In 2023, the average financial impact of a data breach caused by phishing soared to a staggering $4.76 million. This alarming statistic serves as a stark reminder of just how cunning and costly these attacks can be.
In this blog post, we will dive deep into the world of phishing, exploring its various forms and providing you with essential insights on how to spot and thwart these malicious attempts.
What is Phishing?
Phishing is a type of cyber attack where individuals are targeted via email, telephone, or text message by an attacker posing as a legitimate organisation, friend or coworker. The objective of such attacks is to trick victims into providing sensitive data, including personal identification information, banking and credit card details, and passwords.
According to a report by Egress, 92% of organisations experienced phishing attacks in 2022. A single deceptive message can lead to personal information theft or to a device being infected with malware. However, learning to recognise phishing emails is a significant step towards preventing these attacks.
Types of Phishing Attacks
Spear phishing: A personalised form of cyber attack that leverages detailed information about the target to make the attack more believable. These attacks are meticulously designed, often employing surveillance and intelligence gathered on the target organisation or individual.
Email Phishing: Unlike spear phishing, email phishing campaigns adopt a broader approach. They aim to trick many users or employees into revealing personal information, such as usernames, phone numbers, and credit card details. These emails often employ common phrases and create a sense of urgency to trick recipients into clicking a malicious link or downloading an infected attachment.
Business Email Compromise (BEC): A sophisticated attack that often begins with a spear phishing email. Fraudsters impersonate high-ranking executives or trusted vendors and send seemingly legitimate requests for fund transfers or sensitive information.
Whaling: Whaling is a type of cyber attack that specifically targets high-ranking executives or important individuals within an organisation. It is a form of spear phishing that is designed to steal sensitive information or gain unauthorised access to corporate networks.
Smishing: Smishing is phishing carried out through SMS (Short Message Service) text messages, although the same attacks can also arrive via popular messaging apps like WhatsApp or Facebook Messenger.
Vishing: Vishing, a combination of the words voice and phishing, refers to phishing scams that take place over the phone. These telephone scams are a targeted attempt to manipulate someone into performing certain actions or divulging confidential information.
Spotting a Phishing Attack
It has become increasingly difficult to identify phishing emails as cybercriminals have become more skilled and sophisticated in their attack methods. These fraudulent emails are now better crafted and personalised, often using trusted brand logos and language, making it challenging to distinguish between a legitimate email and a scammer’s fraudulent one.
By familiarising yourself with the following signs, you can effectively identify and protect yourself and your organisation against attacks.
Suspicious Links: Phishing attempts frequently include links that appear suspicious or lead to unfamiliar websites. Before clicking on any link, verify its legitimacy by examining the URL carefully. Hover your mouse over the link to reveal the address it actually points to; if that address differs from the one displayed, don’t click on it.
Requests for Sensitive Information: Emails originating from an unexpected or unfamiliar sender that request login credentials, payment information or other sensitive data should always be treated with caution.
Unusual Sender Information: Scams frequently impersonate legitimate companies. Don’t just verify the sender’s name; hover your mouse over the ‘from’ address and check for any alterations, such as additional numbers or letters.
Generic Salutations: Fraudsters often resort to generic greetings like “Dear Customer” or “Dear Member”. Reputable companies usually personalise their emails and direct you to contact them via phone if necessary.
Urgent or Fear-Provoking Language: Cybercriminals will often create a sense of urgency or fear to provoke immediate action. Attackers use this strategy to rush recipients into acting before they can scrutinise the email for potential flaws or inconsistencies. Common phrases and tactics used by scammers include:
- We’ve noticed some suspicious activity or log-in attempts
- There’s a problem with your account or payment information
- You need to make a payment
- Offering coupons for free products
- Issuing a fake order confirmation
Spelling or Grammar Errors: Reputable organisations employ professional copywriters for their communications. Multiple spelling or grammar mistakes in an email could indicate a phishing attempt.
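Two of the signs above, a link whose visible address differs from where it really points and a sender domain with extra letters or digits slipped in, can be checked mechanically rather than by eye. The script below is an added example written for this post, not code from the original article or from any vendor it mentions: it parses a constructed sample email, lists anchors whose displayed URL and real href are on different hosts, and flags a From domain that is a near-miss of the expected one. The domain example-bank.com, the sample message and the 0.8 similarity threshold are all assumptions made for the illustration.

```python
"""Added example: flag two phishing indicators in an email message.

Indicator 1 (Suspicious Links): an anchor whose visible text looks like a URL
but whose real href points at a different host.
Indicator 2 (Unusual Sender Information): a From address whose domain is a
near-miss of the domain the recipient expects (extra letters or digits).
"""
import difflib
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domain a genuine message would come from (placeholder, not a real bank).
EXPECTED_DOMAIN = "example-bank.com"

# Constructed sample message for this example; not real mail.
SAMPLE_EMAIL = """\
From: Example Bank Security <alerts@example-bank1.com>
To: customer@example.net
Subject: Urgent: suspicious log-in attempt on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>We noticed suspicious activity. Verify your details within 24 hours:</p>
<p><a href="http://203.0.113.7/verify">https://www.example-bank.com/login</a></p>
<p><a href="https://www.example-bank.com/help">Help centre</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the anchor currently open, if any
        self._text = []      # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the lower-cased host of a URL-like string, or None if it is plain text."""
    if "://" not in value and not value.startswith("www."):
        return None
    parsed = urlparse(value if "://" in value else "http://" + value)
    return parsed.hostname.lower() if parsed.hostname else None


def mismatched_links(html):
    """Indicator 1: anchors whose displayed URL and real href are on different hosts."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            findings.append({"shown": shown, "actual": real})
    return findings


def lookalike_sender(from_header, expected_domain=EXPECTED_DOMAIN):
    """Indicator 2: a sender domain close to, but not exactly, the expected domain."""
    _, addr = email.utils.parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == expected_domain:
        return None  # exact match: nothing to flag
    similarity = difflib.SequenceMatcher(None, domain, expected_domain).ratio()
    # Assumption: a ratio of 0.8 or more is "close enough to be deliberately confusing".
    if similarity >= 0.8:
        return {"sender_domain": domain, "expected": expected_domain,
                "similarity": round(similarity, 2)}
    return None


def analyse(raw_message):
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return {
        "mismatched_links": mismatched_links(html),
        "lookalike_sender": lookalike_sender(msg["From"]),
    }


if __name__ == "__main__":
    for name, result in analyse(SAMPLE_EMAIL).items():
        print(name, "->", result)
```

Running it on the sample reports the first link (displayed as www.example-bank.com but pointing at 203.0.113.7) and the sender domain example-bank1.com; the second link and a genuine @example-bank.com sender produce no findings. The similarity check deliberately ignores the display name, since the name is the easiest part of a message to forge.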