A Field Guide to Phishing Attacks
The name may be mildly amusing, but phishing attacks are no laughing matter. These scams, in all their forms, wreak havoc on businesses: phishing ranked as the top breach threat in the 2020 edition of Verizon's annual Data Breach Investigations Report, and Proofpoint's 2020 State of the Phish Report found that 65 percent of United States organizations experienced a successful phishing attack in 2019. Avoiding them requires being able to spot them, so let's go over the different varieties of phishing your team may encounter.
Before we begin, it is worth establishing what a phishing attack looks like at its essence, since all forms of phishing share a few of the same traits.
In a phishing attack, a target is sent a message that appears to come from a trustworthy contact in order to manipulate how the target responds. For example, one of your employees may receive an email that looks like it came from a prospect, a client, or a vendor, which they would naturally open. Rather than a legitimate communication, though, the message either delivers malware through an attachment or download, or sends the recipient to a malicious website, typically one built to harvest their credentials.
Because the basic recipe is so simple, phishing serves as the foundation for many scams, delivered over different channels and relying on different tactics to take advantage of different targets.
Business Email Compromise
In a business email compromise (BEC) attack, the attacker poses as an authority figure or a trusted resource to coax a user into transferring money into an account the attacker controls. By writing the email to suggest urgency, the attacker scares the target into acting before thinking, and before confirming the request through a second channel such as a phone call to a known number.
These attacks have the potential to be quite lucrative: the average amount requested in a BEC wire transfer attempt in Q2 2020 was $80,183.
Clone Phishing
Some attackers play copycat, duplicating a legitimate email that their target has likely encountered before. The copy looks convincing precisely because the target has seen the original, which makes it more likely to fool its intended victim. The lone difference is that the included link is switched for one that directs the target to a spoofed website, often accompanied by a note explaining why the email had to be resent.
Smishing
Not all phishing is distributed through email. Smishing attacks, those sent via SMS, are now a common tactic in their own right. One of the main reasons smishing succeeds is that people aren't expecting to be phished through a text message. Text messages are also far more likely to be read and answered than email: 98 percent of texts are read and 45 percent get a response, compared with 20 percent read and 6 percent answered for email.
On top of that, mobile devices often don't uphold the same security standards as a workstation, and a phone's small screen makes it harder to inspect where a link actually leads before tapping it, leaving the user more vulnerable by default.
Spear Phishing
Spear phishing is a phishing attack that goes the extra distance. Rather than targeting a user with a generic message, the cybercriminal does their due diligence and researches the intended victim first. Because these attacks take more time and effort to execute, spear phishing is typically reserved for higher-value targets. Because they are tailored to the recipient, spear phishing messages also succeed at a higher rate, which makes them even more dangerous for your users.
Vishing
Vishing, or voice phishing, is a phishing attack conducted over the telephone. By calling the target under the guise of a business or a financial institution, often with the caller ID spoofed to match, a scammer can extract credentials and other personally identifiable and sensitive data from the target.
Whaling
As the name suggests, whaling is a phishing attack that targets the biggest fish in an organization: the boss. As head of the company, the business owner typically has the broadest access to the business's resources and data, so a successful attack lets the cybercriminal steal the greatest possible amount.
The CEO isn't always the recipient of these attacks, either. Instead, other personnel receive an email that looks like it came from the CEO or another high-ranking manager. The message reads casual and rushed, usually asking the employee to send money, log in somewhere, or send credentials back. We've seen a lot of these going around the last few months, and it is very important that your staff is looking out for them.
Given the amount of background information these attacks require, it isn't uncommon for an attacker to research the target through social engineering and publicly accessible information, such as social media profiles, company websites, and press releases, to make their story more believable.
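As an added example (not code from this page or from ISC), the following Python script checks a raw email for the indicators described above: a known executive's display name on an outside address (the boss-impersonation email discussed under whaling), a Reply-To that steers replies to a different domain, a sender or link host that imitates the company's own domain, anchor text that names one site while the href points to another (the link switch in clone phishing), and the urgency language that BEC relies on. The company domain, the executive roster and the three sample messages are constructed for the illustration.

```python
"""Heuristic phishing-indicator checks over raw email; added example, not ISC tooling."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for the example: our domain and the executives an attacker would impersonate.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"pat jones": "pat.jones@example.com"}
URGENCY = re.compile(r"\b(urgent|immediately|right away|asap|wire|gift card)\b", re.I)

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def host_of(url_or_text):
    """Hostname of a URL, or of URL-like anchor text such as 'portal.example.com'; '' if neither."""
    s = url_or_text.strip()
    if " " in s or "." not in s:
        return ""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def is_lookalike(host):
    """Host borrows our brand label but is neither OUR_DOMAIN nor a subdomain of it."""
    label = OUR_DOMAIN.split(".")[0]
    return label in host and host != OUR_DOMAIN and not host.endswith("." + OUR_DOMAIN)

class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text), self._href))
            self._href = None

def phishing_indicators(raw):
    """Return the names of the indicators one raw RFC 5322 message triggers."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    text, html = "", ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text += part.get_content()
        elif part.get_content_type() == "text/html":
            html += part.get_content()
    links = LinkCollector()
    links.feed(html)
    found = []
    # Executive impersonation: a known boss's display name on an address that is not theirs.
    if name.lower() in EXECUTIVES and addr.lower() != EXECUTIVES[name.lower()]:
        found.append("exec-name-external-address")
    # Replies steered to a domain other than the one the message claims to come from.
    if reply and domain_of(reply) != domain_of(addr):
        found.append("reply-to-mismatch")
    # Sender or link hosts that imitate our domain (example-com.net, example.com.evil.net).
    hosts = [domain_of(addr)] + [host_of(href) for _, href in links.links]
    if any(is_lookalike(h) for h in hosts if h):
        found.append("lookalike-domain")
    # The clone-phishing switch: anchor text names one site, the href goes to another.
    if any(host_of(t) and host_of(t) != host_of(h) for t, h in links.links):
        found.append("link-text-href-mismatch")
    # Pressure to act before thinking, the BEC staple.
    if URGENCY.search(str(msg.get("Subject", "")) + " " + text):
        found.append("urgency-language")
    return found

# Constructed sample messages, not real mail.
CEO_FRAUD = """From: Pat Jones <pat.jones@gmail-mail.net>
Subject: Quick favour
Reply-To: pj.office@mail-relay.net

Are you at your desk? I need you to wire $9,400 to a vendor right away, I'm in a meeting."""
CLONE = """From: Payroll <payroll@example.com>
Subject: Resending: updated payslip portal
Content-Type: text/html; charset=utf-8

<p>We had to resend this notice. Review your payslip at
<a href="http://portal.example-com.net/login">https://portal.example.com</a></p>"""
LEGIT = """From: Pat Jones <pat.jones@example.com>
Subject: Team lunch Friday

Lunch is on me Friday at noon. Reply if you have dietary needs."""

if __name__ == "__main__":
    for label, raw in [("CEO fraud", CEO_FRAUD), ("clone", CLONE), ("legitimate", LEGIT)]:
        print(f"{label:>10}: {phishing_indicators(raw) or 'no indicators'}")
```

Running the script flags the constructed executive-impersonation mail on three counts (display name, Reply-To, urgency), the clone on two (lookalike host and the text/href switch), and the legitimate lunch invitation on none. These are triage heuristics, not a verdict: a From address can be forged outright, so the stronger control against sender spoofing is authenticating mail with SPF, DKIM and DMARC at the mail gateway, with checks like these layered on top for the lookalike and social-engineering cases that authentication cannot catch.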
Phishing is a Serious Threat
While phishing can largely be avoided with proper diligence, your team needs to know what to look for in order to stop it effectively. ISC can help. Find out what we can do to keep your business secure by calling 502.292.5097.