Most employees are required to take security awareness training during their first week of work. Normally these courses outline company policies, talk about the importance of online security, what is phishing, and share examples of email attacks so that employees can detect and report them in the future. And yet, how many times do employees, and even leadership, fall for corporate email phishing tests?
The answer is probably far too high. No matter how much education you provide, a compelling corporate phishing scam can deceive even the most savvy of your employees. One employee’s misstep could expose sensitive personal information to a malicious party. This piece will help you understand the nuances of phishing and provide you with useful tips to combat the shrewd techniques of scammers.
Phishing Explained
Phishing is a cyberattack in which a target receives a fraudulent email or text designed to prompt them to share sensitive information such as banking details or login credentials. Attackers typically impersonate legitimate institutions like governments or large corporations to convince individuals to relinquish the data.
Many people have the perception that phishing scams are obvious and, thus, easily avoidable. Yet, phishing attacks occur successfully every day, multiple times per day. The FBI’s Internet Crime Complaint Center discovered that victims lost $57 million to phishing schemes in 2019 alone and estimates that phishing costs United States businesses close to $5 billion per year.
Over time, scammers have honed their craft, making it difficult for many to identify email phishing attacks as they’re happening. A phishing attack could come in the form of a message falsely claiming an account is locked due to suspicious activity, an email noting that a fabricated billing statement is overdue, or a congratulatory text saying a recipient won a free product or service that does not exist.
The Evolution of Phishing
- The expression “phishing” was first used in the 1990s to describe attempts to gain access to AOL usernames and passwords. Users weren’t familiar with this kind of attack, and many fell prey to phishing even when AOL cautioned users about the danger phishing presented.
- Since then, attackers have become even more sophisticated and prolific. In response, companies have adopted powerful gateway-level email security and phishing tools. But attackers have not backed off, creating new methods such as phishing websites that spoof popular domains to collect sensitive data. The sheer number of phishing sites, and the tight timeline security teams have to warn people about them, make phishing attacks extremely difficult to address.
- Today, more than 1.5 million new phishing sites are created per month, and the sites only stay active for 4 to 8 hours on average. Unfortunately, rule-based email security tools lack the visual anomaly detection needed to uncover fake login pages in real time.
Types of Phishing
The hallmarks of phishing are similar across each type of attack, but it’s beneficial to have a solid understanding of each type of phishing to be as vigilant as possible. Below, we define 4 types of phishing and provide examples to help you take precautionary measures against them.
Name | Definition | Example
--- | --- | ---
Spear Phishing | | A consulting firm is helping a technology company implement new enterprise software. A scammer finds out that a customer success representative is assisting with the testing phase of the project. Pretending to be a member of the consulting team, the attacker sends the CSR an email claiming that personal information is required to set up her test account. The rep responds to the email, willingly giving out her home address, phone number, and social security number.
Whaling | | The CEO of a construction company receives an email warning that the company is under investigation by a legal entity. Panicking, the CEO opens the email and the attachments, unknowingly downloading malware.
Smishing / SMS Phishing | | A finance firm operations manager receives a text about upgrading the business Wi-Fi. The offer is compelling and seems to come from the company's current internet provider. He clicks the link in the text, which takes him to what looks like the account login page, and innocently hands his credentials to the attackers.
Business Email Compromise (BEC) | | A procurement manager at a healthcare company is sorting through emails and receives an invoice from a medical supplies vendor called Medical Devices, Inc. He gets bills from Medical Devices, Inc. often, so he opens the email, clicks the embedded link, and pays the invoice. He doesn't notice that the email came from jessica@medicaldevices.com instead of jessica@medicaldevicesinc.com, so his payment goes straight into the scammers' bank accounts.
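The BEC row turns on a single dropped "inc" in the sender's domain. As an added illustration (not code from the original article or from IRONSCALES), the Python check below compares an invoice sender's domain against an allow-list of the vendor domains a finance team actually pays, normalising away hyphens and corporate suffixes so that near-misses are flagged for review rather than paid. The vendor list and the extra sender addresses are constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list of vendor domains the organisation actually pays
# (hypothetical; the second entry is not from the original article).
TRUSTED_VENDOR_DOMAINS = {"medicaldevicesinc.com", "acme-supplies.example"}

# Corporate suffixes that lookalike domains commonly drop or add.
_NOISE = ("inc", "llc", "ltd", "corp", "co")


def registrable_label(domain: str) -> str:
    """Return the second-level label of a domain, e.g. 'medicaldevicesinc'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def stem(label: str) -> str:
    """Remove non-letters and corporate suffixes: 'medical-devices-inc' -> 'medicaldevices'."""
    s = re.sub(r"[^a-z]", "", label.lower())
    for suffix in _NOISE:
        # Only strip when a meaningful stem remains.
        if s.endswith(suffix) and len(s) > len(suffix) + 3:
            s = s[: -len(suffix)]
    return s


def classify_sender(address: str, trusted=TRUSTED_VENDOR_DOMAINS):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None).

    A 'lookalike' verdict means the sender is NOT a known vendor but its
    domain stem matches or closely resembles one, which is the BEC pattern
    in the article (medicaldevices.com vs. medicaldevicesinc.com).
    """
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return "trusted", domain
    probe = stem(registrable_label(domain))
    for vendor in trusted:
        ref = stem(registrable_label(vendor))
        ratio = SequenceMatcher(None, probe, ref).ratio()
        if probe == ref or ratio >= 0.85:
            return "lookalike", vendor
    return "unknown", None


if __name__ == "__main__":
    for addr in ("jessica@medicaldevicesinc.com", "jessica@medicaldevices.com"):
        print(addr, "->", classify_sender(addr))
```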
How to Detect a Phishing Attack
The most revealing thing about phishing scams is that they contain calls to action to click a button, open attachments, or reply with sensitive information.
But there are other telltale signs of phishing attacks as well.
- Usually phishing attacks create an unreasonable sense of urgency, such as limited time offers or alleged account suspensions.
- Phishing scams also have odd aesthetic features, like blurry or overstretched images, and copy with misspellings, odd capitalization, and/or other grammatical errors.
- Also look for details that don't add up, such as an incorrect account number in a text, an old or outdated company logo on a website, or a recipient addressed by the wrong name in an email.
Tips to Prevent Phishing
1. Employee Education
Education increases the likelihood that employees will recognize attacks and report them to company security teams before surrendering any information. If you don't already, instruct your employees to hover over links to inspect the real destination and check that it uses HTTPS (a Secure Sockets Layer certificate), require them to change their passwords regularly, and encourage them to set a unique password for each application they use.
Besides these common safety measures, continuously update your employees on new tactics scammers are using to add an extra layer of protection to your business.
2. MFA/2FA
3. API Mailbox-level Intelligence
4. AI-powered Incident Response
Take the first step towards a more holistic, comprehensive approach to your security by requesting a free IRONSCALES demo today.