What is Phishing?
Phishing is a type of cybersecurity threat that targets users directly through email, text, or direct messages. During one of these scams, the attacker will pose as a trusted contact to steal data like logins, account numbers, and credit card information. Phishing is a type of social engineering attack where a cybercriminal uses email or other text-based messaging to steal sensitive information. By using a believable email address, an attacker aims to trick the target into trusting them enough to divulge personal data, such as login credentials, credit card numbers, or financial account info.
As an example, the scenario usually plays out as follows:
- An individual receives an email from his or her bank (for example, Chase).
- The email appears to be sent from Chase, with the Chase logo embedded in the email.
- The email explains how there is an urgent issue with the individual's account, instructing her to click on a link to address the matter right now.
- Once the individual clicks on the link, she is brought to a webpage which mimics that of Chase.
- Unknowingly, the individual enters her username and password to enter the website.
In this scheme, the scammer has collected the individual's banking credentials. Further, by visiting the fraudulent banking site, the individual may have unknowingly downloaded malware to her computer, which will be tracking and collecting other data and sending it to the scammer.
The motivations for such malicious behavior are usually financial. According to the 2020 Verizon Data Breach Investigations Report, 86% of the 3,950 breaches were financially motivated.
At the enterprise level, phishing can have greater consequences. By allowing just one scammer to gain entry to a corporate network, a data breach can occur, leaving the organization vulnerable to loss and theft.
While email remains the most critical communications tool for business, it also, unfortunately, makes it the top threat vector, with the volume and sophistication of attacks ever increasing. There is a continuing severity and cost of phishing campaigns as a problem, and it is imperative for organizations to understand this phishing in order to combat email security issues.
For more information, download our Phishing Education Guide.
How Does Phishing Work?
In a typical attack, the criminal gets the contact information of one or many targets and then starts sending phishing messages via email or text message. In most phishing campaigns, the attacker infuses their messaging with a sense of urgency, which motivates the victim to either reply with sensitive data or click on a link. If the victim clicks the link, they’re brought to a fake website specifically designed for identity theft or to enable the attacker to gain access to restricted data. The cybercriminal may use a combination of several factors to trick their targets:
- A realistic email address used by the attacker, such as one that appears to have the same or similar domain as a trusted company
- A website that looks like one belonging to a legitimate business
- A well-worded, grammatically clean email complete with realistic logos or other branding collateral
For example, one of the most common phishing campaigns involves an attacker creating a website that looks almost exactly like that of a financial institution. After the victim clicks on a link, they have no idea they’re falling for a phishing scam, especially because the site looks so authentic.
With these kinds of phishing techniques, the victim enters their login credentials, which the attacker collects. The hacker then either uses the login credentials themselves or sells them to someone else. That’s why it’s crucial to keep an eye out for suspicious emails and to report anything that raises a flag to IT.
Types of Phishing Attacks
Phishing attempts can be diverse, as cyberattackers have become more sophisticated and creative with their techniques. What unites these attacks is their common purpose: identity theft or transferring malware. Below is a review of the different types of information attacks.
1. Spear Phishing
Where general email attacks use spam-like tactics to blast thousands at a time, spear phishing attacks target specific individuals within an organization. In this type of scam, hackers customize their emails with the target’s name, title, work phone number, and other information in order to trick the recipient into believing that the sender somehow knows them personally or professionally. Spear phishing is for organizations with the resources to research and implement this more sophisticated form of attack.
Whaling is a variant of spear phishing that targets CEOs and other executives ("whales"). As such individuals typically have unfettered access to sensitive corporate data, the risk-reward is dramatically higher. Whaling is for advanced criminal organizations that have the resources to execute this form of attack.
3. BEC (Business Email Compromise)
Business Email Compromise (BEC) attacks are designed to impersonate senior executives and trick employees, customers, or vendors into wiring payments for goods or services to alternate bank accounts. According to the FBI's 2019 Internet Crime Report, BEC scams were the most damaging and effective type of cyber crime in 2019.
