Phishing attacks are the practice of sending fraudulent communications that appear to come from a reputable source. It is usually performed through email. The goal is to steal sensitive data like credit card and login information or to install malware on the victim's machine. Phishing is a common type of cyber attack that everyone should learn about in order to protect against email threats.
Phishing attacks are counterfeit communications that appear to come from a trustworthy source but which can compromise all types of data sources. Attacks can facilitate access to your online accounts and personal data, obtain permissions to modify and compromise connected systems--such as point of sale terminals and order processing systems--and in some cases hijack entire computer networks until a ransom fee is delivered.
Sometimes hackers are satisfied with getting your personal data and credit card information for financial gain. In other cases, phishing emails are sent to gather employee login information or other details for use in more malicious attacks against a few individuals or a specific company. Phishing is a type of cyber attack that everyone should learn about in order to protect themselves and ensure email security throughout an organization.
It has been a few decades since this type of scam was first referenced and the first primitive forms of phishing attacks started in chatrooms. Phishing has evolved to become one of the largest cybercrimes on the internet that leads to BEC and ransomware. Read about the phishing history, evolution, and predictions for the future in The Evolution of Phishing.
Phishing starts with a fraudulent email or other communication designed to lure a victim. The message is made to look as though it comes from a trusted sender. If it fools the victim, he or she is coaxed into providing confidential information--often on a scam website. Sometimes malware is also downloaded onto the target's computer.
Cybercriminals start by identifying a group of individuals they want to target. Then they create email and text messages that appear to be legitimate but actually contain dangerous links, attachments, or lures that trick their targets into taking an unknown, risky action. In brief:
No single cybersecurity solution can avert all phishing attacks. Your company should consider a tiered security approach to lessen the number of phishing attacks and reduce the impact when attacks do occur. This multilayered approach includes employee awareness training. When an attack makes it through your security, employees are typically the last line of defense.
Learn how to account for phishing attacks, how to recognize them, and what to do if you ever discern that you may have accidentally succumbed to a phishing attack. Test your phishing knowledge by taking our Phishing Awareness Quiz.
On any email client: You can examine hypertext links, which is one of the best ways to recognize a phishing attack.
When checking for hyperlinks: The destination URL will show in a hover pop-up window near the hyperlink. Ensure that the destination URL link equals what is in the email. Additionally, be cautious about clicking on links that have strange characters in them or are abbreviated.
On mobile devices: You can observe the destination URL by pressing and holding the hyperlink (there is no mouse to hover with). The URL will materialize in a small pop-up window.
On web pages: The destination URL will be revealed in the bottom-left corner of the browser window, when hovering over the anchor text.
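The hyperlink checks above (destination differs from the displayed address, strange characters in the host, abbreviated or shortened links) can be automated when triaging a reported message. The following is an added example, not code from the original article; the shortener list and the sample email body are constructed for illustration.

```python
# Added example: apply the article's hyperlink advice to an HTML email body.
# Flags anchors whose visible text is a URL that points to a different host,
# hosts with punycode or unusual characters, and known URL shorteners.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # constructed, not exhaustive

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL; tolerates a missing scheme like 'www.x.com'."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def check_links(html):
    """Return a list of (href, reason) for links that deserve a closer look."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        h = host_of(href)
        if not h:                      # mailto:, anchors, empty hrefs: nothing to compare
            continue
        if re.match(r"(https?://|www\.)", text, re.I) and host_of(text) != h:
            findings.append((href, "visible text points to a different host"))
        if "xn--" in h or not re.fullmatch(r"[a-z0-9.-]+", h):
            findings.append((href, "host contains unusual characters"))
        if h in SHORTENERS:
            findings.append((href, "shortened URL hides the real destination"))
    return findings

# Constructed sample: one honest link, one mismatched link, one shortener.
SAMPLE = ('<p>Sign in at <a href="https://login.example.com/">https://login.example.com/</a> '
          'or <a href="http://example-login.invalid/reset">https://login.example.com/reset</a> '
          'or <a href="https://bit.ly/abc123">this link</a>.</p>')

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE):
        print(f"{href}: {reason}")
```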
If you receive a suspicious email, the first step is to not open the email. Instead, report the email to your company or organization as suspected phishing. Most importantly, you never want to assume that a coworker has already reported a phishing attack. The sooner your IT and security teams are forewarned of the potential threat, the sooner your company can take action to prevent it from damaging your network.
If you discern that you have accidentally engaged with a phishing attack and gave out any internal information, you must report the occurrence immediately. If you don't report a phishing attack immediately, you could put your data and your company at risk.
Spear phishing targets specific individuals instead of a wide group of people. That way, the attackers can customize their communications and appear more authentic. Spear phishing is often the first step used to penetrate a company's defenses and carry out a targeted attack. According to the SANS Institute, 95 percent of all attacks on enterprise networks are the result of successful spear phishing.
The methods used by attackers to gain access to a Microsoft 365 email account are fairly simple and becoming the most common. These phishing campaigns usually take the form of a fake email from Microsoft. The email contains a request to log in, stating the user needs to reset their password, hasn't logged in recently, or that there's a problem with the account that needs their attention. A URL is included, enticing the user to click to remedy the issue.
Business email compromise (BEC) attacks are carefully planned and researched attacks that impersonate a company executive, vendor, or supplier.
When attackers go after a "big fish" like a CEO, it's called whaling. These attackers often spend considerable time profiling the target to find the opportune moment and means to steal login credentials. Whaling is of particular concern because high-level executives are able to access a great deal of sensitive company information.
Attackers often research their victims on social media and other sites to collect detailed information, and then plan their attack accordingly.
Voice phishing, or "vishing," is a form of social engineering. It is a fraudulent phone call designed to obtain sensitive information such as login credentials. For instance, the attacker might call pretending to be a support agent or representative of your company. New employees are often vulnerable to these types of scams, but they can happen to anyone--and are becoming more common.