransomware attack, the result can be devastating for a business and often includes a loss of customers. The phishing methods that cybercriminals use are becoming more complex, so it is important to understand them and be able to spot them before your business falls victim to a cyberattack.
WHAT IS A PHISHING ATTACK?
A phishing attack is a form of social engineering attack, and one of the most common attack vectors in general.
An attacker sends a fraudulent email disguised to be from a trusted source, with the goal of tricking the victim into clicking a malicious link or downloading a malicious file. Some phishing attempts are sent out in bulk and can be spotted easily through poor spelling and punctuation, or because they come from an unknown email address.
However, threat actors may do significant research before crafting a phishing email to tailor it to the victim. This may include making it look like the email is from a vendor or customer, or including information highly relevant to the target in order to gain their trust, making it more likely for them to open a link or download a file. Hackers can also spoof the email address to make it seem as though the email is sent from a trusted sender.
WHAT ARE THE 5 DIFFERENT TYPES OF PHISHING ATTACKS?
1) BULK PHISHING
Bulk phishing is the most common form of phishing attack. This is where a cybercriminal sends a large number of fraudulent emails to employees and individuals. Although the emails are not tailored to the victim, they can be effective because, if enough are sent, someone will eventually open one.
Examples of bulk phishing attempts include emails relating to:
- Winning a prize
- Issues with the user’s account
- Emails stating that a password has expired and needs to be changed.
Some of these can easily be spotted due to the poor grammar, spelling and design of the email. Others, however, are nearly indistinguishable from an official email. You should always check where an email has come from and look for different spellings of the email address or of URLs in the text. If you are ever in doubt, it is always safer not to open an email.
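The check described above, comparing the sender's address and the URLs in the text against the spellings you expect, can be automated. The following Python code is an added example and not part of the original article; the trusted-domain list, the sample message, the function names and the edit-distance threshold of 2 are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the organisation genuinely deals with (constructed values).
TRUSTED = {"example.com", "example-bank.co.uk"}
SWAPS = str.maketrans("0135", "oles")  # common digit-for-letter substitutions

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a host name."""
    host = host.lower().rstrip(".")
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return "trusted"
    for i in range(host.count(".")):        # the host itself, then each parent domain
        cand = host.split(".", i)[-1]
        for t in sorted(TRUSTED):
            if cand.translate(SWAPS) == t or edit_distance(cand, t) <= 2:
                return "lookalike of " + t
    return "unknown"

def check_email(raw):
    """Classify the sender's domain and every URL host in a plain-text email."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    hosts = [sender.rpartition("@")[2]] if "@" in sender else []
    for url in re.findall(r"https?://[^\s<>]+", msg.get_payload()):
        hosts.append(urlparse(url).hostname or "")
    return {h.lower(): classify(h) for h in hosts if h}

# Constructed sample message, not a real email.
SAMPLE = """From: Example Bank <security@examp1e-bank.co.uk>
Subject: Your password has expired

Reset it here: https://login.exarnple.com/reset
Help centre: https://www.example.com/help
"""

if __name__ == "__main__":
    print(check_email(SAMPLE))
```

A domain reported as "unknown" is not necessarily safe; it only means it does not resemble any entry on the trusted list.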
2) SPEAR PHISHING
Spear phishing is an attack where the cybercriminal has researched their target and found personal information so that the attack can be tailored to them. This is typically more successful than bulk phishing because an email that contains personal information lowers the target’s guard, making them more likely to open a malicious link or file.
A spear-phishing email may include:
- The victim’s name
- The victim’s place of work
- An imitation of a supplier or third-party technical support, requiring the user to send their password for security purposes.
Spear phishing attempts can be difficult to spot. However, you should always verify suspicious requests in person if possible and never share your password with others.
3) WHALING
Whaling is a form of spear phishing where the attacker targets a company’s executives in order to steal login credentials. This can be devastating for a company, as an executive’s account often has high-level access to the network along with employee and customer data.
Threat actors may also use a spear-phishing attack to gain access to an employee’s email account, then use that account to phish the executive, as they are more likely to trust an email from an employee than from an unknown individual.
It is important for an entire company to be aware and educated about cybersecurity, especially executives, and there should be policies and software in place to avoid high-level employees being phished.
4) VISHING
Vishing, also known as voice phishing, refers to attacks performed over the phone or VoIP. These are often messages imitating a bank or technical support and asking for account information for security purposes.
These can be detected as fraudulent because a company will never ask for personal information over the phone. Another way to detect a fraudulent call is to check that the number is listed on the official company website and is not a known scam phone number.
5) SMISHING
Smishing, or SMS phishing, refers to attacks that use phone text messaging to mislead or deceive a victim. These can be particularly effective because text messages are more likely to be read and responded to than emails. It is important to apply the same level of scrutiny to phone calls and text messages that you would to an email, as they are just as dangerous an attack vector.
WHAT CAN YOU DO?
Phishing has been a common cyber threat for a long time, and it is unlikely to stop anytime soon, especially as cybercriminals are constantly changing their methods to be more complex and difficult to identify.
It is important that all employees are aware of phishing methods to avoid becoming the victim of an attack. However, it only takes one employee opening a malicious link or file to cause a company-wide data breach. It is in a company’s best interest to have software that uses AI to block phishing attacks before they even land in your inbox.
We offer protection from phishing attacks along with a suite of email protection tools that will ensure that your company’s data stays secure, and you do not lose customers due to a cyberattack.
If you want to find out more on how to protect your business, contact us today.