4. Clone Phishing
In this type of attack, the scammer creates an almost-identical replica of an authentic email, such as an alert one might receive from one's bank, in order to trick a victim into sharing valuable information. The attacker swaps out what appears to be an authentic link or attachment in the original email with a malicious one. The email is often sent from an address that resembles that of the original sender, making it harder to spot.
Also known as voice phishing, in vishing, the scammer fraudulently displays the real telephone number of a well-known, trusted organization, such as a bank or the IRS, on the victim’s caller ID in order to entice the recipient to answer the call. The scammer then impersonates an executive or official and uses social engineering or intimidation tactics to demand payment of money purportedly owed to that organization. Vishing can also include sending out voicemail messages that ask the victim to call back a number; when the victim does so, the victim is tricked into entering his or her personal information or account details.
In a snowshoeing scheme, attackers attempt to circumvent traditional email spam filters. They do this by pushing out messages via multiple domains and IP addresses, sending out such a low volume of messages that reputation- or volume-based spam filtering technologies can’t recognize and block malicious messages right away. Some of the messages make it to the email inboxes before the filters learn to block them.
Statistical Insights on Phishing Attacks
Even though it may seem fairly simple to avoid an attack, the following stats reveal how prominent phishing is:
- 23.6% of phishing attacks impact the financial sector
- 14.6% of attacks take aim at the e-commerce industry
- There are currently 611,877 known phishing sites on the Internet built to trick users into divulging sensitive information.
- Brazil is the most-targeted country when it comes to phishing assaults.
- Of all the attack methods used to infiltrate healthcare organizations, phishing is the number one technique used by hackers.
- Phishing is one of the five cyber crimes highlighted on the United States government's Online Safety page. Other cyber crimes include data breaches, malware, internet auctions, and credit card fraud.
7 Tips to Spot a Phishing Attempt
Below are 7 helpful tips to spot suspicious emails so attacks can be stopped before damage can occur.
1. Assume Every Email Is a Potential Phishing Attempt
While this might sound extreme, it's important for users to carefully examine an email to determine its authenticity. Users should not solely trust their organization's spam filters, as these traditional email security tools do not provide the strongest defense against some types of attack. Some organizations have begun to implement zero-trust network access (ZTNA) in order to secure connectivity to private applications to reduce exposure to applications on the internet.
2. Check and Verify the Address
One of the best ways to prevent phishing is to simply check and verify the "From" address of the email. This should be done every time an email from a bank, payment service, retailer, or even the government unexpectedly arrives, especially to a work email when it normally has not in the past.
3. Read the Email
Open the email and read it. Users should be able to determine if certain factors seem off. Ask questions such as:
- Does this email seem urgent?
- Is the email offering you something that is simply "too good to be true"?
- Do you have an account with the company that is contacting you?
If anything seems odd, do not do anything further.
4. Check Grammar and Spelling
Often grammar, spelling, and even formatting can be red flags. Formal email communications from a bank, credit card company, payment service, or the IRS do not contain spelling errors and always use proper, business English. If you are used to the word choice and tone of voice of such emails and this one seems different, it's most likely a phishing attempt.
5. Look for Your Name
Further to grammar and spelling, look for other elements related to your name and how you are addressed. Legitimate companies, especially the ones with which you have accounts or have done business, will not address you generically. A generic greeting (e.g., "Dear Madam") may be an indicator of a scam.
6. Check for Requests
When reviewing the email, check for any particular, odd request. Most fraudulent emails ask the recipient to respond to the email or click a link in the email. Anything peculiar or unnecessarily urgent is most likely a phishing scheme.
