There’s plenty of phish in the sea, and each is looking to take advantage of unsuspecting victims, costing businesses millions of dollars every year. In fact, the average cost of a phishing attack for a mid-size company is $1.6 million—and it increased by 65% in 2018 alone. Why the rise in popularity? Experts agree it’s the ease with which they can be carried out. Phishing attacks are generally nothing more than phony emails or websites designed to trick someone out of money or confidential information; there’s no need to infiltrate a system, which also makes these cyber criminals less likely to get caught. To ensure you’re not hooked by a phishing scam, it helps to know what to look for.
4 Common Types of Phishing Methods
1. Deceptive Phishing
The most basic phishing scam, deceptive phishing, involves cyber criminals deploying a large batch of emails in an attempt to dupe anyone they can, often by impersonating a legitimate business. For example, victims may receive an email from “Walmart” notifying them that there is an issue with their account and they need to log in to correct it. The victim clicks a link, is taken to a fake website that looks just like the real deal, and plugs in their login information. Voila, the scammer now has their personal information.
2. Spear Phishing
A more targeted attack, spear phishing involves a scammer sending out personalized emails with details that are specific to the target. These are often sent to individuals within an organization, posing as another employee, contractor, or vendor, in order to forge a connection. Then, the scammer will seek to obtain confidential data or banking information. In 2017, Google and Facebook were victims of a $100 million spear phishing scam, demonstrating that even a tech giant isn’t immune to a scammer’s tricks.
3. Whaling
Whaling, as the name implies, targets the biggest players within a company. To harpoon a member of the C-suite, scammers take their time, spending weeks or even months researching them—they do this through online background checks, social media, and good old-fashioned sleuthing. When they’re ready to make their move, they may send a series of emails intended to build trust and establish rapport before putting forth the request for financial information or sensitive data, resulting in a data breach. Why go through all this hassle when they could simply send out a batch of deceptive phishing emails? Whales generally equal bigger paydays or more valuable information than the others.
4. Business Email Compromise Phishing
Whereas whaling targets the bigwigs, BEC phishing involves posing as them. In a BEC scam, the cyber criminal emails a lower-level employee who has access to sensitive information, pretending to be an executive and asking for the information they are after. You might think, why wouldn’t the employee just pick up the phone and confirm with the executive? The scam operates on the principles of social engineering, which in the context of IT security refers to “the psychological manipulation of people into performing actions or divulging confidential information.” Often these lower-level employees don’t interact with the C-suite, so they’re not comfortable questioning them or interrupting their day.
How to Protect Your Organization from Phishing Scams
A 2015 survey conducted by computer security company McAfee reveals that 97% of respondents could not correctly identify a phishing scam email, so employee education is crucial. Employees need to be aware that:
Scammers will often use domain names that are very similar to the legitimate domain, but contain a slight difference; if an email raises an eyebrow, always check the domain.
Scammers aren’t known for their spelling skills and grammatical prowess; always look for errors in questionable emails or sites.
Safe websites begin with “https,” with the “s” standing for “secure.” If the “s” is missing, X out of the site.
Retailers generally don’t email customers about security issues and prompt logins; if an employee receives one of these, they should go directly to the site to log in instead of clicking the link, or call the retailer directly to see if there really is a problem.
Scammers often lurk on social sites where they can acquire personal and professional information to build a targeted attack, so employees need to be careful who they connect with and what they post, especially on sites like LinkedIn where education and work history are often readily available.
Executives would rather receive an email or a phone call inquiring about a potential request, than risk a data breach or take a financial loss (each member of the C-suite needs to be on board with this).
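One way to automate the “always check the domain” advice from the list above, as an added example that is not part of the original article: a small Python classifier that flags a sender domain which is a near-miss of a known-good domain (swapped or substituted characters) or borrows a known brand name under a different domain or display name. The known-good list and the sample From: headers are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed example list of domains the organization treats as legitimate senders.
KNOWN_GOOD_DOMAINS = {"walmart.com", "example-corp.com"}

# Character swaps that make a lookalike domain read like the real one at a glance.
SUBSTITUTIONS = (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w"))


def normalize(domain):
    """Lower-case the domain and undo the common visual substitutions."""
    d = domain.lower().rstrip(".")
    for fake, real in SUBSTITUTIONS:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance; a value of 1 or 2 means a one- or two-character variation."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return 'known', 'lookalike' or 'unknown' for the domain in a From: header."""
    display_name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for good in KNOWN_GOOD_DOMAINS:
        if domain == good or domain.endswith("." + good):
            return "known"  # the real domain or one of its own subdomains
    for good in KNOWN_GOOD_DOMAINS:
        brand = good.split(".")[0]
        if edit_distance(normalize(domain), normalize(good)) <= 2:
            return "lookalike"  # e.g. wa1mart.com or walmrat.com
        if brand in domain or brand in display_name.lower():
            return "lookalike"  # brand name reused under a different registrable domain
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real message.
    for hdr in ("Walmart <no-reply@walmart.com>", "Walmart <security@wa1mart.com>",
                "Account Team <help@walmart.com.account-verify.net>", "Jane Doe <jane@gmail.com>"):
        print(classify_sender(hdr), "<-", hdr)
```

A mail gateway or triage script can route anything classified as “lookalike” for human review rather than relying on the recipient to spot the one-character difference.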
It’s important to understand that phishing emails are always evolving and are also becoming more sophisticated; the recent Canon attack is one such example. It begins as a phishing email, but then the link downloads malware into the system, causing even more turmoil than traditional phishing.
No matter how much training is provided, of course, everyone makes mistakes. Organizations should look into anti-phishing software, and speak with a cloud provider about protection against phishing. A reputable provider may offer machine learning-based detection of spam and phishing emails, and attachment scanning for malware. They also continuously update security software, such as anti-virus, while providing backups so data isn’t lost if malware enters the system via phishing. If you’re interested in the security of a predictable cloud provider and protection from malicious attacks, contact the experts at DSM to learn more, or schedule a free security vulnerability assessment.