Subscribe
Categories
< Back to Blog
What is Phishing in Cybersecurity?
Glossary

What is Phishing in Cybersecurity?

By Editorial Team Jun 25, 20206 min read

Cybersecurity requires organizations to spot and respond to an array of threats, some of which are easier to identify and guard against than others. One of the most prevalent types of cybersecurity breaches is phishing.

Phishing is a scam that enables a cybercriminal to trick ordinary users into providing personal information, such as login credentials. A user may be fooled into clicking a fraudulent link, or misled into entering his or her personal information on a form.

Get the best third-party security content sent right to your inbox

Thanks for subscribing!

Either way, the attacker gains access to valuable data, which can be used for harmful purposes in the future.

The Dangers of Phishing

Phishing is dangerous in part because of how common and easy it is to execute. Nearly a third of all breaches in 2019 involved some kind of phishing. In cyberespionage attacks, a whopping 78% of breaches involved phishing.

You don’t need to have a degree in computer science, nor do you even have to be a “hacker,” to engage in successful phishing. A phishing attack may be executed simply by creating a website or sending an email that looks as if it’s been issued from an authority; for example, a bank or a tech company.

Thanks to the availability of technologically simple “phishing kits,” even people who have no technical experience or expertise can design and launch their own phishing attacks.

The extent of an attack depends on how it was executed and who the target is. If an individual hands his personal information over, including name, date of birth, Social Security number and/or credit card details, this can result in direct theft or identity theft.

If an organization is the victim of a phishing attack, it might give the hacker a foothold, which can be used as a tool in a larger criminal enterprise. For example, a cybercriminal could get access to a company’s internal servers, which would provide the opportunity to launch a much more sophisticated raid.

This can be especially dangerous for your organization because even a single vulnerability can open the way to a devastating chain reaction: When one person in your company falls for a phishing scam, this could jeopardize the integrity of the entire operation.

It might even have a ripple effect that extends to partner organizations, suppliers and your customers. In other words, if a third-party vendor suffers a phishing attack, that could leave you vulnerable as well.

Examples of Phishing

It’s easiest to understand the nature of phishing when you study an example of how one has played out. Many phishing techniques can be employed: sometimes independently, other times using many different techniques as part of a single assault.

Some common techniques include:

  • Link manipulation. Here, a cybercriminal disguises a link in an email to fool you into clicking on the link. For example, it might read www.paypall.com, which closely resembles “paypal.com” but with only a subtle difference. Sometimes, hackers use subdomains to pose as a familiar, trustworthy website. Either way, when you click on the link, you might download malware to your device, or be led to a forged website.
  • Forged websites. These function like regular websites, but are mocked up to resemble a trustworthy site. For example, you may see a page that looks like a typical login page, and it prompts you to enter your usual entry information. However, when you attempt to do so, the cybercriminal at the other end captures your credentials. Forged websites are usually identifiable if you pay attention to the details; the design won’t look quite right, and the URL will be subtly different from the site you know well.
  • Social engineering. Phishing can also take place via social engineering. An individual may call you, pretending to be the representative of a trustworthy organization. If the person is persuasive enough, he or she may manipulate you into providing vital personal information.

Most phishing attacks attempt to motivate action through a compelling or time-sensitive demand. For example, their messages may warn you that your password is about to expire, or there’s an undefined “problem with your account.”

How to Combat Phishing

The best way to combat phishing in your own organization is through education. The more knowledgeable your employees are, the less likely they’ll fall for a phishing scam.

