What Is Phishing?
Definition of phishing
Phishing is a type of cybercrime in which criminals obtain money, gain an advantage, or bring about some other desired outcome by tricking people into handing over information in response to a request made by email or another form of communication. Phishing is prevalent in today’s world and is said to cause two-thirds of security breaches annually, making it a significant problem. Phishing emails arrive daily in every setting, from personal inboxes to the communications of small businesses and large corporations.
Common methods used in phishing attacks
Threat actors often send emails, messages, or texts designed to fool unsuspecting people into sharing financial data or personal information. The recipient may believe the communication comes from a trusted source, a person in authority, or someone in trouble, or may simply be curious enough to respond.
Frequently, phishing attempts exploit gullibility, emotional responses, or a lack of awareness about such attacks. They also take advantage of a victim’s inattention to detail.
Examples of phishing scams
There have been many significant cybersecurity incidents that began with phishing attacks.
- During the FBI’s Operation Phish Phry in 2009, 100 people were charged with cybercrimes. The FBI was tipped off when customers received official-looking emails from what appeared to be their financial institutions. In response to the email requests, customers entered their account information and passwords into what turned out to be a fraudulent website, leading to financial devastation for both customers and their financial institutions.
- In 2013, the Target/FMS Scam was a phishing scam that allowed hackers to access 40 million Target customers’ credit card details, compromising 70 million customer records. The phishing email that enabled the criminals to deploy malware to Target’s point-of-sale machines was sent to employees of an HVAC company hired by Target; the malware was likely downloaded from that email by an unsuspecting employee who had access to Target’s servers.
- In 2016, an Austrian aerospace parts manufacturer, FACC, with world-renowned clients like Boeing and Airbus, fell victim to a phishing email attack when hackers impersonated the company’s CEO, a Canadian man named Walter Stephen. In the scam, hackers impersonating Stephen instructed an employee to wire $61 million to the criminals’ bank account in China. Upon discovery, the company fired both the CEO and the CFO and was sued for damages for failing to implement security controls correctly and for not providing appropriate supervision. The aftermath was significant.
Types of Phishing Attacks
Overview of different types of phishing attacks
There are various types and styles of phishing attacks, which can also occur via text messaging, social media messaging, and voice calls, under different names. Most phishing scams are designed to reach as many people as possible and are typically low-yield. However, some phishing attacks are more technical and can create broad-reaching problems for specific, targeted individuals and organizations. Examples of these types of attacks include spear phishing, clone phishing, and whaling. Email phishing is the most common type of phishing attack.
Spear phishing and its characteristics
Spear phishing attacks target specific individuals rather than casting a wide net. This type of attack begins with a criminal gaining access to an organization’s internal email, often through ordinary phishing or system vulnerabilities. Attackers research and select a target, create a plan, and then impersonate someone within the organization. Select employees might receive realistic-looking emails from a co-worker or person in authority, or instructions exploiting emotional responses to get them to accomplish a task. These emails may contain subtle discrepancies that the user may not notice due to their emotional response or curiosity. It’s crucial to independently verify any unusual requests that seem out of place.
Clone phishing and how it works
Clone phishing uses ordinary phishing techniques to gain access to original emails with attachments, creating copies of genuine emails from an organization. This allows a threat actor to send attachments that appear like the original but contain malware used to steal sensitive information. These repurposed emails are often sent as urgent “updated” attachments, using this urgency to get the victim to respond. Unlike spear phishing, which specifically targets an organization or individual, clone phishing typically impersonates or duplicates emails in a believable manner.
Recognizing Phishing Emails
Common features of phishing emails
Phishing emails often have common features such as grammatical errors, unusual email addresses or hyperlinks, and suspicious downloads, or can come from an unknown email address. Companies often require specific cybersecurity training to help employees recognize phishing emails.
How to identify suspicious content
If an email directly requests sensitive information, only use approved and secure channels to share that information and only do so if it is advisable and safe. Double-check any unusual requests, and if an email directs you to a website, read the URL in the address bar to ensure it is correct before entering personal information. Emails from known people or organizations that contain unusual characteristics like content, speech, or tone differences that are unexpected should be treated as suspicious. The same applies to emails with calls for urgency, strong emotional statements, or threats. Unsolicited or sudden communications should also be considered immediately suspicious.
Tips to avoid falling for phishing scams
There are simple steps to take to avoid falling for phishing scams.
- Educate yourself by researching how phishing scams work.
- Take a class or consult the cybersecurity or IT team at work.
- Stay informed by reading about famous phishing scams or cybersecurity news. This can provide a wealth of useful information for identifying phishing attacks.
- Follow security principles and adhere to organizational security protocols and controls.
Pay close attention to emails, texts, social media messages, as well as voice calls to determine their origin, the safety of responding to any requests, and other information that may help with identification.
Always verify communications. Did you initiate the conversation, or did the other person? What is the purpose of the communication? Look carefully for oddities, stated urgency, emotional pleas, unusual cadences, grammatical errors, and suspicious links or instructions. Any of these can be an indicator of a phishing attack.
Using a password manager like LastPass is another simple step that helps keep hackers out of email accounts and keeps end users from filling out fraudulent forms.
Protecting Yourself from Phishing
Best practices to prevent phishing attacks
There are simple best practices to help prevent phishing attacks. To start with, slow down. Read your email thoroughly, checking to see if the sender and address match before responding, and looking for signs of suspicious activity.
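As an added illustration of the checks described above (this script is not part of the original article), the following Python code applies three of them to two constructed sample messages: it compares the sender's mailbox domain with the organization's real domain, flags urgency language in the subject and body, and checks whether each link's host actually belongs to that domain. The bank name, the domains, and the message text are all made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY_PHRASES = ("urgent", "immediately", "suspended", "within 24 hours")

# Constructed sample (not a real message): the display name claims to be the
# bank, but the mailbox domain and link host are look-alikes, and the text pushes for urgency.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank-verify.test>
Subject: URGENT: your account will be suspended

Your account will be suspended within 24 hours unless you verify your
password immediately at https://examplebank.test.login-check.test/verify
"""

# Constructed benign message from the real domain, with no pressure language.
CLEAN_EMAIL = """\
From: "Example Bank" <statements@examplebank.test>
Subject: Your monthly statement is ready

Your statement is available at https://www.examplebank.test/statements
"""

def registered_domain(host):
    # Last two labels of the hostname ('a.b.example.test' -> 'example.test').
    # Simplification: no public-suffix list, so 'site.co.uk' would be mishandled.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def phishing_indicators(raw_message, trusted_domain):
    """Return human-readable warnings for a raw RFC 822 message; [] means clean."""
    msg = message_from_string(raw_message)
    findings = []
    _name, addr = parseaddr(msg.get("From", ""))  # the display name is trivial to fake
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if registered_domain(sender_domain) != trusted_domain:
        findings.append(f"sender domain {sender_domain!r} is not {trusted_domain!r}")
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    for url in re.findall(r'https?://[^\s<>"\']+', body):  # the real target, not link text
        host = urlparse(url).hostname or ""
        if registered_domain(host) != trusted_domain:
            findings.append(f"link host {host!r} is not under {trusted_domain!r}")
    return findings
```

Running `phishing_indicators(SAMPLE_EMAIL, "examplebank.test")` returns three warnings (sender domain, urgency language, and the look-alike link host), while the benign message returns an empty list.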
Use strong and unique passwords
Using multi-factor authentication (MFA) and strong passwords helps prevent break-ins and protects data. Changing your passwords regularly or using a password manager can make it harder for hackers to maintain access, protecting your data.
The role of password managers like LastPass in phishing protection
Password managers like LastPass help guard against end-user password fatigue and facilitate accurate and secure communication. LastPass detects fake websites, preventing the filling out of forms with personal information on fraudulent sites.
Reporting and Responding to Phishing
What to do if you receive a phishing email
If you receive a phishing email, respond with caution, observation, and reporting.
Do not click any links or download attachments. Verify with the sender before taking any action and follow your company’s reporting process.
How to report phishing scams
Reporting phishing helps prevent future scams and identify known scammers. Follow your organization’s procedures for reporting and consult your IT or cybersecurity teams for advice. You can also report phishing attempts to government agencies like the FBI’s Internet Crime Complaint Center, the Anti-Phishing Working Group, or the FTC.
Actions to take if you believe you have been successfully phished
If you believe you’ve been successfully phished, immediately disconnect your device from the internet, scan it with antivirus software, and monitor your email and online accounts for suspicious activity or transactions. If the event occurred on a work-related network or device, report it and follow standard security procedures.
Phishing is a serious threat that requires vigilance and knowledge of phishing to combat. By understanding common phishing techniques, recognizing suspicious emails, and following best practices, individuals and organizations can protect themselves from these attacks.
One of the easiest first steps? Use a password manager. Start your LastPass trial today to strengthen your organization against phishing attacks.