What is Phishing
and How to Prevent It

Most employees are required to take security awareness training during their first week of work. Normally these courses outline company policies, talk about the importance of online security, and share examples of scams so that employees can detect and report them in the future. And yet, how many times do employees, and even leadership, fall for email phishing tests?

The answer is probably far too high. No matter how much education you provide, a compelling phishing scam can deceive even the most savvy of your employees. One employee’s misstep could expose sensitive personal information to a malicious party. This piece will help you understand the nuances of phishing and provide you useful tips to combat the shrewd techniques of scammers.

hook_hexagon-1

What is Phishing

Phishing is a cyberattack in which a target receives a fraudulent email or text designed to prompt them to share sensitive information such as banking details or login credentials. Attackers typically impersonate legitimate institutions like governments or large corporations to convince individuals to relinquish the data.

Many people have the perception that phishing scams are obvious and thus easily avoidable. Yet, phishing attacks occur successfully every day, multiple times per day. The FBI’s Internet Crime Complaint Center discovered that victims lost $57 million to phishing schemes in 2019 alone, and estimates that phishing costs United States businesses close to $5 billion per year.

questionmark_blue

Over time, scammers have honed their craft, making it difficult for many to identify phishing as it’s happening. A phishing attack could come in the form of a message falsely claiming an account is locked due to suspicious activity, an email noting that a fabricated billing statement is overdue, or a congratulatory text saying a recipient won a free product or service that does not exist.

2023 Gartner® Market Guide

This guide gives email security leaders exclusive Gartner research on the industry to ensure their existing threat solution remains appropriate for the changing landscape of evolved phishing attacks. In this guide:

  • Key findings and recommendations from Gartner
  • Evaluate native capabilities of cloud email systems
  • Representative Vendors for email security and tools
  • Learn about the market direction of email security
Download Report
Garrtner-Multi-page

The Evolution of Phishing

evol_icon_1

The expression “phishing” was first used in the 1990s to describe attempts to gain access to AOL usernames and passwords. Users weren’t familiar with this kind of attack, and many fell prey to phishing even when AOL cautioned users about the danger phishing presented.

evol_icon_2

Since then, attackers have become even more sophisticated and prolific. In response, companies have adopted powerful gateway-level email security and phishing tools. But attackers have not backed off, creating new methods such as phishing websites that spoof popular domains to attempt to collect sensitive data.

The sheer number of phishing sites and the tight timeline security teams have to warn people about them, make phishing attacks extremely difficult problems to address.

evol_icon_3

Today, more than 1.5 million new phishing sites get created per month, and the sites only stay active for 4 to 8 hours on average. And, unfortunately, rule-based email security tools don’t have the visual anomalydetection features to uncover fake login pages in real-time.

Types of Phishing

The hallmarks of phishing are similar across each type of attack, but it’s beneficial to have a solid understanding of each type of phishing to be as vigilant as possible. Below, we define 4 types of phishing and provide examples to help you take precautionary measures against them.

Name
Spearphishing
Definition
icon_human
Targets a particular company or person
icon_hierarchy
Perpetrators take the time to deeply understand an enterprise’s organizational structure in order to create a believable scam
Example
A consulting firm is helping a technology company implement new enterprise software. A scammer finds out that a customer success representative is assisting with the testing phase of the project.

Pretending to be a member of the consulting team, the attacker sends the CSR an email claiming that personal information is required to set up her test account. The rep responds to the email, willingly giving out her home address, phone number, and social security number.
Name
Whaling
Definition
icon_senior
Targets senior leadership, e.g., C-suite or company board members.
icon_target
Phishers must study the individuals they plan to target carefully.
Example
The CEO of a construction company receives an email that warns that the company is under investigation by a legal entity. Panicking, the CEO opens the email and the attachments, unknowingly downloading malware.
Name
Smishing/SMS Phishing
Definition
icon_alert
Attackers send victims texts with special offers or phony alerts.
icon_malicious
Links within the text ask recipients for credentials or direct them to malicious sites.
Example
A finance firm operations manager receives a text about upgrading the business Wi-Fi. The offer is compelling and seems to come from the company’s current internet provider.

He clicks on the link in the text, which takes him/her to the account login page and innocently gives his credentials to attackers.
Name
Business email compromise (BEC)
Definition
icon_false_user
Scammers hack into enterprise email accounts.
icon_similar

If attackers cannot get full access to a business email account, they will create their own email address with very similar characteristics to those of the corporate network they are trying to scam.

For example, if company emails usually look like “john@sprint.com”, the hacker might create one like: “john@spriint.com”.

icon_company
Criminals then assume the identity of an employee or vendor in an attempt to defraud the company.
Example
A procurements manager at a healthcare company is sorting through emails and receives an invoice from a medical supplies vendor- called Medical Devices, Inc.

He/She gets bills from Medical Devices, Inc. often, so opens the email, clicks the embedded link, and pays the invoice.