Most phishing attempts can be avoided with the following understanding:

  • Unusual emails should never be trusted. If you get an email from someone you don’t know, or a message that’s worded in an unusual way, you shouldn’t automatically accept it. Clicking a link or downloading an attachment, even out of curiosity, can have devastating consequences.
  • URLs should always be double-checked. One of the easiest ways to spot a phishing attempt is by checking the URL you’re currently clicking or visiting. Are there any strange spelling errors? Do you perceive a subdomain that doesn’t match what you intended to visit? You might also notice subtle design differences; for example, the company’s logo may be slightly misplaced, or the color scheme appears slightly “off.”
  • No one will ever ask you for your password. This is common advice, and should be common knowledge, but it’s often neglected; no person in or outside of your organization should ever ask you for your password directly. If someone does, it’s almost always a nefarious attempt to obtain your sensitive information. To maintain excellent security, always practice password resets with caution. Even if everyone knows and follows the practices above, your firm may still be vulnerable to a phishing attack if one of your vendors, suppliers or third-party partners becomes a victim.
  • Enable and Enforce Two-Factor Authentication. Authentication takes on three parts: what you know, what you have and what you know. Two-factor authentication requires you to authenticate with two such factors in order to proceed with a transaction. Having two-factor authentication enabled means that even if you fall prey to a phishing attack that stole your password, you still minimize the risk of a fraudulent transaction going forward since the attacker may not be able to succeed adding one of the second authentication factors.  

Phishing and Third-Party Vendors

You could have a fantastic cybersecurity strategy in place for your own operation, but how confident are you about the cybersecurity of your third-party vendors? How vulnerable are your suppliers to phishing attacks? Since your suppliers may be accessing, storing or processing your data, a phishing attack on their employees might put you in risk of a breach as well. 

That’s why it’s critical to use automated third-party security management software to vet your suppliers, so you can assess the security risk they pose to your company. Assessing a supplier’s security posture must also include measuring the risk that their employees pose. 

Panorays is the only security rating platform that includes an assessment of the human factor. With Panorays, you can be confident about your suppliers’ security; sign up for a free demo today, and see it in action!

Author Thumbnail
Editorial Team

You may also like...
What is a Third-Party Vendor
Oct 21, 2021 What is a Third-Party Vendor and Why is Third-Party Security… Editorial Team
What is MAS-TRM?
Jun 28, 2021 What is MAS-TRM? Editorial Team
What Is CRISC & How It Improves Third-Party Security
Jun 09, 2021 What Is CRISC Certification and How Can It Improve Third-Party… Editorial Team
Get Started Free

Popular Posts

Top 5 cyber gaps
Feb 10, 2022 1 min read

The Most Common Third-Party Cyber Gaps Revealed

Wouldn’t it be great if you could get a sneak peek at all the upcoming 2022 cyberattacks? Yes, it would be. But, since that’s not going to happen, we’ve done the next best thing.  Panorays used data from our cyber posture evaluations of tens of thousands of third parties from various industries over an extensive period of time to find...
By Aviva Spotts
Security Best Practices & Advice
4 ways to see if you are at risk of a vendor breach
Aug 26, 2021 3 min read

4 Ways to See if You Are at Risk of a Vendor…

Recent supply chain attacks such as Kaseya, Accellion and SolarWinds have illustrated that when it comes to vendor breaches, it’s not if, but when. While it’s impossible to predict cyberattacks, there are key steps that you can take with your vendors to determine if you might be at risk. Here are 4 key strategies: 1. Monitor security posture It’s important...
By Demi Ben-Ari
Security Best Practices & Advice
5 Ways to Reduce Third-Party Cyber Risk in 2022
Jan 03, 2022 3 min read

5 Resolutions for Reducing Third-Party Cyber Risk in 2022

If there’s one thing we’ve all learned, it’s that supply chain attacks are not going away anytime soon. Last year, we saw major cyber incidents involving Accellion, Kaseya, Codecov and others; next year, there will certainly be more.  To help prevent and respond to similar cyber incidents, it’s essential to consider how best to reduce third-party risk. How can this...
By Yaffa Klugerman
Security Best Practices & Advice

Building Trust Between Companies Worldwide

Get Started

Featured Authors

Author Thumbnail
Yaffa Klugerman Director of Content Marketing at Panorays
Author Thumbnail
Elad Shapira Head of Research at Panorays.
Author Thumbnail
Moshe Ferber Cyber and Cloud Computing, entrepreneur, investor, board member and lecturer.
We use cookies to ensure you get the best experience on our website. Visit our Cookie Policy for more information.
Get our latest posts straight to your inbox Subscribe