What is phishing? How can you protect your organization against phishing attacks?
What is a phishing attack?
Phishing is a type of cyberattack that uses social engineering tactics to manipulate individuals into giving away sensitive information, such as login credentials or financial information. Phishing can also be designed to trick unsuspecting users into downloading malicious attachments containing malware. Sites linked to from phishing emails may download malware as soon as they’re opened, or the malware may be triggered when a link or image on the site is clicked. Phishing attacks can be delivered in many forms, including through email, text message, phone calls, instant messaging or even social media messages. Let’s take a look at how phishing works, and what you can do to protect yourself from phishing attacks.
How does phishing work?
A phishing attack typically begins with a cybercriminal sending a message or communication that looks legitimate, often appearing as if it is from a trusted source, such as a bank, government agency or known company. The attacker then uses this communication to trick the individual into clicking on a malicious link or providing personal information like login credentials. The attacker can then use the stolen credentials to gain access to valuable data, or install malware that could spread from the device to infect an entire network. Phishing attacks that include malicious links or attachments deliver malware directly, without requiring user credentials at all.
Phishing can have disastrous ramifications for businesses – with the FBI IC3 report stating that approximately $44 billion was lost by victims of phishing attacks in 2021 alone.
Types of phishing
Email phishing – this is the most common form of phishing. The user is sent an email message that appears to be from a genuine sender. The email either requests information or contains a link to a site which collects sensitive information or installs malware on the user’s device. According to KnowBe4, 40% of phishing email subjects are HR related, and use some form of urgency to pressure employees into handing over their details without thinking clearly first.
Vishing – vishing is ‘voice phishing’, in which the attacker speaks directly to the victim over the phone. This includes common scams where callers pretend to be calling from a bank or credit card company and request sensitive financial data from unsuspecting targets.
Smishing – a shortened version of ‘SMS phishing’, where deceptive text messages are sent with the aim of gathering sensitive information. They generally include a link to a malicious website. These messages may also be sent via instant messengers (IM).
Clone phishing – a clone phishing attack copies an email sent by a legitimate company and redirects the link to a fraudulent website or adds a malicious attachment. This makes it very hard for victims to detect that the email is not genuine.
Spear phishing – this is a form of phishing in which a particular user or group of users is targeted, in order to harvest credentials and gain access to valuable data or a specific network. Spear phishing may target individuals who are ‘high value’, such as senior executives, or someone in the IT department with access to a lot of data. Often, the attacker will pretend to be a colleague. When the victim is a senior executive, this type of phishing can be referred to as ‘whaling’.
HTTPS phishing – this is a URL-based phishing attack, in which a user clicks on a malicious link to a site that appears safe, but which downloads malware to their device when opened. HTTPS (the browser padlock) used to be treated as a sure sign that a site was safe, but attackers can now obtain free certificates for their own sites, so the padlock only shows that the connection is encrypted, not that the site is genuine, giving visitors a false sense of security.
Pop-up phishing – this is a type of phishing that uses web advertisements or pop-ups that look legitimate but lead to fraudulent websites or download malware when clicked.
How can you prevent phishing attacks?
Phishing training – Once you’re wise to the forms that phishing can take, you are already one step towards keeping safe. Make sure everyone on your team and anyone sharing your network is familiar with phishing methods. Training them to spot suspicious account behavior or communications is important, although it cannot be relied on to protect your organization.
Help each other to stay safe – Try not to ask colleagues to send sensitive information by email. Keep up transparent communication, double-check any unusual-sounding requests, and expect others to check with you, too. Report any suspicions you have immediately, as the longer a breach goes unreported, the more likely it is to cause harm.
Be careful with links – Think twice before following a link sent in an email, even one that appears to be from a colleague or associate. Hovering over a link reveals its real destination and exposes the more obvious fake links and redirections, but it isn’t foolproof. When possible, use your search engine or a saved bookmark to get to a site instead. When on websites, beware of clicking on links in advertisements and assume pop-up advertisements are suspicious.
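The "hover over the link" check described above can be automated for mail that has already been captured, which is how a mail gateway or a help-desk triage script would apply it. The following is an added example written for this article, not code from the original page or from any vendor it mentions. It parses a constructed HTML fragment, and the domain names, the trusted-domain list and the HTML itself are all illustrative placeholders. It flags the deceptions the text warns about: visible link text that names one domain while the href goes to another, a trusted name used only as a prefix of a longer host, a `user@host` trick that hides the real host, raw IP addresses, and punycode (internationalised) hostnames that may be look-alikes.

```python
"""Inspect links in an e-mail body the way a cautious user hovers over them.

Added example, not part of the original article. The HTML below is a
constructed sample; every domain in it is an illustrative placeholder.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: three anchors as they might appear in a phishing e-mail.
SAMPLE_HTML = """
<p>Please review your account at
<a href="https://login.example-bank.com.verify-account.test/reset">https://login.example-bank.com</a>
or <a href="http://example-bank.com@203.0.113.10/login">example-bank.com</a>
or <a href="https://xn--exmple-bank-7fb.test/">Example Bank</a>.</p>
"""

# Domains the organisation actually uses (constructed for this example).
TRUSTED_DOMAINS = {"example-bank.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation; production code should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_link(href, text):
    """Return the list of reasons this link looks deceptive (empty list = nothing found)."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme != "https":
        reasons.append(f"scheme {parts.scheme!r} is not https")
    if parts.username is not None:
        # "https://trusted.example@evil.test" shows the trusted name but connects to evil.test
        reasons.append("userinfo before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) hostname may be a homograph")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a hostname")
    # A trusted name buried inside a longer host (login.trusted.com.attacker.test)
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and registrable_domain(host) != trusted:
            reasons.append(f"host {host!r} merely contains {trusted!r}")
    # Visible text that looks like a URL or domain must agree with the href host
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        reasons.append(f"visible text points to {m.group(1)!r} but href goes to {host!r}")
    return reasons


def inspect_html(html):
    """Map each href in the fragment to its list of findings."""
    parser = LinkCollector()
    parser.feed(html)
    return {href: inspect_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in inspect_html(SAMPLE_HTML).items():
        print(href, "->", reasons or "no findings")
```

A link whose visible text, href host and trusted domain all agree produces no findings, so the same function can be run over every anchor in an inbound message and only the mismatches surfaced to the user or to the security team. The registrable-domain helper is deliberately simple; a real deployment should resolve registrable domains with the public suffix list so that hosts under multi-label suffixes are compared correctly.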
Use anti-phishing software tools – there are various types of anti-phishing security software tools that can warn against or prevent phishing attempts. They can flag unsafe websites, scan files or downloads, and prevent harmful processes from running.
For example, ZTEdge web security isolates users and devices from all web-based malware by rendering websites in remote cloud containers. Malicious web code can’t reach local devices, providing protection even in cases where a user mistakenly clicks on a malicious link. To protect users from email-based phishing, the tool also opens email links to potentially risky domains in a read-only mode, preventing users from entering their credentials. It also uses CDR (Content Disarm and Reconstruction) to sanitize web downloads and email attachments.
Don’t give out financial information – There are very few situations in which you would need to enter credit card numbers or details in response to a query, rather than as part of a purchase process that you initiate. Never give this kind of information to anyone unless you are 100% sure of where it’s going and why it’s needed. Genuine companies will never ask you to send this information through unsecured communication (email, SMS etc.). Double-check the credentials of anyone asking for this information over the phone. If you are in any doubt at all, don’t do it.
Clean up unused email accounts and logins – An account that isn’t being used regularly could become compromised and go unnoticed for a long while. Make sure you have procedures in place to remove accounts of previous employees, or any other account that is no longer needed.
Beware of unsafe websites – Don’t enter information into, or download from, a site whose address doesn’t begin with ‘https’, or one that looks suspicious, such as one that displays pop-ups. Remember that ‘https’ alone does not prove a site is genuine; check that the domain is the one you expect.
Use strong passwords and multi-factor authentication – if you use weak passwords, or you reuse the same password for many applications, and you’re not using multi-factor authentication (MFA), a single phished password is enough for an attacker to gain access to important information on your computer and/or network. Using MFA together with varied, strong passwords will minimize this threat.
Follow browser updates – Browser development teams stay ahead of cybersecurity threats by actively seeking out vulnerabilities in their own software and fixing them with security updates. Keeping your browser up to date is not just a cosmetic choice; it can be vital for your protection.
Phishing uses many forms. Being aware of how phishing works and how you can prevent it from succeeding by using a mixture of awareness, training, good security practices, and anti-phishing software tools helps reduce the risk of cyberattacks and keeps your network safe.