He/She doesn’t notice that the email came from jessica@medicaldevices.com instead of jessica@medicaldevicesinc.com, so his payment is directed straight into scam bank accounts.
blue_guy

How to Detect a Phishing Attack

The most revealing thing about phishing scams is that they contain calls to action to click a button, open attachments, or reply with sensitive information.

But there are other telltale signs of phishing attacks as well.

Usually phishing attacks create an unreasonable sense of urgency, such as limited time offers or alleged account suspensions.


Phishing scams also have odd aesthetic features, like blurry or overstretched images, and copy with misspellings, odd capitalization, and/or other grammatical errors.


Look for things like listing an incorrect account number in a text, using an old or outdated company logo on a website, or addressing a subject by the wrong name in an email.

Examples of Phishing Attacks

Everyday examples can solidify these concepts. The following screenshots exemplify everyday methods scammers use to entice victims, so we’ll highlight the clues attackers left behind.

Take this one, for instance:

Seems like an ordinary email, right? Wrong. “2021 Tax Return Receipt” makes it seem like a tax return is already on its way to the recipient’s bank account.

The email content itself may be an even bigger indicator that the message is fake. “Wilson” is in a different font and is much larger than the rest of the copy.

Oddly, the recipient’s name is not in the header either, starting with “Hi there,” instead. Plus, there is no way that the IRS would use a signoff so informal as “Enjoy!”

example1_desktop

However, he/she doesn’t know how much money there is and might be confused, prompting him/her to click on the “View Document Now” button.

Let's study a second example:

This email also appears to be sent from the IT Service department, but “johnsmithtrading@gmail.com” isn’t an appropriate address for any IT team member.

The email doesn’t address the recipient by name, nor does it have a subject line, and the content of the email contains extra periods and unusual capitalization.

example2_desktop

Notice that the email establishes a sense of urgency, asking the recipient to upgrade his mailbox or else he will not be able to send or receive emails.

Moreover, the link embedded in the email doesn’t contain “https” in the URL, and a message from IT wouldn’t need to cite copyright.

Tips to Prevent Phishing

Phishing attacks compromise employee and customer data, and, ultimately, cost you money.
The good news is that there are ways to reduce your organization’s vulnerability to attacks. Here are a few:

1. Employee Education

Education increases the likelihood employees will discern attacks and report them to company security teams before surrendering any information. If you don’t already, instruct your employees to hover over links to check for a Secure Socket Layer certificate, force them to regularly change their passwords, and encourage them to set unique passwords for each application they use.

Besides these common safety measures, continuously update your employees on new tactics scammers are using to add an extra layer of protection to your business.
hexagon1
hexagon2

2. MFA/2FA

Multi-factor or two-factor authentication—MFA and 2FA, respectively—are standard phishing protection for any modern business. When logging into a workplace application, MFA and 2FA require employees to provide their password and one or more codes sent via text or authenticator app to add an extra level of defense around sensitive information.

3. API Mailbox-level Intelligence

To detect malicious emails with and without payloads, the technology must have the capacity to dynamically learn mailbox and communication habits too. This will allow for the detection of anomalies based on both email content and metadata and thereby improve trust and authentication of email communications, flagging and quarantining any threats in real time.
sender_reputation1
sales_demo

4. AI-powered Incident Response

Many organizations have to manually sift through emails and triage attacks one-by-one, but relying on humans to find and investigate each attack leaves a lot of room for error. Artificial intelligence can dramatically speed up this process by automatically surfacing, analyzing, and even responding to attacks, freeing up your resources to work on other pressing projects.

Combat Phishing With
Anti-Phishing Software

With phishing getting more advanced by the day, businesses need a way to stay ahead of the attackers to avoid compromising their information security. Anti-phishing software can be an extremely valuable asset to aid in detecting and removing phishing attempts. IRONSCALES is a self-learning email security platform that provides all the tools necessary to keep a business safe from evolving phishing threats.

Try a free trial of IRONSCALES to see how you can keep your business safe from phishing.

FREE TRIAL
ironscales_logo_blue

It’s not just our customers talking about us

The word is out: IRONSCALES is leading the pack in email security!

  • Inc. 5000 Black Stacked Medallion 200x200
  • Best-Of Email Security-Fall 2022-Expert Insights-carousel
  • Best-Of Phishing Protection-Fall 2022-Expert Insights-carousel
  • Best-Of Security Awareness Training-Fall 2022-Expert Insights-carousel
  • Best-Of Phishing Simulation-Fall 2022-Expert Insights-carousel
  • CSGEA-2023-Gold-carousel
  • Global-InfoSec-Awards-for-2021-Winner-3
  • Frost & Sullivan: 2021 Best Practices Award
  • Expert Insights: Best Email Security Provider 2021
  • Expert Insights: Best Security Awareness Training 2021
  • Expert Insights: Best Phishing Protection 2021
  • CloudEmailSecurity_HighPerformer_HighPerformer-carousel
  • IntelligentEmailProtection_EasiestToDoBusinessWith_EaseOfDoingBusinessWith-carousel
  • CloudEmailSecurity_MomentumLeader_Leader-carousel
  • Deloitte-Fast-500-award-logo