Cybercriminals use phishing attacks to gather sensitive data or system access details before beginning their main offensive. What usually follows is a well-targeted ransomware attack or the theft of valuable data to be sold on the dark web.
As a business owner, it is vital to educate both staff and yourself on the most common phishing attacks that are likely to come your way. When it comes to IT security, prevention is always better than cure, so it’s best to act now to take the necessary steps to protect your business from future cyber attacks.
What Is Phishing?
Phishing is a scam that involves cybercriminals sending bogus messages (usually via email or SMS) that appear to be from legitimate organisations. These messages direct unsuspecting recipients to a fake website designed to capture their personal information or contain a malicious attachment to infect user devices.
The intent is usually to extract sensitive information such as login credentials, financial information, personal details, or sensitive business data. Alternatively, a phishing attack may let loose a virus or ransomware on the unsuspecting user’s devices to then spread, causing maximum damage.
Such attacks target millions of individuals and organisations daily. There are several types of phishing attacks to be aware of, which we will cover in this article.
What Is the Business Impact of a Phishing Attack?
The business impact of an effective phishing campaign can be hard to evaluate as sometimes that’s the intention. When cybercriminals steal sensitive data to sell to your competitor, this is usually done without your knowledge.
Equally damaging to business operations (and far more noticeable) is a ransomware attack brought on by the initial phishing attack. Every device on your network will have its data encrypted by hackers, and a ransom payment is demanded in return for the decryption key. Cloud data backups are often encrypted too.
It is also worth understanding the less obvious repercussions involved in being the victim of a phishing attack. For example, if your company experiences a data breach, its reputation and brand can take a significant hit. Investors may also be less likely to support your business. Even if you can recover all your data eventually, it’s usually too late for the brand damage and PR nightmare.
Regulatory fines are another matter. Your business may face steep financial penalties for failing to secure data appropriately. Furthermore, dealing with a data breach disrupts your day-to-day business operations and efficiency, taking time and resources away from other priorities.
5 Common Phishing Attacks Businesses Should Know About
It only takes a single moment of lost concentration to inadvertently provide cybercriminals with what they are after. Here are the five most common phishing attacks you should be aware of to safeguard your business.
1. General Email Phishing
The majority of phishing attacks are sent by email, and the hacker's messages often come from a domain that mimics a real organisation's domain name. Using automation, the hacker can send thousands of generic, non-targeted emails with ease.
These counterfeit domains often look like the real one, with small substitutions such as a zero instead of the letter “o” or the letters “rn” run together to look like an “m.” Other times the domain looks like an official company name with a reference number on the end.
Often the email contains several legitimate links with a single malicious link among them. Alternatively, the code behind the message is legitimate for the most part, with the malicious code discreetly worked in.
These tricks help the malicious link pass through email security filters, and they deceive the recipient as well. The email may contain working links to the help or community pages, for instance. Many people hover over a few links to see if they are legitimate, but they may not scrutinise every link carefully. The one link that appears to take the user to the communication settings page actually takes them to the hacker’s site.
A client of ours recently received an email saying that the domain name of their website was about to expire. It is very easy to be panicked by such an email and pay. We advised them to log directly into their hosting provider and check their domain’s expiry date; everything was fine, and this was a phishing email. Below is a screenshot of that email.
Other times, a real company name is part of a fake email address, something the recipient may glance at and assume is legitimate. A practical rule is to always check the email address in the message, especially if the message asks you to download an attachment or click a web link.
2. Spear Phishing
Spear phishing is more sophisticated than general email phishing in that it involves sending a targeted, well-crafted malicious email to a specific person. Criminals use social engineering to tailor and personalise the emails to their intended targets. They use email subject lines on topics of interest to the recipients, which tricks them into opening the message and then clicking on attached files or links.
Alarmingly, 91% of successful cyberattacks begin with a spear-phishing email (source). Because the messages are so finely tuned, many email security filters miss them. The same applies to the human eye: the message appears legitimate and non-threatening.
Whoever creates the spear-phishing email already has some or all of the following details about the victim, which are usually easy to obtain from business directory websites such as LinkedIn. A quick look at social media can then turn up additional personal information to tweak the spear-phishing email.
- First and last name
- Job title & job description
- Place of employment
- Email address
- Hobbies & interests
All it takes is for one person to click a malicious link, and the damage is done. Even the savviest among us can be tricked when the message contains enough valid information.
3. Whaling
Whaling attacks are even bolder and more targeted than spear phishing. This type of attack targets senior executives who are chosen because of their positions within the company. While the goal is the same (to obtain information or access), the messages are more subtle and targeted because of their intended recipients. The aim is to trick executives into providing sensitive corporate-level information or data.
A whaling attack can also work in the other direction, where the phishing email appears to come from a high-level senior executive and is sent to several lower-level executives or managers within the company. These messages are highly tailored to their intended audiences and often include the victim’s full name, job title, and other harder to find (but still publicly available) details that make the message appear legitimate.
4. Vishing
Although email is the most common delivery vehicle for phishing attacks, it isn’t the only one. Vishing attacks (voice phishing), for instance, arrive as a phone call.
The victim receives a phone call that sounds as though it’s coming from their credit card company, their Amazon account, or some other typical service to which most people subscribe. The call often begins as an automated message that then re-routes the individual to the criminals themselves, who pose as customer service agents. Of course, these criminals use mobile apps and other technology to spoof their phone number or hide it altogether.
The attackers use social engineering tactics to trick the person into providing personal, business or financial information. They pretend to be someone else like your bank, the Inland Revenue, or an executive at your own company who happens to work off-site. Whatever the fake issue is, they will first need to “verify your information.” This is the point where they get what they came for.
5. Smishing
Smishing (short for SMS phishing) is delivered to the intended target’s mobile phone as a text message. These malicious text messages trick users into clicking a malicious link or handing over sensitive information. The message could be disguised as something familiar, such as a missed delivery, an urgent need to contact “customer support,” or discounted tickets to an upcoming local event.
Here is a real-life example we received recently via SMS, where the domain name looks like an official company name with a reference number appended to the end.
Sometimes, smishing attacks lead the recipient to unwittingly download a malicious app. The recipient clicks a link that automatically downloads apps that can potentially deploy ransomware or enable the hacker to control the phone remotely. Other times, the link goes to cloud-based malicious forms designed to steal data.
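The look-alike domains described for both email and SMS (a zero for the letter “o”, “rn” standing in for “m”, and a company name with a reference number appended) can be recognised mechanically: undo the character swaps, strip the trailing number, and see whether what is left is a brand you deal with but on a domain that is not the brand’s own. The following is an added example and not code from the original article or from Securus; the brand list, the “legitimate” domains (placeholders under the reserved .example TLD, not the brands’ real domains) and the sample messages are all constructed.

```python
"""Added example, not code from the original article: flag text-message links
whose domain imitates a brand using the tricks the article names, a zero for
the letter "o", "rn" in place of "m", and a company name with a reference
number appended.  The brand list, the "legitimate" domains (placeholders
under the reserved .example TLD) and the messages are all constructed."""
import re
from urllib.parse import urlparse

# Assumed placeholders standing in for the brands' genuine domains.
LEGITIMATE_DOMAINS = {
    "royalmail": {"royalmail.example"},
    "amazon": {"amazon.example"},
    "securus": {"securus.example"},
}

# Character swaps that make a look-alike label read as the real name.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Only links with an explicit scheme are considered, to keep extraction simple.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed messages in the shapes the article lists: a missed delivery, an
# order notice, a genuine service message and an unrelated offer.
SAMPLE_MESSAGES = [
    "Royal Mail: we could not deliver your parcel. Reschedule at https://royalmail-48213.com/redelivery",
    "Your Amazon order has been dispatched. Track it: https://arnazon.example/orders",
    "Securus: your invoice is ready at https://portal.securus.example/invoices",
    "Half-price tickets for Saturday's match: https://tickets-local.example/deal",
]


def normalise(label):
    """Undo common character substitutions so a look-alike collapses to the brand."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def strip_reference(label):
    """Remove a trailing reference number such as '-48213' or '48213'."""
    return re.sub(r"[-_]?\d+$", "", label)


def classify_host(host):
    """Return (brand, verdict): 'legitimate', 'lookalike', or 'no known brand'."""
    host = host.lower()
    for brand, genuine in LEGITIMATE_DOMAINS.items():
        if host in genuine or any(host.endswith("." + g) for g in genuine):
            return brand, "legitimate"
    for label in host.split("."):
        # Strip the number first: normalising "1" to "l" would otherwise hide it.
        candidate = normalise(strip_reference(label))
        for brand in LEGITIMATE_DOMAINS:
            if candidate == brand:
                return brand, "lookalike"
    return None, "no known brand"


def analyse_sms(text):
    """Return [(url, brand, verdict)] for every link found in a text message."""
    results = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        brand, verdict = classify_host(host)
        results.append((url, brand, verdict))
    return results


if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        for url, brand, verdict in analyse_sms(message):
            print(f"{verdict:15} {brand or '-':10} {url}")
```

The check is deliberately applied to every label of the host, not just the registrable domain, so a brand name used as a subdomain of some unrelated site (`royalmail.example.evil.test`) is flagged as a look-alike while `portal.securus.example` is accepted because it ends in a genuine domain. The same routine can be pointed at the links pulled out of an email.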
Defending Against Phishing Attacks
At Securus Communications, we recommend a combined defence against phishing attacks: anti-phishing/anti-malware services running on your email servers, the latest antivirus software running on all user devices (including BYOD), and security training for staff.
Anti-phishing/anti-malware services can block and quarantine phishing emails and the malware they carry. Keeping antivirus software on user devices up to date means that anything that slips through the net can still be detected and dealt with.
Phishing attacks succeed because they resemble official messages. Your staff should be trained to look carefully at all incoming messages, inspect the URL, and spot the small mistakes that reveal a fake email. Users must understand that if they don’t recognise an email address and can’t verify the sender, they should avoid clicking any web links or opening any attachments in the message and report it to IT.
Your business cannot afford to be the victim of a phishing attack as it usually leads to something much worse, such as data theft or a ransomware attack. Not only do such attacks threaten your valuable data, but they can also damage your reputation along with your IT systems.
Securus can provide your business with an easy-to-manage anti-phishing/anti-malware email solution. We also offer effective antivirus services that can run on your entire estate and provide centralised alerting. Staff cybersecurity awareness training is another service we offer. Please get in touch if you would like to discuss your security requirements further.