Although scammers have been around for far longer than the internet, the advent of cyberspace has presented crafty criminals with a unique set of opportunities to take advantage of technology users. These attempts to trick users into giving cybercriminals what they want are called phishing attacks, and they’re on the rise.
Phishing attacks are a type of social engineering attack and come in many forms, which we’ll examine more thoroughly later in this article. Generally, a phishing attack involves a fraudster pretending to be someone they’re not and making a request for information from their target.
Most people are familiar with phishing attacks — phony emails, scam phone calls, or desperate Facebook messages asking for money have become somewhat expected and accepted these days. However, phishing attacks are getting more sophisticated, and are targeting enterprises with far more to lose than the average individual.
While a phishing attack targeting an individual to steal personal sensitive information like credit card numbers or bank account information can be devastating for the victim, a phishing attack that targets a large organization has the potential to affect hundreds — if not thousands — of people, from employees to customers.
Cybercriminals who want to gain access to your organization’s systems to execute a cyberattack know that your employees are probably the weakest link in your security defense system. And phishing attacks are a relatively easy way for them to bypass other security measures you might have in place.
Phishing attacks also have an extremely low barrier to entry. It takes little to no money to execute a phishing attack and send it to millions of users. Even if just one person falls victim to the scam, the return on the hacker’s initial investment will be huge.
Recent research confirms that phishing attacks play a dominant role in the digital threat landscape. Verizon’s 2020 Data Breach Investigations Report shows that phishing was the second largest cybersecurity threat involved in security incidents, and the largest cyber threat involved in data breaches. In fact, more than 22 percent of data breaches involved phishing in some way.
A report from Google reveals a similar trend. According to their research, phishing websites grew from 149,195 in January of 2020 to 522,495 — a 350 percent increase in just two months. This rise in phishing attacks poses a significant threat to all organizations, and the best way to avoid phishing attempts is by being able to recognize them before you become a victim of a successful attack.
From stealing sensitive information to interrupting operations, successful phishing attacks can give cybercriminals exactly what they need to do damage to your business. And although technology has evolved to meet the rapidly growing threat with a variety of tools that are designed to catch and stop phishing attacks before they reach you, threat actors are always working to find new ways to infiltrate your systems.
Time and time again, phishing has proven to be the cheapest, easiest, and most effective way to do exactly that. For these reasons, it’s likely that phishing isn’t going anywhere any time soon.
If you want to keep your sensitive information safe, it’s important that your organization and its employees know how to spot some of the most common types of phishing attacks so you can prevent them.
Common Types of Phishing Attacks
There are a number of ways that cybercriminals can execute a phishing attack. Which vector they choose, the tactics they use, and the end goal for the attack will vary, depending on the context. However, there are some general red flags you should be aware of when trying to identify a phishing attack.
For each of the different types of phishing attacks we include, we’ll also provide suggestions for identifying these attacks as well as some things you can do to prevent them.
Email Phishing Attacks
Email phishing attacks are the most common type of phishing attack. Typically, this method of attack involves a cybercriminal impersonating a legitimate identity or organization and then sending a mass email to as many email addresses as they can get hold of.
Sometimes, an email phishing attack can originate from a legitimate email account. When someone’s login credentials become compromised, it’s possible for a threat actor to use their email account to execute a phishing attack on another employee or acquaintance. Other times, an email phishing attack will look like it came from a legitimate source upon first glance, but is actually from a fraudulent account.
For example, you might receive an email that looks like it came from a company like PayPal. This email might instruct you to click on a link to rectify a discrepancy with your account. When you click on the link, it may take you to a spoofed page, or a fake website, that looks exactly like the PayPal homepage where you enter your login credentials.
Some phishing emails skip the link altogether and ask you to download an attachment straight from the email itself. This attachment could contain malware like ransomware or a virus that could infect your computer and spread to your entire system. As a rule, you should avoid downloading email attachments unless you are 100 percent certain that it came from a verified sender.
Although you might assume that the success of an email phishing attack hinges on how closely the attack email resembles a piece of official correspondence, some hackers intentionally create emails that seem fake to filter out any recipients who are too smart to be tricked. This method weeds out the targets who are less likely to fall victim to a scam, making it easier for threat actors to focus their efforts on those who are more gullible.
How to Spot Email Phishing Attacks
If your first instinct is that an email is fake or attempting a scam — you’re probably right. The first step to identifying an email phishing attack is to check the legitimacy of the email address itself.
You should also try to verify the claims within the email directly with the source. For instance, going directly to the PayPal homepage in your browser as opposed to clicking on the link in the email.
Once you’re there, you should always make sure that the site you’re visiting is secured with a digital certificate. If a site has a padlock icon next to the site name, that means that any information sent between your browser and the website is sent securely, and can’t be intercepted and read by someone else while the information is in transit.
Another easy way to tell if an email is part of a phishing scam is to examine the content. Most of the time, email phishing attacks will use threats or a sense of urgency to scare users into doing what they want. Phishing emails often contain generic salutations, grammar mistakes, and spelling errors scattered throughout.
You should always closely examine brand logos, as well. While some email filters can spot stolen logos via HTML attributes, malicious actors will often alter the HTML attribute of the logo so it goes undetected. The most popular way to do this is by slightly changing the color of the logo.
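The checks above (look at the sender address, look for urgency and generic salutations) can be turned into a simple triage routine that runs over a raw message before anyone clicks anything. The script below is an added example, not code from the original article or from any vendor named in it; the sample messages, the brand list and the urgency phrases are constructed for illustration, and the lookalike test uses a plain edit-distance threshold that a real filter would tune.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data (assumption: a real deployment would load a
# much larger brand list and phrase list from configuration).
KNOWN_BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com"}
URGENCY_TERMS = ("immediately", "within 24 hours", "suspended",
                 "verify your account", "urgent")
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear account holder")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def triage(raw_message: str) -> list:
    """Return a list of (finding_code, detail) tuples for one RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(address)
    findings = []

    for brand, official in KNOWN_BRANDS.items():
        is_official = sender_domain == official or sender_domain.endswith("." + official)
        # Brand name in the display name or domain, but mail not from the real domain.
        if not is_official and (brand in display_name.lower() or brand in sender_domain):
            findings.append(("brand_impersonation",
                             f"'{brand}' claimed but sender domain is {sender_domain}"))
        # Domain one or two edits away from the real one (e.g. a swapped letter).
        if not is_official and 0 < edit_distance(sender_domain, official) <= 2:
            findings.append(("lookalike_domain",
                             f"{sender_domain} resembles {official}"))

    # Replies silently routed to a different domain than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(("reply_to_mismatch",
                         f"Reply-To {domain_of(reply_to)} differs from {sender_domain}"))

    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    if any(re.match(r"\s*" + re.escape(s), text) for s in GENERIC_SALUTATIONS) \
            or any(msg.get_payload().lower().lstrip().startswith(s) for s in GENERIC_SALUTATIONS):
        findings.append(("generic_salutation", "message does not address the recipient by name"))
    return findings


# Constructed sample messages; the domains below are not real senders.
PHISHING_SAMPLE = """From: PayPal Support <service@paypai.com>
Reply-To: collect@mailbox-xyz.invalid
To: victim@example.com
Subject: Your account will be suspended

Dear Customer,
We detected a discrepancy with your account. Verify your account immediately
or it will be suspended within 24 hours.
"""

LEGITIMATE_SAMPLE = """From: Alice Example <alice@example.com>
To: bob@example.com
Subject: Lunch tomorrow?

Hi Bob,
Are you free for lunch tomorrow?
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(label, triage(sample))
```

Each finding on its own is only a hint (a legitimate mailing service will sometimes set a different Reply-To), so a mail gateway would score the findings together rather than block on any single one; the value of the routine is that it makes the checks the article lists mechanical and repeatable.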
How to Prevent Email Phishing Attacks
These days, there are tools available to help individuals and organizations stop phishing emails before they even reach your inbox. Some of these tools are already built into your email platform and may even be overzealous. For instance, if you've ever found an important email in your junk folder, it was probably sent there because it looked like spam.
However, even with tools in place to stop phishing emails, it’s likely that some will still get through to you or your employees. The best way to prevent your employees from opening phishing emails is to provide security awareness training. Training your employees to spot and delete phishing emails is the most effective way to stop email phishing attacks from taking place.
Spear Phishing Attacks
Although this form of phishing attack also uses email, it’s different from most email phishing attacks in that it’s a targeted attack on a specific person as opposed to a large number of random recipients.
To execute a spear phishing attack, cybercriminals will typically already have information about their target, including their name, place of employment, job title, email address, and specific information about their job role. This means that the threat actor has probably carefully selected and then spied on their victim before executing the attack.
Spear phishing emails are often more personalized in order to trick the victim into thinking they’re from a reputable sender. These types of attacks are usually executed to gain access to a specific person’s login credentials because they have access to sensitive information.
For example, an employee at your company might receive an email that looks like it came from another employee. Maybe this email contains an attachment that appears to be an internal financial report that leads the user to a fake Microsoft Office 365 login page. The fake login page might even have the user's username already pre-entered on the page, further adding to its disguise. Once the user enters their password, the hacker has successfully stolen their credentials and can use them to log in to the real Microsoft Office 365 and access all of the data that user has permission to see.
These types of emails are often less obvious, and require even further scrutiny and inspection than typical email phishing attacks.
How to Spot Spear Phishing Attacks
Most of the advice we gave to spot an email phishing attack rings true for this type of attack as well. Always go directly to the website or software as opposed to downloading attachments or clicking on links. In this case, if you know the supposed sender, you might try giving them a call before you do anything drastic, especially if the request involves something to do with finances.
How to Prevent Spear Phishing Attacks
Again, we recommend following the same directions we provided to prevent email phishing attacks — employ tools that are designed to help filter out phony emails before they reach your inbox and make sure that all of your employees receive regular security awareness training so they can identify phishing attacks before they become a victim.
You should also always practice the principle of least privilege so that your employees only have access to the information they need in order to carry out their specific duties. Similarly, require employees to regularly change and use only strong passwords, and make sure they aren’t repeating passwords for multiple accounts.
Whaling Attacks
As the name suggests, this type of phishing attack is targeted at the “big fish” of your company — senior executives, board members, or even celebrities who might have access to more sensitive data than lower-level employees. Whaling attacks are often executed via email as well, and they often manufacture a high-pressure situation to hook their victims.
Although whaling attacks have the same end goal as any other type of phishing attack, the techniques threat actors use tend to be a lot more subtle. In these attacks, fake links and malicious URLs aren’t typically as useful, as criminals are often imitating senior staff.
One increasingly common variety of whaling attack involves bogus tax returns, as tax forms are highly valued by cybercriminals because they contain a host of useful information about their victims: names, addresses, Social Security numbers and bank account information.
How to Spot Whaling Attacks
Whaling attacks are difficult to spot because they often appear the most legitimate. When successful, whaling attacks usually yield the highest return for cybercriminals, as their victims have the most access to the most sensitive information within your company.
Again, make sure you verify the sender before taking any action that could result in a breach. Check the legitimacy of the sender’s email address closely, and try reaching out to them directly if you have any question at all about the action they’ve requested of you.
How to Prevent Whaling Attacks
Include your executives in security awareness training so they are better equipped to spot whaling attacks. After all, the culture of security begins at the top, and if your executives understand the importance of practicing secure email habits, then your employees will follow suit.
Fortunately, whaling attacks are far less common than the standard run-of-the-mill phishing attacks. However, your executives should be prepared to identify these types of attacks even if they never experience one.
Clone Phishing
A clone phishing attack takes place when a cybercriminal creates a malicious replica of a recent message you’ve already received and then re-sends it from a seemingly credible source. Most of the time, victims of clone phishing attacks will first receive a legitimate email from a company and then receive what appears to be the same message shortly after.
In the cloned email, the links or attachments from the original email will be replaced with malicious ones and are accompanied by the excuse of re-sending the message due to issues with the links or attachments in the previous email.
How to Spot Clone Phishing Attacks
If you receive two identical emails from what appears to be the same sender back to back, it’s probably a clone phishing attack. Closely examine the two emails next to each other to try to determine which one is legitimate, but avoid clicking any links or downloading any attachments from either of the emails and visit the site of the sender directly, instead.
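Comparing the two messages side by side is easiest when the comparison is done on the links rather than the wording, since in a clone the text is usually untouched and only the links change. The script below is an added example, not code from the original article; it assumes both messages are available as HTML bodies (the constructed samples use the reserved `.invalid` top-level domain for the substituted links) and pairs the links by position, which is appropriate because a clone keeps the original layout.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str) -> list:
    collector = LinkCollector()
    collector.feed(html)
    return collector.links


def host_of(url: str) -> str:
    # Visible text such as "www.example.com" has no scheme; add one so it parses.
    if not re.match(r"^[a-z]+://", url, re.I):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def compare_clone(original_html: str, resent_html: str) -> dict:
    """Report links whose target changed between the first message and the re-sent copy,
    and links in the copy whose visible URL does not match the real target."""
    original = extract_links(original_html)
    resent = extract_links(resent_html)
    changed = [
        (text, orig_href, new_href)
        for (orig_href, text), (new_href, _) in zip(original, resent)
        if host_of(orig_href) != host_of(new_href)
    ]
    display_mismatch = [
        (text, host_of(href))
        for href, text in resent
        if re.match(r"^(https?://|www\.)", text, re.I) and host_of(text) != host_of(href)
    ]
    return {
        "changed": changed,
        "display_mismatch": display_mismatch,
        "count_differs": len(original) != len(resent),
    }


# Constructed sample bodies; the first is the legitimate message, the second the clone.
ORIGINAL_HTML = (
    '<p>Your invoice is ready. '
    '<a href="https://billing.example.com/invoice/4471">View invoice</a> '
    'or visit <a href="https://billing.example.com">https://billing.example.com</a>.</p>'
)
RESENT_HTML = (
    '<p>Your invoice is ready. '
    '<a href="https://billing-example-secure.invalid/invoice/4471">View invoice</a> '
    'or visit <a href="https://billing-example-secure.invalid">https://billing.example.com</a>.</p>'
)

if __name__ == "__main__":
    for key, value in compare_clone(ORIGINAL_HTML, RESENT_HTML).items():
        print(key, value)
```

A changed host behind unchanged link text, and especially a visible URL that differs from the real target, is the signature the article describes; a result with an empty `changed` list and no display mismatches simply means the second message is a genuine duplicate.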
How to Prevent Clone Phishing Attacks
The same means of identifying other types of email phishing attacks also apply here. First, check the email address of the senders to see which one is likely fake. Then, visit the website of the supposed sender directly as opposed to clicking any links in either of the emails.
As always, employee training is the best way you can prevent any type of email phishing attacks. The better your employees are at spotting fake emails, the less likely they are to fall victim to any types of phishing attack.
Smishing Attacks
Smishing — or SMS phishing — attacks use text messages to target their victims in lieu of email. However, these types of attacks operate much in the same way as email phishing attacks: threat actors send texts from what appears to be a legitimate source that contain malicious links.
These links might be disguised as a coupon code or an offer to win some sort of prize and take the victim to a spoofed webpage that is opened in their smartphone’s browser. Typically, these types of attacks have the same goal as email phishing attacks — to steal login credentials or financial information from users.
How to Spot Smishing Attacks
Smishing attacks will often contain many of the same errors that email phishing attacks contain. Grammatical errors, spelling mistakes, or text lingo (e.g., LOL) are all common indicators that a text message is not legitimate. Similarly, a smishing attack will likely originate from a phone number that you do not recognize.
How to Prevent Smishing Attacks
Generally, if you receive a text from an unknown number, you should not open it. If you do open it, do not click on any links that have been delivered to you via text. Again, we recommend visiting the site of the supposed sender directly.
To prevent cybercriminals from getting access to your phone number in order to execute a smishing attack, do your best to keep your phone number private. Entering your phone number on other websites, even if they’re secure, can lead to cybercriminals getting hold of that information and inundating your phone with smishing attacks.
Vishing Attacks
This type of phishing attack also relies on the use of a phone as the vehicle of attack. Vishing, also known as voice phishing, is a phishing attack that’s done with a phone call. Typically, this type of phishing attack relays an automated voice message from what is meant to seem like a legitimate institution, such as a bank or a government entity.
Most people who have a phone have received some sort of vishing attack. It has become such a regular occurrence, that most people have become wary of giving out personally identifiable information over the phone.
Although this is good practice, it can also lead many people to be overly suspicious when they do receive a call that is in fact legitimate. But determining the legitimacy of a vishing attack can be rather tricky.
How to Spot Vishing Attacks
The first step to spotting a vishing attack is to inspect the phone number where the call originated. A phone number that is strikingly similar to your own phone number is probably spoofed to look more legitimate. If you aren’t familiar with the number, the best advice is to ignore the call and let it go to voicemail.
As stated, most vishing attacks use pre-recorded or automated messages. If you do answer the call and you are immediately greeted by a recording, it’s likely that the call is fake. However, if you aren’t sure if the call is legitimate or not, the best way to be sure is to look up the phone number of the institution that’s claiming to be behind the call, and call them yourself.
If you answer the call and it's a real person on the other end of the line, you should be wary of giving out any information they don't already have. For example, if someone calls and says that your credit card information has been compromised but they don't have the credit card number itself, they are likely hoping that you will give them all the information they need to steal your credit card number themselves.
How to Prevent Vishing Attacks
The best way to prevent a vishing attack is by simply not answering your phone. If the attacker leaves a message with a return number, check the legitimacy of the number before you dial. Even better, look up the number of the supposed institution and call them yourself.
These days, many smartphones have call filters that alert you when a caller is suspected of spam. However, these filters don’t work all the time, so it’s up to you to determine whether a call is legitimate or not and whether you should divulge your personal information via phone call.
Evil Twin Phishing
This type of phishing attack involves a threat actor setting up what appears to be a legitimate WiFi network that lures users to a phishing site when they connect to it. The malicious WiFi network might closely resemble the WiFi network your employees usually connect to, and will prompt users to enter their login credentials when they sign on to the network.
Once the hacker has this information, they can use it to log into the real WiFi network themselves, take control of it, monitor unencrypted traffic, and find ways to steal sensitive information and data.
Another form of evil twin phishing occurs when a malicious actor sets up evil twin access points in areas that are serviced by public WiFi — for instance, in a coffee shop. By ensuring that the signal of the evil twin is stronger than the authorized network, the malicious actor can trick users into choosing the network with the stronger connection over the legitimate offering.
How to Spot Evil Twin Phishing Attacks
Always double-check that you've selected the correct WiFi network when connecting a device. Similarly, if you're in a public place, check with the establishment for the name of the official hotspot so you don't make an incorrect assumption and choose a malicious WiFi network.
As a general rule, you should always disable the “auto connect” or “auto join” functions for saved hotspots for all of your wireless devices. You should also manually disconnect from a hotspot every couple of hours and manually connect to your desired hotspot and type in the password to confirm the connection.
How to Prevent Evil Twin Phishing Attacks
To prevent others from connecting to a malicious WiFi network that’s impersonating your own WiFi network, you should clearly advertise the name of the wireless network you provide in a prominent location.
Rather than providing open WiFi, you should protect your hotspot with a pre-shared key (PSK) and create a system to provide the key to any customers or employees who might need to use it. You can also look for hotspots that are impersonating your official ones using your own mobile device, and alert customers and employees if necessary.
Social Media Phishing
As social media becomes more ubiquitous, it’s unsurprising that it would be used by malicious actors for financial gain. Attackers often use social networking sites like Facebook, Twitter and Instagram to obtain victims’ sensitive data or lure them into clicking on malicious links.
To execute social media phishing attacks, threat actors might create a fake account impersonating someone the victim knows to lead them into their trap. Or, they may even impersonate a well-known brand’s customer service account to prey on victims who reach out to the brand for support.
With the proliferation of social media contests that result in a prize, many hackers are taking advantage of these campaigns and creating fake accounts that impersonate the account conducting the contest. For example, if you enter a contest that randomly selects a winner from the comments section of a post, you might receive a direct message from an account that looks like the account that posted the contest. This message might say “you won!” and request additional information, like credit card information, so you can collect your prize.
Most of the time, the original account that posted the contest is made aware of fake accounts pretending to be the official poster, and can warn users not to provide any personal information to claim their prize. However, sometimes these accounts can slip through the cracks, even if they are reported as false.
How to Spot Social Media Phishing Attacks
In many cases, if you receive a message from someone you know that doesn’t sound like them, their account has probably been hacked. One of the most common ways that social media phishing attacks get users to click on malicious links is by luring them with something outrageous like, “OMG… did you see this video? I can’t believe you did this!” with a link to the supposed video.
Alerting a user that their account has been hacked is the best way to prevent these types of social media phishing attacks from reaching the masses. You can also block users who appear to be fraudulent so their messages never reach you to begin with.
How to Prevent Social Media Phishing Attacks
The best way to prevent social media phishing attacks is to only accept friend requests from people you actually know. This will help eliminate any fraudulent accounts that are looking for easy targets — i.e., people who regularly accept requests from people they don't know.
You should also always check the legitimacy of any accounts that are supposedly associated with official businesses. Most accounts that have been verified by the social media platforms themselves will have a blue checkmark next to the username. If you receive a message from anyone other than a verified user, this should immediately raise a red flag.
Search Engine Phishing
This type of phishing attack uses search engines to direct users to fraudulent webpages that are indexed on legitimate search engines like Google. These websites typically feature cheap products or incredible deals to lure online shoppers who see the website on a search engine result page.
When the user visits the page, they’re usually prompted to register an account or enter their bank account information to complete a purchase. Once they’ve entered this information, threat actors can turn around and use this data for financial gain or identity theft.
In 2020, Google reported that 40 billion spam pages were detected every day, from spam websites to phishing websites. Additionally, Wandera reported in 2020 that a new phishing site is launched every 20 seconds. This means that three new phishing sites appear on search engines every minute.
How to Spot Search Engine Phishing
Again, you should always check to make sure that the URL you’re visiting is secured with a digital certificate. You should also avoid entering any personally identifiable information on a website unless it provides a secured method for entering such information.
Generally, websites that appear in search engine phishing attacks will be obvious. If the deal seems too good to be true, it probably is. Only making purchases from verifiable websites with reputable brands behind them is a good rule of thumb.
How to Prevent Search Engine Phishing
The best way to prevent this type of phishing attack is to avoid using search engines to find the products you’re looking for. Visit websites directly, and avoid entering any financial or personal information unless you’re absolutely certain that the source is credible.
Pharming Attacks
Pharming — a combination of the words “phishing” and “farming” — occurs when hackers exploit the mechanics of internet browsing to redirect users to malicious websites, often by targeting Domain Name System (DNS) servers.
DNS servers direct website requests to the correct IP address, and hackers who engage in pharming often target these servers to redirect victims to fraudulent websites with fake IP addresses. When a user lands on a website with a corrupted DNS server, their personal data can become vulnerable to theft.
How to Spot Pharming Attacks
Unfortunately, this type of phishing attack is the most difficult to spot because it essentially tricks the system into thinking that the IP address is legitimate, when in fact, it is not. The easiest way to spot a pharming attack is by checking that the URL is connected securely by looking for “https” in the web address.
How to Prevent Pharming Attacks
A good place to start is to install and run reputable antivirus and anti-malware security software with browser monitoring to help detect malware threats and protect your devices against threats. You can also enable two-factor authentication on any sites that offer it, and only use a reputable internet service provider or a VPN service that has reputable DNS servers. If you suspect that you’re already a victim of pharming, you can try resetting your computer to reset your DNS entries.
Safeguard Your Business from Phishing Attacks with Reciprocity ZenRisk
The easiest way to prevent phishing attacks is to utilize some of the many security tools available to your organization. However, choosing the right tool can be a daunting task in itself. Fortunately, there are solutions designed to help.
Reciprocity® ZenRisk is an integrated cybersecurity risk management solution designed to provide you with actionable insights to gain the visibility you need to stay ahead of threats and clearly communicate the impact of risk on high-priority business initiatives. Turn the unknown into quantifiable and actionable risk insights with built-in expertise that identifies and maps risks, threats and controls for you, so you can spend less time setting up the application and more time using it.
A single, real-time view of risk and business context allows you to clearly communicate to the board and key stakeholders in a way that’s framed around their priorities, keeping your risk posture in sync with the direction your business is moving. Reciprocity ZenRisk will even notify you automatically of any changes or required actions, so you can be on top of your risk posture like never before.
Plus, Reciprocity ZenRisk is seamlessly integrated with Reciprocity ZenComply so you can leverage your compliance activities to improve your risk posture with the use of AI. Built on ZenGRC, the Reciprocity product suite gives you the ability to see, understand and take action on your IT and cyber risks.
Now, through a more proactive approach, you can stay ahead of threats like phishing with Reciprocity ZenRisk. Talk to an expert today to learn more about how the Reciprocity Product Suite can help your organization mitigate cybersecurity risk and stay ahead of threats.