The Ultimate Guide to Phishing Attacks: What They Are, What They Do, and How to Protect Against Them
What is a Phishing Attack?
Phishing is a type of social engineering. Malicious attackers send emails intended to trick users into giving away information like passwords, personal information, or account numbers in order to gain access to personal or company systems. Once they have this information, they can perform a number of hostile acts: from deploying malware including ransomware, to credential theft, data breaches, and more.
Consequences of phishing attacks
For a private individual this often means that they give away information that allows the attacker to make unauthorized purchases, steal money from various sources, or outright steal their identity. In the corporate world however, they are more often used to gain access as part of a more ambitious attack. Compromising employees in an organization allows these attackers to bypass security measures, install and distribute malware inside a closed system, or even gain access to secure data.
The financial losses associated with such an attack can be severe: not only direct losses, but also damage to reputation and consumer trust, and potentially a declining market share. If the scope is large enough, the security incident can be difficult to recover from.
Avoiding phishing attacks and scams
First and foremost, it is important for an organization to keep up with and understand the variety of phishing attacks that are out there. Understanding what methods are used, and keeping employees up to date on those methods, is an important way to protect your systems.
There are other methods for avoiding phishing scams as well.
Your digital footprint extends well beyond your internal corporate network. Cloud-based computing and business partnerships touch your network and provide access to your systems as well, so considering their security is equally important. Be aware of what your partners, contractors, and suppliers are giving away about your organization.
Relying solely on employee education isn’t enough to secure your systems. Expecting people to catch everything is an impossible request and is detrimental to productivity. Systems can be set up to keep a watchful eye on email for you.
Recognizing a phishing attack attempt is the first step. The attackers are always coming up with new tactics, so staying abreast of their methods is imperative to protecting your company’s data security.
The password change
In this example it appears as though your own business is requiring a password change. Employees may not even really think about what they are about to do. The link will appear fairly normal but be disguised and take the user to an entirely different website that will appear to walk them through a password reset.
Although it often may seem reasonable that this type of phishing attempt is obvious, people fall for them frequently. Remember, phishing relies on social engineering and the expectations and habits of everyday people. Employees may not even think about clicking on a link in an email or message like this one.
NOTE: punishing employees for making the mistake of clicking, or for getting caught causing an issue, is not recommended. This discourages employees from reporting in the future and can cause them to scrutinize every single email and message more than needed, creating a loss in productivity and excess paranoia. Both outcomes cause more harm than good.
The habits of attackers
Phishers do have preferences and habits. They tend to attack certain types of industries and attack on certain days of the week or certain times of day. They prefer certain brands to impersonate (see the section on brand impersonation below) and they rely on the same types of language in their attempts to trick users into clicking on links and attachments. Staying informed and understanding these tactics and habits gives you a leg up on reducing the likelihood that they will be successful against your systems.
The financial sector is the most targeted industry when it comes to phishing attacks. According to the research done by Statista nearly a quarter of all phishing attacks worldwide are directed at financial institutions. The financial sector is closely followed by web-based software (SaaS) and webmail services. Other industries popular with phishing attackers are ecommerce/retail, cryptocurrency, and logistics and shipping.
Days and times
It is impressive how cybercriminals have figured out what days of the week, and even what times of day, people are most likely to fall for their trickery. For example, Friday is a day that is targeted, as many people’s guards are down as they head into the weekend. A significant drop-off in activity occurs on Saturdays and Sundays. Phishing emails tend to arrive four to five hours after the start of business, and peak around lunchtime, right when everyone is getting into the swing of things and starting to do things a little out of habit. Perfect timing.
Learning how the phisher communicates is important. Educating your employees, and yourself, about the way they communicate can help protect your business. Phishing uses the content of an email or message to encourage the reader to perform certain actions; they need us to do the real work for them.
It is a psychological trick. Communicating in the right way can use human emotion and behavior to cause action. It is not lost on these internet criminals that language matters and they can use language to cause the recipients of their messages to act.
There are many groups and research organizations that keep track of various hacking and phishing campaigns. One group, the Anti-Phishing Working Group (APWG) keeps an eye on the behaviors and activity of phishing groups worldwide. One of the many things they track is the subject lines and language content of the emails and messages phishing attackers send.
For example, during the height of the pandemic and since, the APWG found that a common phrase used in phishing emails is “expires in 2 days.” This plays on a sense of urgency and encourages immediate attention to the email.
Over the years researchers have determined the most common words used in phishing emails—many of which also show up in legitimate emails all the time. The top five are:
All about the context
Considering this use of commonly used words, it is important to remember that the context in which they are used really matters in phishing emails. Let’s take a look at the themes and context of phishing emails.
Urgency – For example, pressuring the recipient of the email to change a password or verify something immediately.
“Your password has expired. Please update your password now to maintain access to Office 365”
“A vulnerability has been detected in your Facetime mobile application. Please verify your account now.”
Fear of missing out (FOMO) – FOMO can be highly effective in phishing emails.
“Don’t miss out on this once in a lifetime offer… “
Authority – often combined with urgency. Spoofing the name of a CEO or other high-level authority figure in a company is not uncommon.
“Beth, I need you to process this transaction ASAP. It needs to be done today or we will lose this new customer.”
Emotion or fear – A tactic often used in sexploitation campaigns.
“You’ve been recorded while using a porn website…”
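The themes above (urgency, FOMO, authority, fear) only become a phishing signal in context, when they sit next to an ask such as "verify your account" or "update your password". The following is an added example, not code from the original post or from IronVest, of a small rule-based triage scorer that rates constructed sample messages on those themes. The phrase lists, weights and threshold are assumptions for illustration; a real filter would combine this with header and link analysis rather than relying on wording alone.

```python
"""Added example (not the post's or IronVest's code): theme-and-context scoring of
message text, using the lure themes described on the page. Phrase lists, weights,
threshold and sample messages are constructed assumptions for illustration."""
import re

# Lure themes from the page, as regexes over lowercased text. Extra variants are assumed.
THEMES = {
    "urgency":   [r"\bnow\b", r"immediately", r"\basap\b", r"\btoday\b",
                  r"expires? in \d+ days?", r"has expired", r"restricted", r"overdue"],
    "fomo":      [r"don't miss out", r"once in a lifetime", r"limited time"],
    "authority": [r"\bceo\b", r"process this (transaction|payment)", r"wire transfer"],
    "fear":      [r"\brecorded\b", r"vulnerability (has been )?detected",
                  r"suspicious activity"],
}
# The "ask": a theme only matters when paired with a request for credentials or money.
ACTION_ASKS = [r"verify your account", r"update (your )?(password|payment)",
               r"confirm your (identity|details)", r"click (here|the link)"]
WEIGHTS = {"urgency": 2, "fomo": 1, "authority": 2, "fear": 2}  # assumed weights
ACTION_WEIGHT = 3                                               # assumed
THRESHOLD = 4                                                   # assumed flag level


def score_message(text):
    """Return the score, the matched themes (sorted) and whether the message is flagged."""
    t = text.lower().replace("\u2019", "'")  # normalise curly apostrophes
    hits = {}
    score = 0
    for theme, patterns in THEMES.items():
        matched = [p for p in patterns if re.search(p, t)]
        if matched:
            hits[theme] = matched
            score += WEIGHTS[theme]
    asks = [p for p in ACTION_ASKS if re.search(p, t)]
    if asks:
        hits["action"] = asks
        score += ACTION_WEIGHT
    return {"score": score, "themes": sorted(hits), "flag": score >= THRESHOLD}


# Constructed samples: the page's own lure lines plus one benign internal notice.
SAMPLES = [
    "Your password has expired. Please update your password now to maintain access to Office 365",
    "Beth, I need you to process this transaction ASAP. It needs to be done today or we will lose this new customer.",
    "A vulnerability has been detected in your Facetime mobile application. Please verify your account now.",
    "Don\u2019t miss out on this once in a lifetime offer...",
    "Reminder: the quarterly all-hands is Thursday at 10am; agenda attached.",
]


def triage(samples=SAMPLES):
    """Score every sample; returns a list of (message, result) pairs."""
    return [(s, score_message(s)) for s in samples]


if __name__ == "__main__":
    for msg, result in triage():
        mark = "FLAG " if result["flag"] else "ok   "
        print(f"{mark} score={result['score']} themes={result['themes']} :: {msg[:60]}")
```

Note that the FOMO-only line scores below the threshold: on its own, "don't miss out" reads like ordinary marketing, which is exactly why the scorer weights the paired ask more heavily than any single theme.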
Phishing damage and prevention
When it comes to ensuring your business is as protected as possible, a multi-layered approach is best. Seek out technical solutions that can keep an eye on things for you via your IT department.
It’s important to note that many – if not most – of the really dangerous phishing emails cannot be spotted with the naked eye. They seem legitimate, and only a technology that is purpose-built to identify such emails, can protect you.
Human-centered defense is also very important. Phishing is especially social, using emotion, clever language, and relying on turning the recipient of a message into an unknowing accomplice. The better the humans at your business are at recognizing these tactics the better.
The damage is real
Phishing is on the rise: since 2020, 81% of organizations worldwide have experienced an increase in phishing attacks. In fact, research has found that recent attacks have been focused more on stealing credentials in order to breach a system rather than installing malware.
All these attacks and attack attempts out there can be incredibly costly for a business. The financial consequences can be quite dire.
The cost of a data breach is, on average, upwards of $4 million, and that figure is rising. However, studies show that there is an increasing gap in cost of a breach between organizations that have more advanced security processes in place and those with fewer.
Costs and financial damage done by a successful phishing attack can be broken down into categories.
- Direct monetary losses
- User downtime
- Loss of intellectual property
- Remediation time and associated costs
- Compliance fines
- Loss of revenue and customers
- Legal fees
- Damage to reputation
It is worth considering that the costs of a successful attack are not simply financial. A successful phishing attack can lead to a multitude of issues for your business including:
- Lost data
- Compromised accounts and credentials
- Damaged reputation
- Malware infections
Lost data is a key cost when a breach has occurred. The types of data that are most often compromised during a phishing attack are:
- Credentials: Usernames and passwords to various systems
- Personal data: Addresses and phone numbers stored on your systems
- Internal data: Sales figures, financial data, customer data
- Banking data: Credit card information, bank account information
- Medical data: Insurance claim data
Protecting your company from phishing attacks
There are many ways to protect your company from the damage phishing attacks can cause. These range from employee education and training to implementing software and other tools that protect your systems.
Each of these tools has its advantages, but none are fully effective on their own. Look for email security solutions that work in tandem with these systems to make sure your organization is as safe as possible from phishing attacks and other dangers.
Security awareness training
Your employees can be a critical part of your defense against attacks. Security awareness programs provide engaging simulations and training so your employees company-wide can learn, without endangering anything, how these attackers really work and how to recognize them.
A 2022 report found that employees who completed a security awareness training program were much more likely to report and detect a phishing attempt.
Using your trained workforce as a defense against phishing is a clear benefit. But people alone cannot do all the defending in this case. Phishers are using technology, and you should be, too.
Secure email gateway
A Secure Email Gateway (SEG) monitors your incoming and outgoing email for malicious content. If the SEG detects any spam, malware threat, or phishing attempt that it recognizes, it quarantines or blocks the email from getting through. As long as it is kept up to date with the latest information for generic phishing, malware, and spamming attempts, an SEG does a pretty good job.
However, SEGs will not catch spoofed email messages. In order to defend your data and systems against these more individual types of attacks, you need another layer of technological protection. Look for a tool that integrates with SEGs to make sure you’re fully covered.
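The spoofed messages described above typically carry a trusted name on the wrong address, a Reply-To that leads elsewhere, or an internal-looking From that the receiving mail server could not authenticate. The following is an added example, not code from the original post or from IronVest, that runs those three header checks over constructed raw messages with Python's standard email module. The organisation domain, the known-sender list and the messages themselves are assumptions; the Authentication-Results header it reads is the standard one (RFC 8601) that a receiving mail server adds after SPF, DKIM and DMARC evaluation.

```python
"""Added example (not the post's or IronVest's code): header checks for the spoofing
cases a signature-based gateway can miss. ORG_DOMAIN, KNOWN_SENDERS and the raw
messages are constructed assumptions for illustration."""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                                     # assumed: our own domain
KNOWN_SENDERS = {"alex rivera": "alex.rivera@example.com"}     # assumed: executive directory


def _domain(addr):
    """Domain part of an address, lowercased; '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg):
    """Parse spf=/dkim=/dmarc= results from an Authentication-Results header (RFC 8601).
    Returns {} if the receiving mail server added none."""
    out = {}
    for part in msg.get("Authentication-Results", "").split(";")[1:]:
        token = part.strip().split(" ", 1)[0]      # e.g. 'dmarc=fail'
        if "=" in token:
            k, v = token.split("=", 1)
            out[k.lower()] = v.lower()
    return out


def check_spoofing(raw):
    """Return a list of finding names for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    # 1. Display-name impersonation: a known executive's name on an unexpected address.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display_name_impersonation")
    # 2. Reply-To routed to a domain other than the visible From domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_domain:
        findings.append("reply_to_mismatch")
    # 3. Claims to be our own domain but did not pass DMARC at the receiving server.
    if from_domain == ORG_DOMAIN and auth_results(msg).get("dmarc") != "pass":
        findings.append("unauthenticated_internal_sender")
    return findings


# Constructed messages (headers only matter for these checks).
MSG_LOOKALIKE = """\
From: Alex Rivera <alex.rivera@mail-example.net>
Reply-To: Alex Rivera <ceo.urgent@freemail.invalid>
To: beth@example.com
Subject: Process this transaction ASAP
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-example.net; dkim=pass header.d=mail-example.net; dmarc=pass header.from=mail-example.net

Beth, I need you to process this transaction today.
"""

MSG_SPOOFED_INTERNAL = """\
From: Alex Rivera <alex.rivera@example.com>
To: beth@example.com
Subject: Password change required
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Your password has expired. Please update it now.
"""

MSG_LEGIT = """\
From: Alex Rivera <alex.rivera@example.com>
To: beth@example.com
Subject: Q3 numbers
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Attached are the figures we discussed.
"""

if __name__ == "__main__":
    for label, raw in [("lookalike", MSG_LOOKALIKE),
                       ("spoofed-internal", MSG_SPOOFED_INTERNAL),
                       ("legit", MSG_LEGIT)]:
        print(f"{label:18s} {check_spoofing(raw)}")
```

The third check only fires for mail that claims our own domain, so it depends on the receiving server actually evaluating DMARC and recording the result; without that header the message is treated as unauthenticated, which is the safe default.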
Well rounded security
Ensuring your business or organization has as much protection set up as possible is key to preventing the worst of scenarios. A robust multi-layered defense means finding the right training program for your workforce, staying informed yourself, and doing everything you can with technology to filter and monitor email communication as well as keep those passwords and credentials safe.
Popular phishing scams in 2022
The essential formula behind phishing attacks is using psychological tricks, social engineering, natural human behaviors, and things people do nearly automatically without thinking. The attackers use these methods because it makes them hard to detect by humans and software which in turn allows them to steal sensitive information and/or credentials, often using fake links or malicious attachments.
Changing scams for changing times
Lack of up-to-date awareness is a big problem, because attackers rely on this missing knowledge and habitual behavior to accomplish their goals. This makes users, and therefore your business, more susceptible to these threats.
Standard phishing emails and messages generally represent themselves as a reputable source or organization, often your own, a partner organization, or a familiar brand. The most effective of these uses current issues and events that most people are aware of to trick people.
Using the pandemic
Two years of battling the pandemic has created a new opening for phishing attackers. Because it is of concern in every home and in every field of work, it is much easier for cybercriminals to use it as a clever method to gain access to systems. According to Check Point researchers “…cyber-criminals are exploiting interest in the global epidemic to spread malicious activity…” and they are finding great success doing so. The fears and misconceptions people have about COVID-19 have opened a whole new entry point.
These attackers are constantly updating their methods and clever messaging. Use this as a reference guide and starting point to help identify the types of pandemic-related phishing you and your employees may come across.
Emails that spoof or impersonate the World Health Organization (WHO)
These emails often include subject lines asking for donations or warning about taking precautions. They contain an attachment or link with phrases like “Virus Protections” or “Donate to the Pandemic Response Plan.” Once it is clicked on, it infects the system with malware.
IMPORTANT: The World Health Organization has said it will never ask for donations to emergency plans via email, websites other than their own (WHO), calls, or text messages.
Emails with fake medical test results
Frequently targeting healthcare industry companies, these emails contain a link or an attachment labeled “test results.” When it is clicked on malware will be installed on your system.
Emails targeting work-from-home employees
Taking advantage of the many more people working from home since the beginning of the pandemic, cybercriminals have found that impersonating company higher-ups or even the HR department can be useful for tricking remote workers into signing into a spoofed system on a website, and thereby giving away their login credentials.
Emails impersonating your local health department or ministry
It could be your state health department, a county health department, or another local health organization with official standing. Many of them contain an informational document as an attachment, or possibly a link to click on, that once opened will install malware that can allow the attackers access.
Customs and delivery services
Delivery services, customs services, and even postage sales phishing emails are popular and have been making the rounds. Attackers and scammers send emails and messages designed to look like package tracking or ask for payment of a fee via a malicious link.
Often these messages will be designed to look like a legitimate package or customs service that may be familiar to you or your employees. Claiming to have failed a delivery attempt or announcing customs fees are common tactics in these emails. Attackers may also send a message that offers tracking of a package that you or your employees do not remember ordering.
Invoicing and finance-related scams
Targeting financial employees has become more common in 2022 as well. Using their sense of responsibility to stay on top of investigating and checking payment issues, these emails can look very normal to this specific set of employees. Fake links and attachments, sometimes PDFs, to steal credentials or install malware, are designed to look very official and blend in with all the other emails financial employees see every day.
Urgency is an important and useful tactic that scammers and cybercriminals use to socially engineer their way into systems. These targeted finance phishing emails will often use phrases such as “overdue notice,” or “update payment details.”
Taxes for companies are dealt with, one way or another, year-round. Phishing messages using official tax entities or tax organizations become more common during tax season but can happen year-round. Look for these and remember that no one should be asking for information like Tax ID, Social Security Numbers, banking details, or other confidential financial or tax-related information via message or email.
Always double-check and investigate emails claiming to be from a taxation organization. Even if you are waiting for a refund, subsidy, or other information from your tax office, check with them on the status.
Phishing emails using taxes in an attempt to steal information or install malicious code on your systems often use subject lines like “Tax Refund Due,” “Tax Account Restricted” or “Update Tax Information.”
Impersonating a recognizable brand
An oldie but a goodie, impersonating a well-known brand is one of the most common, and one of the most successful, methods attackers use when phishing via email. It is just as popular as ever.
The most popular brand to impersonate is Microsoft, which makes sense, especially in the business world. Microsoft is ubiquitous in offices and on work computers. Almost everyone uses a Microsoft product at work one way or another.
Phishing attackers also impersonate other brands. Facebook is a very close second behind Microsoft. It is still the most used social media platform in the world. Other popular brands that are frequently impersonated are Crédit Agricole, WhatsApp, Orange, Paypal, and Google. Other very common brands that get impersonated are Norton, McAfee, Apple, and Amazon.
Malicious actors use these recognizable and trusted brands to trick users into giving out enough of the right confidential information or to click on links or attachments that are in the email. Inconsistencies or unexpected messages should be double-checked.
Checking with the brand immediately via their contact details on their websites is a good idea. Often these emails will be asking for a password reset when one wasn’t requested by you or your employee or asking for an update of payment information on the existing account.
Contact IronVest for Phishing Protection
IronVest designed InboxGuard to provide advanced protection for employee email accounts to help safeguard companies from malicious phishing attacks.
InboxGuard takes email security even further by using AI to perform advanced checks on employee email accounts and creating active alerts for suspicious elements.
Download our PDF, “Top 7 most common and most dangerous phishing attacks.” We put this report together to show you what to look out for and how InboxGuard from IronVest protects your company from these scams.
To find out more about how to protect your company and your employees from phishing attacks like the ones we’ve outlined in this blog, book an IronVest demo today. Your company’s security is literally our business.