What exactly is Phishing? It’s one of the biggest threats from hackers, yet most people still aren’t sure how phishing works. Hackers mimic the emails, forms, and websites of legitimate companies to lure people into providing their private, personal, and business information. Credit card numbers, social security information, account logins, and personal identifiers are just some of the data hackers are looking for. Victims don’t realize they’ve been compromised until long after the event took place. And often only after their identity or finances are affected.
In the past, an attack was carried out relatively quickly. As soon as the victim gave up their information, the hacker moved in and stole money from the compromised account. Today, it’s often more lucrative for hackers to sell that information on the Dark Web, resulting in longer-lasting and even more devastating attacks.
3 Types of Phishing Attacks
Spear Phishing
Phishing attempts directed at specific individuals, or companies, are termed ‘spear phishing.’ These attacks gather personal information to increase the probability of success. This technique is by far the most successful on the Internet today, accounting for 91% of attacks.
Personalized attacks work because the victim typically doesn’t identify the attack as a threat. The approach is usually an email that contains a bogus attachment. The email usually looks legitimate, as it includes the person’s name and position in the company. Once the attachment is clicked on, threats, including ransomware, are launched.
Clone Phishing
Clone phishing is an attack where a previously delivered email containing an attachment or link is used to create an almost identical email. The attachment is replaced with a malicious copy, then sent from an email address spoofed to appear that it came from the original sender. It may claim to be a resend of the original or an updated version.
Clone Phishing attacks can look like an anti-virus update, a refund or credit offer, and even gift cards. Make sure you know where these emails came from before you click on any links. Better yet, don’t click on those links at all!
Whaling
Whaling attacks target the big fish of the company, hence the term. These phishing attacks focus on senior executives and high-profile targets. They use a more serious tone to match the executives’ roles in the company. For example, the email may pretend to be a legal subpoena, a customer complaint, or a payment request.
Whaling emails masquerade as a critical business message. They appear to be sent from a legitimate business. Whaling phishers have also forged official-looking FBI subpoena emails and claimed that the manager needs to click a link and install special software to view the subpoena.
Some examples are, emails from a bank or medical office asking to update information online or confirm the username and password? It could be a suspicious email from your boss asking you to execute a wire transfer. If you see any of these you’re among the 76% of businesses that were victims of a phishing attack in the last year.
Methods of Delivery
Most phishing scams are received through emails. But now hackers are getting trickier with their methods of execution. Personal device and Phone attacks using SMS texting (smishing), Voice phishing (vishing) are very common. Social engineering, a method in which users can be encouraged to click on various kinds of unexpected content for a variety of technical and social reasons, is everywhere.
Ransomware
Phishing, the most common way to spread ransomware, grows rapidly every year. Phishing can victimize anyone, or make them vulnerable to ransomware attacks. However, hackers have started to target organizations that are more likely to pay the ransom. These include small businesses, education, government, and healthcare sectors that often lack protected data backups. Without backups, they cannot re-install a pre-ransomed version of their data. Instead, they have to pay the ransom or shut down. The ransom alone can ruin many small businesses. Moreover, phishing victims can lose their reputation as trustworthy. This could drive some customers to their competitors, leading to even more financial loss.
Phishing campaigns are rampant
There are nearly 5 million new phishing sites created every month, according to Webroot Threat Report. On the dark web, hackers can find Phishing as a Service, offering phishing attacks in exchange for payment. One Russian website, “Fake Game,” claims over 61,000 subscribers and 680,000 credentials stolen.
These attacks have scary stats. People carelessly open over 30% of phishing messages. Then, 12% of them click on the attachments. As a result, these hackers appear legitimate.
Sophisticated hackers can create new phishing campaigns and sites in a matter of minutes. Although we believe there are much more honest ways to make money, these individuals have chosen to scam the general public instead.
Protect Yourself
Since Emails are the most common delivery method for Phishing attacks, it makes sense to train your employees how to spot these scams. It’s safe to assume that, if an email looks fishy, it probably is. Contact us if you have any questions or concerns.