Cybersecurity requires organizations to spot and respond to an array of threats, some of which are easier to identify and guard against than others. One of the most prevalent types of cybersecurity breaches is phishing, and they are launched against organizations of all sizes across industries. In the past, even leading brands such as Google, Facebook, Amazon and Apple have been targeted. One of the most popular mediums for attackers to use is the professional social media platform LinkedIn, which is responsible for 52% of phishing attacks globally.
What is Phishing?
Phishing is a scam that enables a cybercriminal to trick ordinary users into providing personal information, such as login credentials. A user may be fooled into clicking a fraudulent link, or misled into entering his or her personal information on a form.
Either way, the attacker gains access to valuable data, which can be used for harmful purposes in the future.
The Dangers of Phishing Attacks
Phishing is dangerous in part because of how common and easy it is to execute. Nearly a third of all breaches in 2019 involved some kind of phishing. In cyberespionage attacks, a whopping 78% of breaches involved phishing.
You don’t need to have a degree in computer science, nor do you even have to be a “hacker,” to engage in successful phishing. A phishing attack may be executed simply by creating a website or sending an email that looks as if it’s been issued from an authority; for example, a bank or a tech company.
Thanks to the availability of technologically simple “phishing kits,” even people who have no technical experience or expertise can design and launch their own phishing attacks.
The extent of an attack depends on how it was executed and who the target is. If an individual hands his personal information over, including name, date of birth, Social Security number and/or credit card details, this can result in direct theft or identity theft.
If an organization is the victim of a phishing attack, it might give the hacker a foothold, which can be used as a tool in a larger criminal enterprise. For example, a cybercriminal could get access to a company’s internal servers, which would provide the opportunity to launch a much more sophisticated raid.
This can be especially dangerous for your organization because even a single vulnerability can open the way to a devastating chain reaction: When one person in your company falls for a phishing scam, this could jeopardize the integrity of the entire operation.
It might even have a ripple effect that extends to partner organizations, suppliers and your customers. In other words, if a third-party vendor suffers a phishing attack, that could leave you vulnerable as well.
11 Types of Phishing Attacks
It’s easiest to understand the nature of phishing when you study an example of how one has played out. Many phishing techniques can be employed: sometimes independently, other times using many different techniques as part of a single assault. For example, an email phishing attack may release malware, which then infects an entire network, leading to a supply chain attack. The recent evolution of AI has made it easier for cybercriminals to personalize phishing attacks and target different roles and organizations at scale.
Some common techniques include:
1) Email Phishing
Attackers target email users to divulge sensitive or confidential data from them such as credit card information, bank details or medical information. In 2022, an email circulated to many Netflix subscribers, informing them that their subscription was about to expire.
2) Link Manipulation in Phishing
Here, a cybercriminal disguises a link in an email to fool you into clicking on the link. For example, it might read www.paypall.com, which closely resembles “paypal.com” but with only a subtle difference. Sometimes, hackers use subdomains to pose as a familiar, trustworthy website. Either way, when you click on the link, you might download malware to your device, or be led to a forged website.
3) Website Spoofing as a Phishing Tactic
These function like regular websites, but are mocked up to resemble a trustworthy site. For example, you may see a page that looks like a typical login page, and it prompts you to enter your usual entry information. However, when you attempt to do so, the cybercriminal at the other end captures your credentials. Forged websites are usually identifiable if you pay attention to the details; the design won’t look quite right, and the URL will be subtly different from the site you know well.
4) Vishing (Voice Phishing)
Phishing can also take place via social engineering through other mediums besides email. An individual may call you, pretending to be the representative of a trustworthy organization. If the person is persuasive enough, he or she may manipulate you into providing vital personal information.
5) Domain Phishing
Domain phishing occurs when attackers use a domain name or email using that domain name to fool users into divulging sensitive or confidential data. For instance, Paypal has frequently been the target of domain phishing attacks. Attackers send emails or use domains that are similar to the domain but misspelled. One user lost $50,000 after receiving an email that looked like it was from Paypal.
6) Whaling
Also known as CEO fraud, whaling targets C-level members of an organization to lure them into transfering money for criminal purposes. It may also attack specific members of the organization with access to PHI or PII data, such as accounts payable or human resources. Employee awareness throughout the organization is essential for safeguarding against this type of threat.
7) Spear Phishing
Similar to whaling, spear phishing targets specific individuals with access to sensitive and confidential information. However, this individual may not be someone with an executive role in the company. It can also be targeted toward a specific brand. For example, between 2013 and 2015 Facebook and Google both fell for a phishing scam that invoiced the company from a Quanta Computer, a supplier used by both companies.
8) Smishing
Smishing is the attempt to lure sensitive or confidential data from customers via text messages. It is an effective delivery method for phishing attacks because studies have shown that text messages have a 98% delivery rate. Smishing attacks, a relatively new form of attack, increased by 700% in 2021.
9) Quishing
Also known as QR phishing, this type of attack occurs when the malicious link is placed inside a QR code. A relatively new type of phishing attack, it has been used to execute attacks against Microsoft Authenticator, Docusign and Microsoft Teams.
10) Pharming
Pharming attacks direct users to malicious websites with the intent of gathering sensitive or confidential information such as credit card information, usernames, passwords and bank details. Pharming is especially dangerous because it runs code on the user’s computer to direct them to a malicious site, rather than relying on them to click on a link. The DNSChanger malware was a famous example of a pharming attack launched by an Estonian cyber gang.
