What is Phishing?
A phishing attack is a type of cybersecurity threat that targets users directly through email, text messages, or direct messages. During a phishing attempt, the attacker poses as a trusted contact or organization in order to steal data such as login credentials and credit card numbers, or to get the victim to open a malicious link or attachment.
As an example, a phishing attempt would go as follows:
- An individual receives an email that appears to come from their bank (for example, Chase).
- The email looks like it was sent by Chase, with the Chase logo embedded in the message and a sender name that resembles the bank's.
- The email explains that there is an urgent issue with the individual's account and instructs them to click a link to resolve the matter right now.
- Once the individual clicks the link, they land on a webpage that mimics Chase's login page.
- Unknowingly, the individual enters their username and password to "sign in."
In this scheme, the scammer has collected the individual's banking credentials. Further, by visiting the fraudulent site, the individual may also have had malware installed on their computer (for example, through a drive-by download), which then tracks and collects other data and sends it to the scammer.
The motivations for such malicious behavior are usually financial. According to the 2020 Verizon Data Breach Investigations Report, 86% of the 3,950 breaches were financially motivated.
At the enterprise level, phishing can have greater consequences. A single employee who hands over credentials or opens a malicious attachment can give an attacker a foothold on the corporate network, from which a data breach can follow, exposing the organization to loss and theft.
Email remains the most critical communication tool for business, which unfortunately also makes it the top threat vector, with the volume and sophistication of attacks increasing every year. Phishing continues to be a severe and costly problem, and organizations must understand how it works in order to defend against email security issues.
For more information, download our Phishing Education Guide.
Types of Phishing Attacks
Phishing attempts can be diverse, as attackers have become more sophisticated and creative with their techniques. What unites phishing attacks is their common purpose: stealing information or delivering malware. Below is a review of the different types of phishing attacks.
1. Spear Phishing
Where general phishing attacks use spam-like tactics to blast thousands of recipients at a time, spear-phishing emails target specific individuals within an organization. In this type of scam, attackers customize their emails with the target's name, title, work phone number, and other details gathered from public sources in order to convince the recipient that the sender knows them personally or professionally. Spear phishing requires research on each target, so it is typically carried out by criminal groups with the resources to invest in this more sophisticated form of attack.
2. Whaling
Whaling is a variant of spear phishing that targets CEOs and other executives ("whales"). Because such individuals typically have broad access to sensitive corporate data and the authority to approve payments, the payoff for a successful attack is dramatically higher. As with spear phishing, whaling is typically the work of advanced criminal organizations with the resources to execute this form of attack.
3. BEC (Business Email Compromise)
BEC attacks impersonate senior executives, or a compromised mailbox belonging to one, to trick employees, customers, or vendors into wiring payments for goods or services to bank accounts the attacker controls. According to the FBI's 2019 Internet Crime Report, BEC scams accounted for the largest reported losses of any cybercrime category in 2019.
4. Clone Phishing
In this type of attack, the scammer creates an almost-identical replica of an authentic email, such as an alert one might receive from one's bank, in order to trick a victim into sharing valuable information. The attacker swaps out what appears to be an authentic link or attachment in the original email with a malicious one. The email is often sent from an address that resembles that of the original sender, making it harder to spot.
5. Vishing
Also known as voice phishing, vishing is phishing over the telephone. The scammer spoofs caller ID so that the real telephone number of a well-known, trusted organization, such as a bank or the IRS, is displayed on the victim's phone, enticing the recipient to answer the call. The scammer then impersonates an executive or official and uses social engineering or intimidation tactics to demand payment of money purportedly owed to that organization. Vishing can also take the form of voicemail messages that ask the victim to call back a number; when the victim does so, they are tricked into entering personal information or account details.
6. Snowshoeing
Snowshoeing is an evasion technique rather than a lure: attackers spread a single campaign across many domains and IP addresses, each sending so few messages that reputation- or volume-based spam filters never accumulate enough signal on any one source to block it right away. Some of the messages reach inboxes before the filters catch up.
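The following is an added example, not code from the original page, showing in Python why a per-source volume rule misses a snowshoe campaign while fingerprinting the message template across sources catches it. The message log is constructed for the example; the IP addresses come from the RFC 5737 documentation ranges and the domains are placeholders.

```python
"""Per-source volume filtering vs. template fingerprinting across sources.
Added example with a constructed message log; not code from the page."""
import hashlib
import re
from collections import defaultdict

# Constructed log entries: (sender_ip, sender_domain, subject, body).
# One lure template spread over six IP/domain pairs, two messages each ...
CAMPAIGN_SOURCES = [
    ("192.0.2.11", "acct-alert1.example"),
    ("192.0.2.54", "secure-mail2.example"),
    ("198.51.100.7", "verify-now3.example"),
    ("198.51.100.90", "bank-notice4.example"),
    ("203.0.113.33", "alerts-center5.example"),
    ("203.0.113.77", "account-check6.example"),
]
MESSAGES = []
for i, (ip, domain) in enumerate(CAMPAIGN_SOURCES):
    for j in range(2):
        n = 1000 + 10 * i + j
        MESSAGES.append((ip, domain, f"Action required: account {n}",
                         f"Your account {n} has been locked. Verify at "
                         f"http://{domain}/verify/{n} within 24 hours."))
# ... plus a legitimate newsletter: eight messages from a single IP.
for k in range(8):
    MESSAGES.append(("203.0.113.10", "news.example.org", f"Weekly digest #{k}",
                     f"Here is issue {k} of the weekly digest. Read more at "
                     f"https://news.example.org/issue/{k}"))


def fingerprint(subject: str, body: str) -> str:
    """Hash of the message template: URLs, numbers and whitespace are
    normalized away so the per-message variations the attacker adds
    do not change the fingerprint."""
    text = f"{subject}\n{body}".lower()
    text = re.sub(r"https?://\S+", "<url>", text)
    text = re.sub(r"\d+", "#", text)
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def volume_flags(messages, threshold: int = 5) -> set:
    """Classic volume rule: flag any IP sending at least `threshold`
    messages. Every snowshoe source stays under it."""
    per_ip = defaultdict(int)
    for ip, _, _, _ in messages:
        per_ip[ip] += 1
    return {ip for ip, count in per_ip.items() if count >= threshold}


def campaign_clusters(messages, min_sources: int = 3) -> dict:
    """Group messages by template fingerprint and keep templates seen from
    at least `min_sources` distinct IPs: the same lure from many low-volume
    sources is the snowshoe signature."""
    by_fp = defaultdict(lambda: {"count": 0, "ips": set(), "domains": set()})
    for ip, domain, subject, body in messages:
        entry = by_fp[fingerprint(subject, body)]
        entry["count"] += 1
        entry["ips"].add(ip)
        entry["domains"].add(domain)
    return {fp: e for fp, e in by_fp.items() if len(e["ips"]) >= min_sources}


if __name__ == "__main__":
    print("volume rule flags:", volume_flags(MESSAGES))  # only the newsletter IP
    for fp, entry in campaign_clusters(MESSAGES).items():
        print(f"campaign {fp}: {entry['count']} messages from "
              f"{len(entry['ips'])} IPs / {len(entry['domains'])} domains")
```

The volume rule flags only the newsletter sender, which is exactly the kind of source it was designed for, and says nothing about the twelve lure messages. Clustering on the normalized template finds one fingerprint arriving from six IPs and six domains. Production filters do the same thing with fuzzy hashes and URL-pattern features so that small wording changes do not break the cluster.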
7 Tips to Spot a Phishing Attempt
Below are 7 helpful tips to spot a phishing attempt so it can be stopped before damage can occur.
1. Assume Every Email Is a Potential Phishing Attempt
While this might sound extreme, users should carefully examine each email to determine its authenticity. Users should not rely solely on their organization's spam filters, since these traditional email security tools are weak against targeted phishing types such as spear phishing and BEC. Some organizations have also adopted zero-trust network access (ZTNA) so that private applications are not exposed directly on the internet, which limits what a stolen credential alone can reach.
2. Check and Verify the Address
One of the best ways to spot phishing is to check and verify the "From" address of the email. This should be done every time an email from a bank, payment service, retailer, or even the government arrives unexpectedly, especially at a work address that has not received such mail in the past. Keep in mind that the display name and the actual address are separate fields: a message can show "Chase Online" as the name while the address is on an unrelated or lookalike domain. Even the address can be forged when the sending domain does not publish SPF, DKIM, and DMARC records, so the authentication results recorded by your own mail server are the more reliable signal.
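As an added example (not code from the page), the Python below performs the sender checks described above on a raw message: it separates the display name from the address, looks for an address smuggled into the display name, flags a brand name appearing in a domain that is not the brand's own, compares the envelope sender (Return-Path) with the header From, and reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header. Both messages are constructed for the example, and BRAND_DOMAINS is an assumed list of domains the recipient actually deals with.

```python
"""Sender checks on a raw RFC 5322 message. Added example, not from the page;
the two messages below are constructed and BRAND_DOMAINS is an assumption."""
import email
import re

BRAND_DOMAINS = {"chase.com"}  # assumption: brands this recipient has accounts with

# Constructed phish: display name smuggles in a chase.com address, the real
# address is a lookalike domain, the bounce address is elsewhere, and all
# three authentication checks failed or were absent.
PHISH = b"""Return-Path: <bounce@mail-relay-77.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay-77.example.net; dkim=none; dmarc=fail header.from=chase-secure-alerts.com
From: "Chase Online <alerts@chase.com>" <notice@chase-secure-alerts.com>
To: victim@example.com
Subject: Urgent: verify your account

Your account is locked. Click the link to restore access.
"""

# Constructed legitimate message for contrast.
LEGIT = b"""Return-Path: <bounces@chase.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=chase.com; dkim=pass header.d=chase.com; dmarc=pass header.from=chase.com
From: "Chase Online" <alerts@chase.com>
To: customer@example.com
Subject: Your monthly statement is ready

Your statement is available in the app.
"""


def split_address(header: str):
    """Return (display_name, addr_spec). The address is the last <...> group;
    whatever precedes it is the display name, with surrounding quotes removed."""
    m = re.search(r"<([^<>]+)>\s*$", header)
    if not m:
        return "", header.strip()
    return header[: m.start()].strip().strip('"'), m.group(1).strip()


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def same_org(domain: str, brand: str) -> bool:
    """True if domain is the brand domain itself or one of its subdomains."""
    return domain == brand or domain.endswith("." + brand)


def auth_verdicts(values) -> dict:
    """Collect spf/dkim/dmarc results from Authentication-Results headers."""
    verdicts = {}
    for value in values:
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def sender_findings(raw: bytes) -> list:
    """Return a list of human-readable red flags about who sent the message."""
    msg = email.message_from_bytes(raw)
    display_name, from_addr = split_address(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. An address written into the display name that is not the real sender
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if embedded and embedded.group(1).lower() != from_domain:
        findings.append(f"display name shows {embedded.group(0)} but the sender is {from_addr}")

    # 2. Brand name inside a domain that is not the brand's own domain
    for brand in BRAND_DOMAINS:
        if brand.split(".")[0] in from_domain and not same_org(from_domain, brand):
            findings.append(f"sender domain {from_domain} imitates {brand}")

    # 3. Bounce address (envelope sender) on a different domain than From
    _, return_path = split_address(msg.get("Return-Path", ""))
    if return_path and domain_of(return_path) != from_domain:
        findings.append(f"envelope sender {domain_of(return_path)} differs from From domain {from_domain}")

    # 4. Verdicts recorded by the receiving mail server
    verdicts = auth_verdicts(msg.get_all("Authentication-Results", []))
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) != "pass":
            findings.append(f"{method} = {verdicts.get(method, 'missing')}")
    return findings


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, sender_findings(raw) or ["no findings"])
```

One caveat on check 4: an attacker can insert their own Authentication-Results header before sending, so only trust the one whose authserv-id (here mx.example.com) is your own mail server, and configure that server to strip any pre-existing copies on receipt.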
3. Read the Email
Open the email and read it. Users should be able to determine if certain factors seem off. Ask questions such as:
- Does this email seem urgent?
- Is the email offering you something that is simply "too good to be true"?
- Do you have an account with the company that is contacting you?
If anything seems odd, do not click, reply, or open attachments. Instead, verify through a channel you already trust, such as the phone number on your card or the company's website typed directly into the browser.
4. Check Grammar and Spelling
Grammar, spelling, and even formatting can be red flags. Formal communications from a bank, credit card company, payment service, or the IRS rarely contain spelling errors and use standard business English. If you are used to the word choice and tone of such emails and this one reads differently, treat it as a likely phishing attempt. The reverse does not hold: well-written messages can still be phishing, so clean grammar is not evidence of legitimacy.
5. Look for Your Name
Further to grammar and spelling, look for other elements related to your name and how you are addressed. Legitimate companies, especially the ones with which you have accounts or have done business, will not address you generically. A generic greeting (e.g., "Dear Madam") may be an indicator of phishing.
6. Check for Requests
When reviewing the email, check for any particular, odd request. Most phishing emails ask the recipient to reply, click a link, open an attachment, or take an action outside the normal process, such as changing a vendor's bank details or buying gift cards. Anything peculiar or unnecessarily urgent should be treated as a likely phishing scheme and verified out of band before acting.
7. Look for Links and Attachments
A scammer's goal is to get victims to click on links or open attachments. Doing so can deliver malware that infects the victim's PC or lead to a credential-harvesting page. To judge a link, users should mouse over it: the real destination is shown in the status bar, usually at the bottom of the window, and if it reveals a long URL with an unfamiliar domain, the link should not be clicked. Look at the domain just before the first single slash, since "chase.com.example-verify.net" belongs to example-verify.net, not to Chase. On mobile devices there is no hover, so a long press to preview the link is the equivalent check. Similarly, an attachment, even one with a harmless-looking name like "Monthly Report" and a familiar extension such as PDF, could be malware and should not be opened or downloaded.
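As an added example (not code from the page), the Python below applies the link and attachment checks above to an HTML email body: it extracts each link's visible text and real destination, then flags a mismatch between the domain the text shows and the domain the link goes to, credentials placed before an @ to disguise the host, bare IP addresses, and punycode hosts, and it flags attachment names that end in an executable type or hide one behind a double extension. The HTML body is constructed for the example, and the "registrable domain" helper is a deliberate simplification (a real implementation would consult the Public Suffix List).

```python
"""Link and attachment-name inspection for an HTML email body.
Added example with a constructed body; not code from the page."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body with three deceptive links and one honest one.
SAMPLE_HTML = """
<p>Dear customer, please sign in at
   <a href="http://chase.com.account-verify.example/login">https://www.chase.com/login</a></p>
<p><a href="https://chase.com@198.51.100.23/update">Update your details</a></p>
<p><a href="https://xn--80ak6aa92e.com/">apple.com</a></p>
<p>Questions? Visit the <a href="https://www.chase.com/help">Help center</a>.</p>
"""

RISKY_EXTENSIONS = {"exe", "scr", "js", "jse", "vbs", "wsf", "hta", "lnk",
                    "iso", "img", "docm", "xlsm", "pptm", "htm", "html"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Simplification: last two labels. chase.com.evil.example -> evil.example"""
    return ".".join(host.split(".")[-2:])


def looks_like_url(text: str) -> bool:
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text.strip(), re.I) is not None


def link_findings(href: str, text: str) -> list:
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # https://chase.com@evil.example: the browser goes to evil.example
        findings.append(f"'{parts.username}' before @ is not the host; the link goes to {host}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append(f"link goes to a bare IP address {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"punycode (internationalized) host {host}, a possible homograph")
    if looks_like_url(text):
        shown = (urlsplit(text if "://" in text else "//" + text.strip()).hostname or "").lower()
        if registrable(shown) != registrable(host):
            findings.append(f"visible text shows {shown} but the link goes to {host}")
    return findings


def scan_html(body: str) -> list:
    """Return [(href, [findings...]), ...] for every link in the body."""
    collector = LinkCollector()
    collector.feed(body)
    return [(href, link_findings(href, text)) for href, text in collector.links]


def attachment_findings(filename: str) -> list:
    """Flag executable/script types and double extensions like report.pdf.exe.
    A plain .pdf or .docx passes here but can still carry an exploit or macro."""
    parts = filename.lower().split(".")
    findings = []
    if parts[-1] in RISKY_EXTENSIONS:
        findings.append(f"executable or script type .{parts[-1]}")
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
        findings.append(f"double extension .{parts[-2]}.{parts[-1]} disguises the real type")
    return findings


if __name__ == "__main__":
    for href, found in scan_html(SAMPLE_HTML):
        print(href, "->", found or ["no findings"])
    for name in ("Monthly Report.pdf", "Monthly Report.pdf.exe"):
        print(name, "->", attachment_findings(name) or ["no findings"])
```

The honest help-center link produces no findings; each of the other three trips at least one check. A mail gateway does the same inspection at scale and typically also follows redirects and shortened links, which this example does not attempt.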
How to Protect Yourself from Phishing
Below are some ways for your organization to protect its employees and its network from phishing attacks. While well-trained employees are an organization's best defense against phishing, there are still some preventative actions an organization can take.
1. Use a Spam Filter
This is perhaps the most basic defense an organization can take. Most email platforms (e.g., Outlook, G Suite, now Google Workspace) include spam filters that automatically quarantine mail from known spam sources and many common phishing lures. They are a baseline, not a complete defense, because targeted campaigns are crafted to slip past them.
2. Update Security Software Regularly
Organizations should keep operating systems, browsers, and email clients fully patched so that a malicious attachment or web page cannot exploit a known vulnerability, and keep endpoint security software updated so it can detect and remove malware that does arrive via a phishing scheme. Security policies should also cover password strength and, where required, expiration.
3. Use MFA
Multi-factor authentication requires more than one proof of identity for someone to log in and gain access. This is important in the event a scammer has already stolen the credentials of some employees: with MFA in place, a stolen password alone is not enough. Note that one-time codes and push approvals can themselves be phished or relayed in real time by a proxy site, so phishing-resistant methods such as FIDO2/WebAuthn security keys, which bind the login to the genuine site's origin, offer the strongest protection.
4. Back Up Your Data
All data should be encrypted and backed up, with at least one copy kept offline or otherwise immutable. This is critical in the event of a breach or compromise, especially when phishing delivers ransomware that encrypts the primary systems.
5. Don't Click on Links or Attachments
As described in the previous section, educate employees about how to spot questionable links and attachments, and instruct them to avoid clicking on or downloading something from a source they do not trust.
6. Block Unreliable Websites
A web filter can be used to block access to known malicious websites in the event an employee inadvertently clicks a malicious link.
Phishing Protection for Organizations
Phishing attempts targeting enterprise and business networks can be particularly damaging. It takes only a handful of unsuspecting employees to give scammers access to a significant amount of corporate data, including customer banking and credit card information. The threat potential is very high, and organizations must protect themselves using a range of security tactics.
Sandboxing
A sandbox is an isolated environment for running programs or opening files without affecting the system on which they run. A sandbox can be used to detonate suspicious attachments and URLs and observe their behavior before they reach users, offering an additional layer of protection against phishing and other threats.
Web Traffic Inspection
A secure web gateway logs and inspects web traffic for full visibility, URL and application controls, and protection against malware.
Employee Education
Ongoing employee education is one of the most important defenses against phishing. Training in not only the tools (filters, authentication) but also awareness (recognizing malicious links and reporting suspicious messages) is imperative for the protection of the organization against phishing.
For advanced security, enterprises should consider a secure email gateway solution. FortiMail provides a comprehensive, multilayered approach to address all inbound and outbound email traffic.
Prevent phishing with FortiMail Secure Email Gateway Solutions.