Phishing is where cyber attackers masquerade as legitimate entities to steal information.
In a phishing attack, the victim receives a message that appears to come from someone they trust, such as their bank. The aim is to trick them into handing over information or installing malicious software. The stolen information can then be sold on the dark web or used to break into the victim’s accounts or systems.
As technology advances and more of our daily activities move online, learning to recognize and avoid phishing attacks is vital for our safety.
How phishing evolved
The term phishing was coined in the mid-1990s to refer to scams that “fished” for passwords or financial data. These early attacks were unsophisticated, relying on generic messages with broad targets.
As the public’s awareness of phishing grew, attackers developed a more sophisticated approach known as spear phishing. A spear-phishing attack targets specific individuals or organizations using personalized information.
Today’s phishing attacks use advanced social engineering tactics and technology. Attackers may use generative AI to write more convincing messages and use the software toolsets known as phishing kits to create and send messages faster and more efficiently. They can also mine social media and compromised personal information to gather details about potential targets.
Integrating malicious links and attachments has also become more sophisticated, making detection more challenging.
Common types of phishing attacks
Email phishing
Email phishing is still the most prevalent form. The attacker sends an email pretending to be from a reputable company, such as a bank. Typically, the message warns the recipient about a problem they must urgently address by clicking a link. The link will take them to a fake website where they’ll be prompted to enter their login credentials or other personal information.
Spear phishing
Spear phishing attacks target specific individuals or organizations. The attackers research their target to create personalized and believable messages. For example, they can send an email pretending to be from the victim’s colleague or their line manager.
Whaling
Whaling targets high-profile individuals, such as C-suite executives, to exploit their influence and privileged access. For example, a Chief Financial Officer receives a fake message from their organization’s CEO. The message requests an urgent transfer of funds for a confidential purpose.
Clone phishing
A clone phishing attack duplicates a legitimate email that the victim has previously received, such as the tracking email for a package they’re expecting. The copy replaces the legitimate attachments or links with malicious ones.
Smishing and vishing
Smishing is phishing by SMS or text message. Vishing is phishing by voice, via a phone call or voicemail.
Smishing and vishing messages use similar tactics to phishing emails while sidestepping spam filters. They take advantage of people’s willingness to trust text messages and phone calls more readily than emails.
How to protect against phishing
The primary way to protect your organization against phishing attacks is to teach everyone how to recognize them. Introduce organization-wide training. Strive to create a security awareness culture where everyone understands that they have a role in keeping your organization safe.
Here are some key warning signs that an email may be a phishing attack:
- An unfamiliar or external sender: Be careful with emails from senders you don’t know, who don’t usually contact you, or who are outside your organization.
- Surprise: The email arrives unexpectedly with a request to provide personal information.
- Urgency: The email pressures you to act now. For example, suspicious activity has been detected on your account so you must confirm your password immediately.
- Generic greetings: Companies today personalize their customer communications. An email that opens with a generic greeting like “Dear sir or madam” could be a scam.
- Mistakes: If an email contains obvious spelling or grammatical mistakes or fuzzy, low-quality graphics, it could be fake. Genuine companies today don’t make these kinds of errors.
- Strange domain names or addresses: The sender’s address doesn’t include your bank’s usual domain name, such as MyBank.com. Instead, it may use a lookalike domain, such as MyBaink.com. Or it may replace letters with numbers or special characters, such as MyB@nk.com. Before you click a link, hover your mouse over it to see where it leads. If anything seems wrong, don’t click.
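As an added example (not from the original article), the following Python script applies several of the warning signs above to a constructed sample message: it folds the letter-for-symbol swaps and one-character edits that produce lookalike domains such as MyBaink.com and MyB@nk.com, flags generic greetings and urgency wording, and compares a link’s visible text with where it actually leads. The trusted domain list, the sample message and the keyword lists are assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse
# Constructed sample (not a real message): lookalike sender, generic greeting, urgent wording, misleading link.
SAMPLE_FROM = "MyBank Alerts <security@myb4nk.com>"
SAMPLE_HTML = (
    "<p>Dear sir or madam,</p><p>Suspicious activity was detected on your account. "
    'Confirm your password immediately: <a href="http://mybaink.com/verify">'
    "https://www.mybank.com/login</a></p>"
)
TRUSTED_DOMAINS = {"mybank.com"}  # assumed: the domains this recipient legitimately deals with
URGENCY_PHRASES = ("immediately", "urgent", "act now", "confirm your password")
GENERIC_GREETINGS = ("dear sir or madam", "dear customer", "dear user")
LOOKALIKE_MAP = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "3": "e", "5": "s"})  # undo MyB@nk-style swaps

def one_edit_away(a: str, b: str) -> bool:
    """True if one insertion, deletion or substitution turns a into b (mybaink.com vs mybank.com)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return longer[i + 1:] == shorter[i:]
def lookalike_domain(domain: str) -> bool:
    """Not a trusted domain itself, but matches one after folding swaps or by a single edit."""
    d = domain.lower()
    if d in TRUSTED_DOMAINS:
        return False
    folded = d.translate(LOOKALIKE_MAP)
    return any(folded == t or one_edit_away(d, t) for t in TRUSTED_DOMAINS)
def host_of(url: str) -> str:  # hostname of a URL ("" if the text is not a URL), minus a leading www.
    host = urlparse(url.strip()).hostname or ""
    return host[4:] if host.startswith("www.") else host
def analyze(sender: str, html: str) -> list:
    """Return the warning signs found in a message; an empty list means none of the checks fired."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1].strip("> ")  # part after the last @ of the address
    if lookalike_domain(sender_domain):
        findings.append(f"lookalike sender domain: {sender_domain}")
    text = re.sub(r"<[^>]+>", " ", html).lower()  # strip tags before the keyword checks
    if any(g in text for g in GENERIC_GREETINGS): findings.append("generic greeting")
    if any(u in text for u in URGENCY_PHRASES): findings.append("urgency wording")
    for href, label in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        if lookalike_domain(host_of(href)):
            findings.append(f"lookalike link domain: {host_of(href)}")
        if host_of(label) and host_of(label) != host_of(href):  # visible URL differs from the real target
            findings.append(f"link text shows {host_of(label)} but leads to {host_of(href)}")
    return findings
```

Running analyze(SAMPLE_FROM, SAMPLE_HTML) reports all five signs, while a genuine statement notification from mybank.com with a matching link produces no findings.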
The golden rules to avoid falling for a phishing attack are:
- Always be vigilant.
- Always think before you click a link or open a file.
- If in doubt, call the supposed sender at their usual number to confirm that the message is genuine.
Cybercheck can help protect your organization
Safeguarding organizations against modern forms of phishing requires a combination of awareness and technology.
At Cybercheck, we constantly monitor forums where cybercriminals buy and sell stolen personal information. If cybercriminals are trading data about you or your organization, we alert you right away so you can take immediate action to avoid being profiled and targeted by them.