11) Man-in-the-Middle (MiTM) Attacks
Man-in-the-Middle attacks are newer forms of phishing attacks that are able to successfully bypass authentication such as MFA and other content defenses. Instead of showing the user a spoofed version of a website, they display the actual website, and the user enters his information without suspicion of any attack. However, the attacker is able to intercept the information and use it for malicious purposes. The EvilProxy phishing attack does this by functioning as a reverse proxy so that it can intercept between users and their requests.
Pressure to Take Action
Most phishing attacks attempt to motivate action through a compelling or time-sensitive demand. For example, their messages may warn you that your password is about to expire, or there’s an undefined “problem with your account.”
How to Prevent Phishing Attacks
The best way to combat phishing in your own organization is through education. The more knowledgeable your employees are, the less likely they’ll fall for a phishing scam.
Most phishing attempts can be avoided with the following understanding:
- Unusual emails should never be trusted. If you get an email from someone you don’t know, or a message that’s worded in an unusual way, you shouldn’t automatically accept it. Clicking a link or downloading an attachment, even out of curiosity, can have devastating consequences.
- URLs should always be double-checked. One of the easiest ways to spot a phishing attempt is by checking the URL you’re currently clicking or visiting. Are there any strange spelling errors? Do you perceive a subdomain that doesn’t match what you intended to visit? You might also notice subtle design differences; for example, the company’s logo may be slightly misplaced, or the color scheme appears slightly “off.”
- No one will ever ask you for your password. If someone does, it’s almost always a nefarious attempt to obtain your sensitive information. To maintain excellent security, always practice password resets with caution. Even if everyone knows and follows the practices above, your firm may still be vulnerable to a phishing attack if one of your vendors, suppliers or third-party partners becomes a victim.
- Update passwords regularly. Simply ensuring passwords are changed regularly decreases the potential for attackers to successfully launch brute force and dictionary attacks and gain access to your networks and systems. This is especially true as organizations increasingly rely on third parties which expand your attack surface and potential entry points for attackers.
- Enable and enforce two-factor authentication. Authentication takes on three parts: what you know, what you have and who you are. Two-factor authentication requires you to authenticate with two such factors in order to proceed with a transaction. Having two-factor authentication enabled means that even if you fall prey to a phishing attack that stole your password, you still minimize the risk of a fraudulent transaction going forward since the attacker may not be able to succeed adding one of the second authentication factors.
- Implement anti-phishing tools. Firewalls, malware detection, vulnerability, patch management and antivirus software all help minimize the effects of phishing. Secure email gateways (SEGs) also offer protection for email phishing attempts, as do web proxies for web phishing attempts.
- Keep IT assets and systems updated. When IT assets and systems are outdated, attackers can more easily infiltrate through known vulnerabilities in the software, particularly when armed with user credentials gained in a phishing attack. Many updates also have their own phishing detection capabilities that are maintained to defend against the latest phishing attempts.
- Employee phishing awareness training. Employees across the organization must be kept aware of the latest phishing attacks and educated as to the types of behaviors that mitigate against these attempts. For example, not to click on suspicious links, update passwords regularly, and understand that brands never ask for you to validate user data such as passwords, bank and credit card information. Some organizations use technology such as Security Awareness Training (SAT) and phishing simulators to enhance employee awareness and IT preparedness.
Preventing Phishing Attacks for Third-Party Vendors
You could have a fantastic cybersecurity strategy in place for your own operation, but how confident are you about the cybersecurity of your third-party vendors? How vulnerable are your suppliers to phishing attacks? Since your suppliers may be accessing, storing or processing your data, a phishing attack on their employees might put you in risk of a breach as well.
That’s why it’s critical to use automated third-party security management software to vet your suppliers, so you can assess the security risk they pose to your company. Assessing a supplier’s security posture must also include measuring the risk that their employees pose.
Panorays is the only contextual third-party cyber risk management platform that detects threats indications within the unique business context of every relationship, enabling companies to adapt their defenses, minimize risk and proactively prevent the next breach from affecting their business.
Want to learn more about how Panorays can help you defend against phishing attacks from third parties? Get a demo today.
Phishing FAQs
-
Phishing is a scam that enables a cybercriminal to trick ordinary users into providing personal information, such as login credentials by clicking a fraudulent link or misleading them into entering personal information on a form. Either way, the attacker gains access to valuable data, which can be used for harmful purposes in the future.
-
Here’s how you can identify a phishing scam:
- Any email that suddenly asks for sensitive data such as your username or password or credit card information.
- Suspicious attachments or ones not requested by the user.
- Type links into your browser to validate the true identity rather than rely on one that is malicious but looks like a valid brand at first glance.
-
It is important to understand the risk of phishing as the exposure of sensitive data and information such as PII, PHI and IPO information can lead to financial, legal and reputational damage within your organization. Phishing is usually the first step in a data breach, which attackers can then leverage to become a larger infiltration of a company network or system.
-
To avoid phishing attacks, organizations can update passwords regularly, enable and enforce multi-factor authentication, keep IT assets, systems, and passwords updated, and adapt employee awareness programs across the organization.
-
No, phishing attacks can be launched from a variety of attack vectors, including your phone, QR code, browser and text message. In addition, consumers can also be phishing through man-in-the-middle attacks.
