Phishing attacks are one of the biggest threats to your company’s security. In fact, according to Verizon’s Data Breach Investigations Report (2019), a whopping 32% of data breaches involved phishing attacks. This crime costs companies time, money, reputation, and their clients’ privacy and privileged information.
A successful phishing scheme can get all manner of confidential information into the wrong hands, from passwords to client data to banking and credit card information. So how do phishing attacks work? How can you recognize and stop them? Here’s what you need to know:
What are Phishing Attacks?
Phishing is a specialized form of cybercrime. The scammer pretends to be a trustworthy person via some form of electronic communication. They may try to get information directly from you, such as by asking for your password. The phishers may also go for a more indirect method. After all, if they can convince you to let them past your company’s security network, they can access far more confidential data than just one person’s login information.
Who do Phishers Target?
Phishers are ultimately after valuable data of the company, the employees, and the business’s customer base. Some phishers target individuals. Meanwhile, others do a mass attack of everyone in the company, industry, or geographic area.
Spear phishing is targeted at a certain individual or company. This cybercrime often begins with gathering personal information or making personal contact. Approaching a target like this increases the chance of building trust and successfully stealing information. In a subset of this, whaling, a high-ranking executive is specifically targeted. Executives are more likely to have access to high-value data and to override vital security protocols in the phisher’s favor.
Broader phishing attacks can include cold-calling many people, such as the now well-known bank phishing scam. Another attack, clone phishing, involves two maneuvers. The phisher first gains access to an employee’s email. Then this scammer clones a legitimate, successfully delivered email. This email is edited to contain malicious links and attachments while still looking like innocent communication.
What are Phishers After?
Phishers are looking for the personal information of employees, executives, clients, and private data tied to the business itself. This can include:
- employee passwords
- client addresses, credit card information, and social security information
- trusted email addresses
- software and projects in development
- patented intellectual property
- coming ad campaigns
- company banking information
This information is highly profitable to scammers because it can be used by many people for many nefarious purposes. Stolen personal data can be used for:
- identity theft
- stealing programs or products in development
- selling the business’s intellectual property to competitors
- draining company and client bank accounts
- crippling computer networks and holding them for ‘ransom’
- using an employee’s identity to phish other companies
- selling data to third parties
How Do Phishers Get Your Data?
Many people picture clicking on the link in a bogus email, and that is indeed one of their strategies. However, phishers can and do use all forms of electronic communication to try to pry key bits of information from a company. This includes:
- texts (SMiShing)
- social media contacts
- forged websites
- phone calls
- VoIP system manipulation (Vishing)
- covertly redirecting browsing tabs
What Do Phishing Attacks Look Like?
Phishers are locked into an ‘arms race’ with the law enforcement and cybersecurity personnel who are trying to prevent this crime. Modern phishers have grown much more sophisticated and subtle over the years, and this trend is likely to continue. The variety of potential phishing attacks is limited only by the imagination of the hackers attempting to phish your company. Four typical examples include:
An email is delivered that contains a link to a website the employee frequents. This website has been designed to closely resemble a reputable institution like their bank. It will use the bank’s fonts, page layout, and color schemes. It may even include the logo. However, this is all a false front. If the recipient attempts to log in, the site collects their username, password, security verification questions, and more. This data is passed over to the phishers to be exploited or sold.
A text or email is sent that claims to be from the company’s software provider. There’s a security update that’s available and installing it is as simple as clicking on an attachment. Of course, this ‘update’ is actually a piece of malware. Once installed, the malware allows the phishers to slip past a computer’s security system and help themselves to the data within the network.
Someone at the company gets a phone call regarding an urgently needed delivery of office supplies. Unfortunately, there’s been an error. The employee is urged to ‘validate’ that account or purchase by telling the phisher certain private information. Some phishers build on this scam, passing the information on to another scammer. The second phisher builds trust with a different employee by revealing information that (supposedly) only a partnered business would know. The team of scammers may leapfrog from one person to another in an organization, gaining a vast amount of company data.
Many people are savvy to the signs of catfishing on social media, but what about ‘catphishing’? Here, the scammer impersonates a casual acquaintance on social media. The catphisher attempts to gain the target’s friendship and trust. This is then leveraged into favors, revealed account information, and so on.
What are the Signs of Potential Phishing?
Many times you’ll notice something is a little off during the phishing attempt. For instance, this supposedly official correspondence from a supplier is riddled with spelling and grammatical errors. You wonder if someone new at the company is writing the email.
You may be curious why your bank is requesting confidential information. They’ve never done that before. In fact, you can’t remember any bank sending you a link to update your account.
A Facebook contact may reach out to you with a new email address or phone number. Their name sounds familiar, but was it always spelled like that? This contact is friendly and chatty, but talks in generalities. They carefully bat away questions about themselves and focus on what you have to share.
These examples may seem suspicious, but you can’t always rely on the small details being off. Sophisticated and well-prepared scammers may not make these mistakes. So what else can you look for?
Keep an eye out for an overall combination of tempting bait and pressure. Phishers operate with varying degrees of ‘carrot and stick’ inducements.
The ‘carrot’ is often an opportunity that sounds too good to be true. Perhaps it’s a once in a lifetime vacation sweepstakes that requires your credit card information for entry. Maybe the supplier is offering a high-value item for half its usual price. There could be both money and a career opportunity at hand, if you cooperate.
Here comes the stick: pressure is applied to you. That tempting offer comes with a hard deadline. The person contacting you has ten other people interested in what they’re selling, and they’re doing you a favor by talking to you first. Maybe they’re claiming that your bank account might be frozen. If you don’t act now to put in your information and validate it, you might not be able to access your money for weeks!
What is the time pressure and induced fear for? It increases the chance that you’ll overlook the gaps in their story and take the bait.
How to Protect Yourself and Your Company
Preparation is key here, both in terms of how you structure your data and backup systems and your employee training plan. Software can also improve your business’s resistance to phishing. Finally, and perhaps most important, are the day-to-day choices you and your employees make in your electronic communications. These can spell the difference between a defeated cyberattack and a serious data breach.
Let’s take a look at some anti-phishing tools and strategies:
Preparing for Potential Cyberattack
Although some internet presence is expected in this day and age, be cautious and selective about what you put up. Does your website really need to list employee phone numbers, extensions, or emails? The more contact information you give out, the more doors a phisher can try to open.
Encrypt vital information. In particular, set up and require encryption for employees that are telecommuting.
Train your employees in what to look out for and how to react if they suspect phishing. Who do they contact? Do they delete the email or save it for IT to examine? What if they discover a problem after putting in their login information?
Ask your IT department to update you and the rest of the company on new phishing scams. This will keep anti-phishing training fresh in employees’ minds and let them know what to look out for.
Back up information frequently and in multiple places. Remember the 3-2-1 rule. Keep at least 3 copies of your data, stored on at least 2 different forms of storage media, and have 1 of them located offsite. For instance, store two copies on cloud storage and one copy on an external hard drive at the office. This way, if phishers go in and alter your contact list or plant something malicious, you have a clean backup to work from.
When backing up your data, make sure the backup media aren’t left connected to your home network. Also, don’t forget to back up your business phone’s data.
Use anti-phishing software and keep it fully updated. This software has been specially designed to detect and disable phishing attempts. Look for programs that work with Domain-based Message Authentication, Reporting and Conformance (DMARC) policies.
While you’re at it, keep all other software fully updated and patched. Software vendors are constantly making their programs more robust against cyberattacks. If you fall behind and are working off of older versions of the software, hackers will find it an easy target. Just remember to verify the update first.
Consider converting HTML email into text only messages. You can also disable HTML email messages. This limits phishers’ options for fooling employees with doctored hotlinks and other tricks.
Filter spam emails. Be very cautious before retrieving anything from your spam folder. Try to verify the sender’s address before opening a message. Watch out for tricks like changing upper and lower cases, substituting the number one for a lowercase ell, or adding spaces. These false addresses might look very convincing at a glance but fall apart on closer examination.
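The address tricks listed above (mixed case, a digit one in place of a lowercase ell, a capital I in place of a lowercase l, inserted spaces) can be caught mechanically by folding a sender’s domain into a canonical form and comparing it against the domains you already trust. The following is an added example written for this page, not code from the original article or from any product it mentions; the trusted domains and the sample sender addresses are constructed for the demonstration.

```python
import re
import unicodedata

# Constructed list of domains this organization already trusts (assumption for the example).
TRUSTED_DOMAINS = {"examplesupplier.com", "examplebank.com"}

# Applied before case folding: a capital I imitates a lowercase l.
UPPER_CONFUSABLES = str.maketrans({"I": "l"})
# Applied after case folding: digits and symbols that imitate letters.
CHAR_CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l", "!": "i"})


def fold_lookalike(domain: str) -> str:
    """Collapse a domain to a canonical spelling so look-alike variants compare equal.

    Removes inserted whitespace, strips accents, maps confusable characters and
    folds case. Both the trusted domain and the candidate go through this, so the
    comparison stays consistent even where the folding is aggressive.
    """
    d = re.sub(r"\s+", "", domain)
    d = unicodedata.normalize("NFKD", d)
    d = "".join(ch for ch in d if not unicodedata.combining(ch))   # 'é' -> 'e'
    d = d.translate(UPPER_CONFUSABLES)
    d = d.casefold()
    d = d.translate(CHAR_CONFUSABLES)
    d = d.replace("rn", "m").replace("vv", "w")                    # 'rn' reads as 'm', 'vv' as 'w'
    return d


def sender_domain(address: str) -> str:
    """Return the part after the last '@', keeping any inserted spaces for inspection."""
    return address.rsplit("@", 1)[-1].strip()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None).

    An exact, case-insensitive match is trusted (DNS names are case-insensitive).
    A domain that only matches after folding is a look-alike of that trusted domain.
    """
    domain = sender_domain(address)
    if domain.lower() in trusted:
        return ("trusted", domain.lower())
    folded = fold_lookalike(domain)
    for t in sorted(trusted):
        if fold_lookalike(t) == folded:
            return ("lookalike", t)
    return ("unknown", None)


def scan_senders(addresses):
    """Classify a batch of From: addresses, e.g. pulled from a quarantine folder."""
    return [(addr, *classify_sender(addr)) for addr in addresses]


# Constructed sample senders; none of these are real mailboxes.
SAMPLE_SENDERS = [
    "orders@examplesupplier.com",    # exact trusted domain
    "orders@ExampleSupplier.com",    # case differs only; still the same domain
    "orders@examp1esupplier.com",    # digit one for lowercase ell
    "alerts@example bank.com",       # inserted space
    "alerts@exampIebank.com",        # capital I for lowercase l
    "news@unrelated.example",        # not related to anything trusted
]

if __name__ == "__main__":
    for addr, verdict, match in scan_senders(SAMPLE_SENDERS):
        print(f"{verdict:9} {addr:32} {match or ''}")
```

The folding is deliberately one-directional: a candidate that only matches a trusted domain after folding is flagged as a look-alike rather than quietly accepted, which is the outcome a quarantine review wants.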
Filter the web. Certain software keeps a registry of malicious, suspect, and insufficiently protected websites or IP addresses. This is insufficient on its own but does create another brick in your cyberdefense wall.
Don’t forget to protect your phone and tablet along with your computer. Consider strategies like multi-factor authentication or pairing a passcode with a fingerprint scan.
Day-to-day Best Practices
Avoid accessing the company’s website through public or unsecured networks.
Be cautious about shortened links. These aren’t always a scam. However, some common phishing tricks involve manipulating URLs. It’s easier for the phisher to redirect you to a false website via a shortened link.
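Two of the link tricks described on this page, doctored hotlinks in HTML email (where the visible text shows one address and the link points somewhere else) and shortened links that hide their destination, can both be surfaced by extracting every anchor from the HTML body and rendering it the way a text-only client would. The following is an added example written for this page, not code from the original article or from any product it mentions; the sample message, its domains and the short list of shortener hosts are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts of well-known URL shorteners; a deliberately short, constructed list for this example.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


class MailParser(HTMLParser):
    """Collect (href, visible text) for every <a>, and build a text-only rendering
    in which each link is shown as 'visible text <real destination>'."""

    BLOCK_TAGS = {"p", "div", "br", "li", "tr", "h1", "h2", "h3"}

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_parts = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag in self.BLOCK_TAGS:
            self.text_parts.append("\n")
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        if self._href is not None:
            self._anchor_text.append(data)
        else:
            self.text_parts.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._anchor_text).split())
            self.links.append((self._href, text))
            self.text_parts.append(f"{text} <{self._href}>")   # expose the real target
            self._href = None
        elif tag in self.BLOCK_TAGS:
            self.text_parts.append("\n")


def parse_mail(html: str) -> MailParser:
    p = MailParser()
    p.feed(html)
    p.close()
    return p


def host_of(url: str) -> str:
    """Lower-cased hostname; bare text like 'www.example.com/x' is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """True when the visible link text itself reads as a web address."""
    return re.fullmatch(r"(https?://)?(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?", text.lower()) is not None


def audit_links(html: str):
    """Return (finding, visible text, destination host) for each suspicious anchor."""
    findings = []
    for href, text in parse_mail(html).links:
        target = host_of(href)
        if looks_like_url(text) and host_of(text) != target:
            findings.append(("mismatch", text, target))      # text says one site, link goes to another
        elif target in SHORTENER_HOSTS:
            findings.append(("shortened", text, target))     # destination hidden behind a shortener
    return findings


def to_text(html: str) -> str:
    """Text-only rendering of the message, one paragraph per line, links expanded."""
    raw = "".join(parse_mail(html).text_parts)
    lines = (" ".join(line.split()) for line in raw.split("\n"))
    return "\n".join(line for line in lines if line)


# Constructed sample message; the domains and the shortened path are placeholders, not real links.
SAMPLE_HTML = """
<html><body>
<p>Dear customer, please <a href="https://login.examp1ebank.example/verify">https://www.examplebank.com/login</a>
to confirm your account.</p>
<p>Read our <a href="https://www.examplebank.com/privacy">privacy policy</a>.</p>
<p>Offer ends today: <a href="https://bit.ly/placeholder-link">claim your prize</a></p>
</body></html>
"""

if __name__ == "__main__":
    print(to_text(SAMPLE_HTML))
    for finding in audit_links(SAMPLE_HTML):
        print(finding)
```

The text rendering is what a user would see after converting HTML mail to plain text: the first link reads “https://www.examplebank.com/login <https://login.examp1ebank.example/verify>”, which makes the doctored hotlink obvious, while the audit also flags the shortened link whose destination cannot be judged from the message alone.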
Do not send sensitive information such as PINs over email or text. In this day and age, all businesses are well aware of potential data breaches. Reputable companies will not ask you to do something so risky.
Verify links before you click on them. Double-check any attachments or software updates. When in doubt, your IT department should be able to tell you if a file or link is legitimate.
Report suspicious communications and follow your company’s anti-cyberattack response plan.
Preparation and Education Make All the Difference
There are many phishers out there who are willing to create devious malware, build mock-up websites, and devote days or weeks to getting data from your company. Your business’s and customers’ information is that valuable.
However, phishing can only succeed when systems are not properly secured or when employees let the phishers in. Update your cybersecurity. Educate yourself and your employees. If you take away every point of access, the phisher will have no choice but to leave you alone and move on to a new target.