Phishing is one of the biggest threats that individuals and organisations face, but do you know what the different kinds of phishing are, what they look like and where to expect them?
In the broadest sense, phishing is any attempt to pose as a trustworthy source in order to get people to hand over personal information. Phishing usually takes the form of mass emails sent to hundreds or thousands of people, but criminals can also use other forms of communication or craft more targeted, nuanced attacks.
We’ve listed the most common forms of phishing here, along with examples to help you spot these attacks.
Email phishing
Most people are at least vaguely aware of what email phishing attacks look like: the poorly written, unexpected messages that try to scare you into thinking something has gone wrong. Perhaps your account has been hacked, you need to confirm a card payment, or your bank account has been compromised.
Whatever form the message takes, it always contains a request for information, an attachment to open (often a .zip file) or a link to click on.
If an email isn't addressed to you personally, contains suspicious attachments or links, or is sent from a bogus or lookalike email address, it is probably a phishing scam. The reverse does not hold: a well-crafted message can pass all three checks, so treat them as warning signs rather than as proof that a message is genuine.
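As an added example (not code from the original article), the following Python script applies the warning signs above to a raw email: a sender whose display name claims a brand but whose address sits on a different domain (or a Reply-To that redirects answers elsewhere), a message with no named recipient or a generic greeting, a risky attachment type such as .zip, and a link whose visible text names one site while the href points to another. The brand-to-domain table, the extension list, the crude two-label domain comparison and both sample messages are assumptions constructed for illustration.

```python
# Added example, not code from the original article: heuristic checks for the
# phishing warning signs described above. The brand table, the extension list
# and both sample messages are constructed for illustration.
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_BRAND_DOMAINS = {"paypal": {"paypal.com"}, "microsoft": {"microsoft.com"}}  # constructed
RISKY_EXTENSIONS = (".zip", ".exe", ".js", ".scr", ".iso", ".html")  # .zip as in the article
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued member", "dear sir/madam")

class _Anchors(HTMLParser):  # collects (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude eTLD+1 (last two labels); ignores multi-label public suffixes such as co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def phishing_indicators(raw):
    """Return human-readable warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    findings = []
    # 1. Bogus sender: brand in the display name but another domain, or Reply-To pointing elsewhere.
    sender = msg["from"].addresses[0] if msg["from"] and msg["from"].addresses else None
    if sender:
        sender_domain = registrable(sender.domain)
        for brand, domains in KNOWN_BRAND_DOMAINS.items():
            if brand in sender.display_name.lower() and sender_domain not in domains:
                findings.append(f"display name claims {brand!r} but sender domain is {sender_domain}")
        reply_to = msg["reply-to"]
        if reply_to and reply_to.addresses and registrable(reply_to.addresses[0].domain) != sender_domain:
            findings.append("Reply-To domain differs from From domain")

    # 2. Not addressed to you personally: undisclosed recipients or a generic salutation.
    if not (msg["to"] and msg["to"].addresses):
        findings.append("no named recipient in To header")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if any(g in re.sub(r"<[^>]+>", " ", text).lower() for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of recipient's name")

    # 3. Suspicious attachment types.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")

    # 4. Suspicious links: the visible text names one site but the href goes to another.
    if body and body.get_content_type() == "text/html":
        anchors = _Anchors()
        anchors.feed(text)
        for href, label in anchors.links:
            shown = re.search(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", label.lower())
            target = registrable(urlparse(href).hostname or "")
            if shown and registrable(shown.group(1)) != target:
                findings.append(f"link text shows {shown.group(1)} but points to {target}")
    return findings

SAMPLE_PHISH = """\
From: "PayPal Security Team" <alerts@paypa1-secure.example>
Reply-To: recovery@mailbox-hold.example
To: undisclosed-recipients:;
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear customer,</p>
<p>Please <a href="http://paypal.com.verify-login.example/x">https://www.paypal.com/login</a> now.</p>
--b1
Content-Disposition: attachment; filename="statement.zip"

PK
--b1--
"""  # constructed: shows every warning sign at once

SAMPLE_BENIGN = """\
From: "Alice Example" <alice@corp.example>
To: Bob Example <bob@corp.example>
Content-Type: text/plain; charset="utf-8"

Hi Bob, are you free at noon?
"""  # constructed: an ordinary internal message that should raise nothing
```

Call `phishing_indicators()` on the raw text of a message as it arrives at your mail gateway; for `SAMPLE_PHISH` it reports all six warning signs, for `SAMPLE_BENIGN` none. These are warning signs, not verdicts: a well-crafted spear-phishing email is personalised, comes from a plausible domain and may carry no attachment at all, and the two-label domain comparison used here will misjudge addresses under suffixes such as co.uk.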
Spear phishing and whaling
There are two other, more sophisticated, types of phishing involving email. The first, spear phishing, describes malicious emails sent to a specific person. Criminals who do this will already have some or all of the following: the victim's name, place of employment, job title, email address and specific information about their job.
One of the most famous data breaches in recent history, the hacking of the Democratic National Committee, was carried out with the help of spear phishing. The first attack sent emails containing malicious attachments to more than 1,000 email addresses. Its success led to another campaign that tricked members of the committee into sharing their passwords.
Whaling attacks are even more targeted, taking aim at senior executives. Although the ultimate goal of whaling is the same as that of any other kind of phishing attack, the technique tends to be a lot subtler. Crude tricks such as fake links and malicious URLs are less useful here, because the criminal is imitating senior staff and needs the message to read like a routine business request.
Scams involving bogus tax return requests are an increasingly common variety of whaling. Tax forms are highly valued by criminals because they contain a host of useful information: names, addresses, Social Security numbers and bank account details.
Smishing and vishing
With both smishing and vishing, telephones replace email as the method of communication. Smishing involves criminals sending text messages (the content of which is much the same as in email phishing), and vishing involves a telephone conversation.
A common vishing scam involves a criminal posing as a fraud investigator (from either the card company or the bank) and telling the victim that their account has been breached. The criminal then asks the victim to provide payment card details to verify their identity, or to transfer money into a 'secure' account, by which they mean the criminal's own account.
Social media phishing
A relatively new attack vector, social media offers criminals a number of ways to trick people. Fake URLs; cloned websites, posts and tweets; and instant messaging (which is essentially the same as smishing) can all be used to persuade people to divulge sensitive information or download malware.
Alternatively, criminals can use the data that people willingly post on social media to create highly targeted attacks.
In 2016, thousands of Facebook users received messages telling them they'd been mentioned in a post. The messages were sent by criminals and unleashed a two-stage attack. The first stage downloaded a Trojan containing a malicious Chrome browser extension on to the user's computer.
When the user next logged in to Facebook using the compromised browser, the criminal was able to hijack the user’s account. They were able to change privacy settings, steal data and spread the infection through the victim’s Facebook friends.
Your employees are your last line of defence
Organisations can mitigate the risk of phishing with technological means, such as spam filters, but these are never completely reliable. Some malicious emails will still get through, and when that happens, the only thing standing between your organisation and a breach is your employees' ability to recognise the message as fraudulent and respond appropriately.
Our Phishing Staff Awareness Course helps employees do just that, as well as explaining what happens when people fall victim and how they can mitigate the threat of an attack.
If you pair this course with our Simulated Phishing Attack, you can see how much information your employees retained. We'll send a simulated phishing email to your organisation (obviously without the malicious payload) and give you an independent assessment of your employees' susceptibility to an attack. It also benchmarks your security awareness campaigns and helps you:
- Satisfy compliance and regulatory requirements;
- Adapt future testing to areas and employees of greatest risk; and
- Reduce the number of employee clicks on malicious emails.
You might also be interested in our phishing infographic. This guide outlines the various forms that phishing attacks can take, explains the damage they can cause and provides an annotated example of a scam email, showing you what to look out for.