Phishing is a social engineering attack aimed at extracting sensitive information. It can arrive over multiple channels, including text messages, emails, and even phone calls. The messages are spoofed to look as if they come from a trustworthy source, so recipients let their guard down and hand over credentials or other critical information.
Imagine this scenario. You receive an email from your insurance company notifying you about a premium reduction. It asks you to verify your personal information and asks you to click a link. When you do, you go to a website where you provide your account number. And bam, you are now the victim of a phishing scam.
Netflix users, for example, encountered a phishing attack in 2018. The message informed users that the company was having trouble accessing billing information. It asked customers to update their payment method by clicking on a link. Unfortunately, that link took users to a website hosted by cybercriminals.
Netflix isn’t alone. Phishing scams impersonate many well-known companies like Apple, PayPal, Facebook, Microsoft, Amazon, and eBay.
Brand name recognition is one of the reasons cyber-attacks using phishing are so successful. Reports show that 97% of users are unable to recognize a sophisticated phishing email. Nearly 40% of trained users even fail phishing tests.
Victims are often unable to identify a phishing attack. That results in users opening 30% of phishing emails. Another 12% of users click on the link or attachment.
Phishing Is a Major Threat
Statistics show that 91% of information security breaches start with phishing scams. Their success rate is precisely what makes them so attractive to attackers. Last year, 65% of U.S. organizations suffered a successful phishing attack. Moreover, phishing sites are prevalent. Google had registered more than 2.1 million phishing sites as of January 17, 2021.
Phishing attacks are often industry focused. For small and medium-sized companies, healthcare, education, manufacturing, construction, and business services face the highest risk.
For small businesses, the losses can be staggering. Business email compromise (BEC) can lead to losses in the $50,000 to $100,000 range. Losses are rarely less than $10,000. On a larger scale, the FBI’s Internet Crime Complaint Center (IC3) reported more than $1.7 billion in losses stemming from BEC complaints.
Types of Phishing Attacks
A new phishing site pops up every 20 seconds. Not surprisingly, cybercriminals have come up with new forms of phishing; so, its definition has to expand a bit. Some phishing attacks target mass users, for example, people with a PayPal account. Some are even more crafty and directed at a specific user.
Here is a breakdown of some of the top phishing attacks:
Spear Phishing: As the name suggests, spear phishing targets a specific individual, business, or organization. Scammers take the time to research the target so the message matches something the victim expects. Amazon customers who had recently made a purchase received an email with the subject line “Your Amazon.com order has been dispatched,” followed by an order code. The email included an attachment that, if opened, could install ransomware.
Whaling: Whaling attacks target C-suite executives within an industry or company, because an executive’s access opens the door to more valuable information than a standard employee’s does. The message might claim the company is facing a legal subpoena, a customer complaint, or some internal issue. It asks the CEO to click for more information and then to provide sensitive information about the company.
Clone Phishing: One of the more difficult scams to detect, clone phishing creates a near-identical copy of an email the victim has already received, sent from a nearly matching address with the same message. The only difference is the link or attachment: clicking the link takes the user to the attacker’s website, and opening the attachment delivers malware. The attacker may also stand up a cloned website on a spoofed domain.
Pop-up Phishing: This cyber-attack uses a pop-up ad to trick the user into installing malware on their computer or purchasing antivirus protection. The pop-up may indicate the computer is infected, and the pop-up software will fix the issue.
Vishing: Vishing starts with a phone call. The caller will indicate they are from a support company or government agency. They then try to gain access to critical data like credit card information or login credentials.
Smishing: Here the medium is a text (SMS) message. The victim is told to click a link or call a number. As in an email phishing attack, the message may claim that the victim’s bank account has been compromised and that they must contact someone immediately to resolve the issue.
How to Identify a Phishing Attack
Protect your company by training your staff on how to detect a phishing attack.
Start by examining the subject line of any email. It will often convey a sense of urgency to instill panic. For example, it might state that your account has been compromised.
Phishing emails often use a subject line featuring one of these words to help create a sense of urgency:
Next, look at the greeting. More often than not, a phishing email will not include your name. Instead, it will open with “Dear Sir” or “Dear Account Holder.” Some attackers remove the salutation altogether, making the attack even harder to identify.
Other tip-offs to review include:
Bank Requests: Financial institutions never ask for your social security number, account number, or PIN via email. As a general rule, never provide these pieces of information in response to an email request. Legitimate companies do not request sensitive information through email.
From Field: Check the actual sender address, not just the display name, and look closely at its domain. A display name can say “PayPal” while the address behind it belongs to an unrelated or lookalike domain that adds, drops, or swaps a character.
Hyperlinks: Suspicious links are a dead giveaway. Hover over a link to see where it really goes; the address shown in the link text can differ from the actual destination. If the destination looks unfamiliar or is misspelled, do not click it. Be especially wary of an email whose body is nothing but a hyperlink.
Attachments: Be particularly wary of Windows executables. Seventy-four percent of phishing emails use Windows files, followed by script files at 11%. If you are uncertain, scan the attachment using antivirus software.
Spelling: Attackers count on inattentive readers. Keep an eye out for spelling and grammar mistakes.
Footer: Check for issues with the copyright date or a location that fails to correspond with the company.
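The tip-offs above can be checked mechanically before an email ever reaches a reader. The following script is an added example, not code from the original article or from the company it describes: it parses a message with Python’s standard email library and flags urgency wording in the subject, a brand-name display name whose sender domain does not match, a generic greeting, link text that shows one domain while the href points to another, and Windows executable or script attachments. The message in build_sample() is a constructed specimen, not a real phishing email, and the urgency words, brand list, and extension list are assumptions chosen for illustration.

```python
"""Heuristic triage of an email against the tip-offs listed above.

Added example, not code from the original article. The message built in
build_sample() is a constructed specimen, not a real phishing email; the
keyword list, brand list and extension list are assumptions for illustration.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed urgency vocabulary; the article's own word list is not reproduced here.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "compromised", "verify", "action required")
GENERIC_GREETINGS = ("dear sir", "dear madam", "dear account holder", "dear customer", "dear user")
# Brands the article names as commonly impersonated.
BRANDS = {"paypal", "netflix", "amazon", "apple", "microsoft", "facebook", "ebay"}
# Windows executables and script files (assumed list).
RISKY_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                    ".vbs", ".wsf", ".ps1", ".hta")
# Link text that itself looks like a URL or hostname, so it can be compared with the href.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname, e.g. www.paypal.com -> paypal.com (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(raw):
    """Return a list of findings; an empty list means none of the tip-offs fired."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    subject = str(msg["Subject"] or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("subject: urgency wording")

    # From field: display name claims a brand, but the sender's domain is not that brand.
    name, addr = parseaddr(str(msg["From"] or ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claimed = {word.lower() for word in name.split()} & BRANDS
    if claimed and from_domain and registrable(from_domain).split(".")[0] not in claimed:
        findings.append(f"from: display name '{name}' but sender domain {from_domain}")

    # Greeting: strip tags and look at how the body opens.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    text = " ".join(re.sub(r"<[^>]+>", " ", content).split()).lower()
    if text.startswith(GENERIC_GREETINGS):
        findings.append("greeting: generic salutation")

    # Hyperlinks: what the link text shows versus where the href really goes.
    if body is not None and body.get_content_type() == "text/html":
        parser = LinkExtractor()
        parser.feed(content)
        for href, shown in parser.links:
            if not URL_LIKE.match(shown):
                continue
            real_host = urlparse(href).hostname or ""
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
            if registrable(shown_host) != registrable(real_host):
                findings.append(f"link: text shows {shown_host} but href goes to {real_host}")

    # Attachments: executables and scripts by file extension.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment: executable or script {filename}")
    return findings


def build_sample():
    """Constructed specimen (not a real message) that trips several tip-offs at once."""
    m = EmailMessage()
    m["From"] = "PayPal Billing <billing@paypal-secure-update.example>"
    m["To"] = "customer@example.org"
    m["Subject"] = "URGENT: your account has been suspended"
    m.set_content("Dear Account Holder, please verify your account immediately.")
    m.add_alternative(
        "<html><body><p>Dear Account Holder,</p><p>Please sign in at "
        '<a href="http://paypal-secure-update.example/login">https://www.paypal.com/myaccount</a> '
        "within 24 hours.</p></body></html>", subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="Invoice.exe")
    return m.as_string()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Run on the constructed specimen, triage() reports all five tip-offs; on an ordinary plain-text note from a colleague it reports nothing. The domain comparison is deliberately crude (last two labels, no public-suffix list), which is enough to catch link text that advertises one site while the href leads to another, but a production filter would use a proper suffix list and resolve shortened URLs before comparing.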
Our IT Company Can Help
We deliver award-winning cybersecurity services to SMBs in Harrisburg, Lancaster, York, Lebanon, Carlisle, Reading, and Allentown. We start with security awareness by educating your employees with cyber awareness training.
We take an aggressive approach to phishing and cyber-attacks in general that includes spam filtering, antivirus software, web filters, encryption, and more. If you are serious about working with a cybersecurity company near you, get in touch by calling 717-914-102 or using our contact us form. We can help you eliminate the worries through our managed or co-managed IT.