Phishing is an online scam where cyber criminals send messages that appear legitimate to get the recipient to click a link and enter confidential information. Once a phishing link is clicked, the criminals can steal personal information, gain access to a computer network, or download malware.
Phishing is a serious cybersecurity issue; 65% of U.S. organizations experienced a successful phishing attack last year, and only 49% of U.S. workers can answer the question, “What is phishing?” correctly. (Proofpoint, 2020) Phishing is going mobile – 87% of phishing attacks on mobile devices use social media apps, games, and messaging as the attack method of choice. (Wandera, 2020)
As the awareness of phishing increases and its effectiveness decreases, hackers have developed increasingly sophisticated and personalized phishing attacks.
This guide to phishing is meant to illustrate the many ways cyber criminals attempt to access your information so that you, and your business, can remain cyber safe.
Spear Phishing is a targeted attempt to steal information from a specific person. Spear Phishing uses information specific to the target to appear legitimate, often gathered from social media or “About Us” sections of company websites.
Real World Example: An email is sent to the parent of a youth soccer team’s player from a cyber criminal posing as the coach of the soccer team. The email is personalized and advises that the soccer game had been cancelled and the recipient should view the attached file for the updated schedule.
In a Whaling phishing attempt, the unknowing target is typically a member of a business’s senior leadership team. Whaling emails use spoofed “From:” fields to trick other employees of the company into sending sensitive data.
Real World Example: An email is sent to the HR department of a large technology company that appears to come from the company CEO, asking for salary information, social security numbers, and home addresses of dozens of employees. The HR team, believing the email is legitimate, unknowingly sends the requested confidential information to the cyber criminal.
Phishing attempts that happen on the phone are known as Vishing attacks. The scam attempts to create a sense of urgency and panic, making the victim want to act quickly and without thinking. Vishing attacks use spoofed caller ID numbers to add to the believability of the scam.
Real World Example: A call appears to come from a local bank. The caller says they have noticed fraudulent activity on the potential victim’s account and need to verify account information to prevent further fraud. The criminal will ask for account numbers and passwords to “verify” the account.
Smishing uses SMS text messages to target victims.
Real World Example: A text that appears to come from a parcel delivery company contains a tracking number and a link to “choose delivery preferences.” Clicking the link takes the user to a fake Amazon site which asks for a user name and password to claim a free gift card “reward” for taking a customer satisfaction survey.
Zombie Phishing is when a hacker gains access to a legitimate email account, resurrects an old email conversation, and adds a phishing link.
Real World Example: A months-old email thread between two company employees appears in the victim’s inbox, with a message like “Message truncated, click to view entire message.” The link takes the user to a fake company webmail portal and when the user logs in, the cyber criminal has gained network access.
Evil Twin phishing uses a rogue wireless access point that looks like a legitimate one. Once an unsuspecting user connects to the Evil Twin Wi-Fi, the criminal can gather personal or business information without the user’s knowledge.
Real World Example: A victim sets up his laptop in a coffee shop and logs into the “Starbuck5” Wi-Fi, not noticing that the business name was misspelled.
Search Phishing uses legitimate keywords in search engines to offer unbelievable sales or discounts on popular products. This scam uses fake webpages as the phishing link.
Real World Example: A search for a popular portable music player returns a link to an incredible sale on the product. When the link is clicked, the victim is taken to a fake web site that asks for a credit card or bank account to create an account. A different version of this scam creates a fake warning in your web browser saying your computer has been infected with malware, with a link to download software to “fix” it, or to download an updated version of your web browser.
Social media offers cyber criminals a whole new way to exploit people with Angler Phishing, which uses social media posts with links to cloned websites that look legitimate, and malicious links in tweets and instant messaging.
Real World Example: A bank customer tweets about the bank’s lackluster service. A fake bank customer service account DMs the customer and offers immediate assistance; all the user must do is click the enclosed link, which downloads malware, or asks for personal bank account information.
While not a phishing attack per se, another way to hide phishing links is by using a link shortening tool, like Bitly or Ow.ly.
Cyber criminals also buy domains that sound or look like popular websites, hoping you click the link, not noticing the misspelling or wrong URL. One of the best examples is hackers using the domain arnazon.com, which looks very much like amazon.com because when placed together, rn looks very much like m.
The Bottom Line
Why is awareness of phishing tactics important? Phishing attacks account for more than 80% of reported cybersecurity incidents (Verizon, 2019), and attackers use phishing as an entry point for almost one-third of all cyber-attacks (IBM, 2019). Knowing the various ways cyber criminals attempt to gain access to your account logins and passwords, download malicious software to your computers and network devices, and ultimately separate you (or your business) from your hard-earned money can help keep you cyber secure, and the online world a safer place.
Phishing Tips to Keep You Safe
Think, don’t click! Slow down and really examine a suspicious email or text. Some red flags to look for:
- Bad Spelling. If there are obvious spelling mistakes or grammar errors, delete the message.
- Hover Over It! Even though a link may appear to be real, hover over it to reveal the link’s actual destination.
- Greetings! If the salutation is “valued customer” or “Hello, friend!” and not your name, chances are good it is a phishing attempt.
- Request for Information. Your bank already has your information, so there is no need for them to ask you for it.
- Threats. “Your account has been suspended” or “Payment required” are red flags.
- Attachments. Never open an attachment from someone you don’t know, or that you aren’t expecting.
- Email Address. If the email address is from an email service and not a legitimate business email address, take no action.
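The lookalike-domain trick described above (arnazon.com standing in for amazon.com), the use of link shorteners to hide a destination, and the “hover over it” tip can all be turned into an automated check that a mail gateway or a security-awareness team could run over an email body. The following script is an added example and is not code from the original guide or from Fortress Security Risk Management. It extracts every link from an HTML email, compares the visible link text against the real destination, flags shortener domains, and normalizes common look-alike character pairs (such as “rn” for “m”) before comparing the destination against a list of protected brands. The protected-brand list, the shortener list, the confusable pairs, and the sample email are all constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of brand domains we want to protect (assumption for this example).
PROTECTED_DOMAINS = {"amazon.com", "paypal.com", "microsoft.com"}
# Link-shortening services that hide a link's real destination (constructed list).
SHORTENERS = {"bit.ly", "ow.ly"}
# Character sequences that look alike in many fonts, mapped to the letter they imitate.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]
# Matches something that looks like a hostname inside visible link text.
DOMAIN_IN_TEXT = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)


def normalize_lookalike(domain):
    """Collapse look-alike sequences so 'arnazon.com' reads as 'amazon.com'."""
    d = domain.lower()
    for seq, canonical in CONFUSABLES:
        d = d.replace(seq, canonical)
    return d


def registrable(host):
    """Crude registrable-domain extraction: keep the last two labels."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_url(url):
    """Return 'known', 'lookalike', 'shortened' or 'unknown' for a link's destination."""
    reg = registrable(urlparse(url).hostname or "")
    if reg in SHORTENERS:
        return "shortened"
    if reg in PROTECTED_DOMAINS:
        return "known"
    if normalize_lookalike(reg) in PROTECTED_DOMAINS:
        return "lookalike"
    return "unknown"


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def analyze_links(html):
    """Programmatic version of 'hover over it': compare what the reader sees to where the link goes."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = registrable(urlparse(href).hostname or "")
        shown = DOMAIN_IN_TEXT.search(text)
        # A domain in the visible text that differs from the real destination is a red flag.
        mismatch = bool(shown) and registrable(shown.group(0)) != real_host
        findings.append({"href": href, "text": text,
                         "verdict": classify_url(href), "text_mismatch": mismatch})
    return findings


# Constructed sample email body illustrating the three link types.
SAMPLE_EMAIL = """
<p>Dear valued customer,</p>
<p>Your order could not be delivered. <a href="http://arnazon.com/login">Sign in to amazon.com</a>
to update your address.</p>
<p>Track your parcel: <a href="http://bit.ly/xyz123">Choose delivery preferences</a></p>
<p>Or visit <a href="https://www.amazon.com/orders">https://www.amazon.com/orders</a></p>
"""

if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL):
        print(finding)
```

The confusable list is deliberately short; a production check would use the Unicode confusables data and a real public-suffix list instead of the two-label heuristic in `registrable`, and would also resolve shortened links before classifying them.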
Fortress Security Risk Management is a global data protection company that helps organizations dramatically minimize their risk of disruption from unforeseen events like cyber-attacks. Our goal is to help every client achieve the highest degree of security and the least amount of risk their organization can afford, or what we call, SecurityCertaintySM.
Feel free to use and distribute the accompanying infographic, “Let’s Go Phishing! A Guide to Phishing Attacks” to raise awareness of phishing with your co-workers, colleagues, friends, or family.