7. Look for Links and Attachments
A scammer's goal is to get victims to click on links or download attachments. Doing so results in the automatic download of malware that infects the victim's PC. To determine the validity of a link, users should mouse over it. If the link, usually appearing in the lower left-hand corner of the screen, reveals a long URL with an unfamiliar domain, the link should not be clicked. Similarly, an attachment, even one with a seemingly harmless name like "Monthly Report" with a familiar file extension such as PDF, could be malware and should not be double-clicked or downloaded.
How to Protect Yourself from Phishing
Below are some ways for your organization to protect its employees and its network from phishing attacks. While well-trained employees are an organization's best defense, there are still some preventative actions an organization can take.
1. Use a Spam Filter
This is perhaps the most basic defense an organization can take. Most email programs (e.g., Outlook, G Suite) include spam filters that can automatically detect known spammers.
2. Update Security Software Regularly
Organizations should make sure that all of their security patches have been updated. This can detect and remove malware or viruses that may have accidentally entered an employee's PC via a phishing scheme. Further, security policies should be updated to include password expiration and complexity.
3. Use MFA
Multi-factor authentication requires multiple pieces of information for someone to be able to log in and gain access. This is important in the event a scammer already has stolen the credentials of some employees. With MFA in place, especially if it includes biometric authentication, scammers are blocked.
4. Back Up Your Data
All data should be encrypted and backed up, which is critical in the event of a breach or compromise.
5. Don't Click on Links or Attachments
As described in the previous section, educate employees about how to spot questionable links and attachments, and instruct them to avoid clicking on or downloading something from a source they do not trust.
6. Block Unreliable Websites
A web filter can be used to block access to malicious websites in the event an employee inadvertently clicks on a malicious link
How Fortinet Can Help
Phishing attempts targeting enterprise and business networks can be particularly damaging. It takes only a handful of unsuspecting employees to give scammers access to a significant amount of corporate data, including customer banking and credit card information. The threat potential is very high, and organizations must protect themselves using a range of security tactics.
The Fortinet Sandbox security solution provides users with a malware sandbox. This is a system designed to confine the actions of a specific application to an isolated environment. For example, a Word document infected with malware, once opened, can infect your computer—and even spread to the rest of the network. However, with a malware sandbox, the malware is kept inside the environment, quarantined away from the rest of the computer.
Web Traffic Inspection
Fortinet's secure web gateway provides flexible deployment options to protect against internet-based threats without compromising on end-user experience.
Ongoing employee education is one of the most important defenses against these attacks. This includes training in not only the tools (filters, authentication) but also awareness (recognizing malicious links and knowing how to report phishing). Review the training offerings from Fortinet.
For advanced security, enterprises should consider a secure email gateway solution. FortiMail provides a comprehensive, multilayered approach to address all inbound and outbound email traffic.
With FortiPhish, you get a comprehensive analysis of how prepared your employees are to deal with phishing attacks. As a result, you not only get to expose your employees to phishing attack methodologies in a safe environment, but you also get a full report of how well your staff performed.
First, you select the kind of phishing attack you want to use to test your employees’ vigilance. For example, you can choose a standard phishing attack designed to steal login credentials.
You can also choose specific users you want the simulated attack to target. For example, some companies may choose newer employees they know need training. Once you’ve decided on the kind of attack and who you want to target, you schedule it without letting the “victims” know.
After the attack has finished, you receive a report that indicates how your employees performed in response to the attack. Using this data, you can set up training programs to address knowledge gaps, practices, and mindsets that could compromise your cybersecurity.
What is phishing?
A phishing attack is a type of cybersecurity threat that targets users directly through email, text, or direct messages. During one of these scams, the attacker will pose as a trusted contact to steal data like logins, account numbers, and credit card information.
What are the types of phishing attacks?
Phishing attempts can be diverse, as cyberattackers have become more sophisticated and creative with their techniques. What unites these attacks is their common purpose: identity theft or transferring malware. There are six types of phishing attacks; spear phishing, whaling, BEC, clone phishing, vishing, and snowshoeing.