According to Cisco’s 2021 Cyber Security Threat Trends report, phishing is the second most prevalent cyber attack after crypto mining. So it shouldn’t be a surprise that 86% of organizations have reports of at least one user trying to connect to a phishing site.
Phishing is also responsible for 90% of data breaches, which is a statistic that should make any organization sit up and take notice.
So what is phishing exactly?
Phishing is a cyberattack that uses email, text messages, or websites to trick people into clicking on links or downloading malicious files that install malware, such as viruses, on their devices. You’ve probably seen one: Attackers pose as a trusted entity, such as a co-worker, bank, or even the IRS, to try and get victims to click on malicious links or attachments. This gives attackers access to sensitive information on your device or connected networks, like passwords and financial details.
Phishing is dangerous because it only takes one person to fall for the attack for the whole organization to be at risk. Once an attacker has a foothold in the network, they can start snooping around for sensitive data or planting malware that can spread throughout the network.
The Age of Social Engineering
Phishing is a type of ‘social engineering attack.’ Social engineering attacks exploit human psychology rather than technical vulnerabilities to gain access to systems or steal sensitive data. We’re all hardwired to trust people we know and like, which makes us more likely to let our guard down when we receive an email from someone we know or an organization we’re familiar with. And even if we’re suspicious of the email, we might still be tempted to click on a link out of curiosity.
In other words, it banks on insider risk, one of the biggest security threats to any organization. For example, an email that looks like it’s from the IT department asks the user to click on a link to reset their password. Once the user clicks on the link, they’re taken to a fake website where they’re asked to enter their login credentials. The attacker can then use those credentials to gain access to the system.
Phishing is just one type of social engineering attack. Other examples include baiting (offering free gifts or prizes), quid pro quo (requesting something in exchange for access to a system), and tailgating (physical access to a building or data center).
Examples of phishing attacks
Phishing attacks come in many different forms, but they all have one goal: to trick victims into clicking on a malicious link or attachment. Some of the most common include:
- Email. Attackers send emails that look like they’re from a legitimate source, such as a co-worker, bank, or even the IRS. The email might contain a malicious link or attachment that, once clicked, will install malware on the victim’s device.
- Text message (smishing). Attackers send text messages that look like they’re from a legitimate source, such as a bank or credit card company. The text message might contain a malicious link that, once clicked, will install malware on the victim’s device.
- Voice (vishing). Attackers use phone calls or voicemails to trick victims into clicking on a malicious link. For example, an attacker might pose as a customer service representative and ask the victim to click on a link to reset their password. Once the victim clicks on the link, they’re taken to a fake website where they’re asked to enter their login credentials.
- Spear phishing. Attackers send emails that look like they’re from legitimate, and personal, sources, such as a co-worker or boss. The email is personalized to the victim and might contain information only the victim would know, such as their login credentials or the name of their dog. This makes the email more convincing and increases the likelihood that the victim will click on the malicious link or attachment.
- Whaling. Attackers send emails that look like they’re from a high-level executive, such as the CEO or CFO. The email might request sensitive information, such as financial data or login credentials.
- Business email compromise (BEC). Attackers send emails that look like they’re from a legitimate business partner. The email might contain an invoice or other financial document that, once opened, will install malware on the victim’s device.
- Microsoft 365 phishing. Attackers send emails that look like they’re from Microsoft, with a login request that provides a seemingly good reason, like a problem with the account or the need to reset the password. Of course, a URL is included that might take the victim to a fake page where their credentials can be harvested, or it might download malware. The malware might steal data from the device or even use the victim’s machine to attack other devices on the network.
- Social media phishing. Attackers create fake social media profiles to friend or follow victims. They might then send a direct message that contains a malicious link.
What’s a common indicator of a phishing attempt?
How can you tell if an email, text message, or phone call is a phishing attempt? There are a few common indicators:
- The sender’s email address doesn’t match the name of the company they’re claiming to be from. For example, an email from “Amazon” might actually be from “aomazon.com” or “amzaon.co.uk.”
- The email contains grammar or spelling errors.
- The email or text message contains a sense of urgency, such as a deadline or a request for immediate action.
- The email or text message contains a generic greeting, such as “Dear valued customer.”
- The email or text message contains a request for personal information, such as login credentials or Social Security numbers.
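As an added example that is not part of the original article, the Python script below scores one message against the indicators just listed: a sender domain that is one edit or one letter swap away from a trusted brand (the “aomazon.com” / “amzaon” pattern), urgency language, a generic greeting, and a request for personal information. The trusted-brand list, the keyword lists and the sample message are constructed for this example, and the distance threshold is a tuning choice, not a standard.

```python
import email
from email.utils import parseaddr

TRUSTED = {"amazon.com", "microsoft.com"}  # brands the org expects mail from (constructed list)
CHECKS = (
    ("urgency language", ("immediately", "within 24 hours", "urgent", "suspended")),
    ("generic greeting", ("dear valued customer", "dear customer", "dear user")),
    ("asks for personal information", ("password", "social security", "verify your account")),
)

def osa_distance(a, b):
    """Edit distance that counts an adjacent swap ("amzaon" -> "amazon") as one edit."""
    d = [[max(i, j) if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def lookalike_of(domain):
    """Return the trusted brand a sender domain imitates, or None if it is exact or unrelated."""
    if domain.lower() in TRUSTED:
        return None
    label = domain.lower().split(".")[0]  # "aomazon.com" -> "aomazon"; short labels need a tighter threshold
    for brand in sorted(TRUSTED):
        if 0 < osa_distance(label, brand.split(".")[0]) <= 2:
            return brand
    return None

def phishing_indicators(raw_message):
    """Return the indicators from the list above that fire on one RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    body = msg.get_payload().lower()
    found = [name for name, words in CHECKS if any(w in body for w in words)]
    brand = lookalike_of(domain)
    if brand:
        found.insert(0, f"sender domain {domain} resembles {brand}")
    return found

# Constructed sample message, not a real email.
SAMPLE = """From: Amazon Support <billing@aomazon.com>
Subject: Action required

Dear valued customer, your account is suspended. Verify your account within 24 hours.
"""
```

Running `phishing_indicators(SAMPLE)` returns all four indicators; a plain note from a colleague at the organisation’s own domain returns an empty list.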
What should your team/organization look out for?
A significant issue for IT staff is that end users might not be aware of the different types of phishing attempts or how to spot them. That’s why your team needs to have a plan in place to educate end users and help them avoid falling for phishing attacks.
Here are a few ideas:
- Send out regular emails or company-wide messages reminding end users of the different types of phishing attempts and how to spot them.
- Include phishing awareness training as part of new employee onboarding.
- Ensure end users know how to report suspicious emails or text messages.
- Use a phishing simulation tool to test end users and see how they respond to different types of phishing attempts.
- Periodically review your organization’s security policies and procedures to ensure they’re up to date.
- Stay on top of the latest phishing trends and share that information with your team.
- Inform all employees of known or suspected phishing attempts.
- Employ network monitoring tools to detect and block phishing attempts and to detect abnormal login locations or devices.
- Consider DNS filtering to block known bad domains and prevent end users from ever reaching them in the first place.
- Institute two-factor authentication for all accounts.
- Block suspicious file types attached to emails from domains that are not on your allow list from being downloaded.
If the worst happens, it’s important to have a plan to deal with the fallout. This might include resetting passwords, changing security questions, or revoking access to specific systems or data. You might also need to contact law enforcement if sensitive information has been compromised.
Preventing phishing attacks starts with awareness, so make sure your team is up to speed on the latest threats. By being proactive, you can help protect your organization from becoming the victim of a phishing attack.
Appendix: Some phishing email employees have fallen for
It’s not always easy to tell a phishing email from a legitimate one. Sometimes they can be pretty convincing. Other times, though, they are relatively obvious, but employees still fall for them. Here are a few examples of phishing emails that employees have actually fallen for.
Payroll falls for employee impersonator
One user on Reddit explains how their company’s payroll department fell for someone who impersonated an employee and convinced them to change their direct deposit information. Despite the email address being external, and the name not matching what was in the address book, the payroll department didn’t realize it was a phishing attempt.
As the user explains, payroll didn’t check whether the desired change was valid through Slack or even with a phone call. Even when the attacker left out some of the required information on the Direct Deposit Change Form, payroll still processed it. Only once the actual employee received a notification that their direct deposit had been changed and contacted payroll did anyone realize something was wrong.
Luckily, the user says that the issue was quickly resolved, and no one lost any money. But it could have been much worse.
Finance department falls for vendor impersonator
Another Reddit user wondered if other companies disciplined employees for falling for phishing emails. It seemed that their finance department was contacted by someone impersonating one of their vendors. The scammers sent a fake invoice in the email and explained they’d changed their payment details. They requested payment via ACH to the new account. And the finance department made the payment.
In the same company, the HR department was also targeted by an employee impersonator. Unfortunately, the scammer got away with it because the payment was made before anyone realized there was a problem.
Even help desk techs aren’t impervious
A Reddit user fell for a phishing attack that was made to look like an internal email. They worked for a very large company at the time, and the email laid out rules about Halloween costumes. Employees could wear them, but the costumes should be appropriate for work. The email included a link with so-called examples of inappropriate costumes from the previous year that should be avoided. It seems a significant number of employees fell for said email.
Phishing attacks are becoming more and more common, and they’re also becoming more sophisticated. Companies need to have systems in place to prevent them and a plan for what to do if an employee falls for one. By being aware of the latest threats and having a plan in place, you can help protect your company from becoming the victim of a phishing attack.