
What is Phishing: How to Protect Your Company from Scams


Most employees are required to take security awareness training during their first week of work. Normally these courses outline company policies, talk about the importance of online security, and share examples of scams so that employees can detect and report them in the future. And yet, how many times do employees, and even leadership, fall for email phishing tests?


The answer is probably far too high. No matter how much education you provide, a compelling phishing scam can deceive even the most savvy of your employees. One employee's misstep can expose sensitive personal information to a malicious party. This piece will help you understand the nuances of phishing and provide useful tips to combat the shrewd techniques of scammers.


What is Phishing

Phishing is a cyberattack in which a target receives a fraudulent email or text designed to prompt them to share sensitive information such as banking details or login credentials. Attackers typically impersonate legitimate institutions like governments or large corporations to convince individuals to relinquish the data.

Many people have the perception that phishing scams are obvious and thus easily avoidable. Yet phishing attacks succeed every day, multiple times per day. The FBI's Internet Crime Complaint Center reported that victims lost $57 million to phishing schemes in 2019 alone, and estimates that phishing costs United States businesses close to $5 billion per year.

Over time, scammers have honed their craft, making it difficult for many to identify phishing as it’s happening. A phishing attack could come in the form of a message falsely claiming an account is locked due to suspicious activity, an email noting that a fabricated billing statement is overdue, or a congratulatory text saying a recipient won a free product or service that does not exist.

The Evolution of Phishing


The expression “phishing” was first used in the 1990s to describe attempts to gain access to AOL usernames and passwords. Users weren’t familiar with this kind of attack, and many fell prey to phishing even when AOL cautioned users about the danger phishing presented.


Since then, attackers have become even more sophisticated and prolific. In response, companies have adopted powerful gateway-level email security and phishing tools. But attackers have not backed off, creating new methods such as phishing websites that spoof popular domains to attempt to collect sensitive data.

The sheer number of phishing sites, and the short window security teams have to warn people about them, make phishing extremely difficult to address.


Today, more than 1.5 million new phishing sites are created per month, and on average a site stays active for only 4 to 8 hours. Unfortunately, rule-based email security tools lack the visual anomaly-detection capabilities needed to uncover fake login pages in real time.

Types of Phishing

The hallmarks of phishing are similar across each type of attack, but it’s beneficial to have a solid understanding of each type of phishing to be as vigilant as possible. Below, we define 4 types of phishing and provide examples to help you take precautionary measures against them.

Spearphishing

Definition: Targets a particular company or person. Perpetrators take the time to deeply understand an enterprise's organizational structure in order to create a believable scam.

Example: A consulting firm is helping a technology company implement new enterprise software. A scammer finds out that a customer success representative is assisting with the testing phase of the project.

Pretending to be a member of the consulting team, the attacker sends the CSR an email claiming that personal information is required to set up her test account. The rep responds to the email, willingly giving out her home address, phone number, and social security number.

Whaling

Definition: Targets senior leadership, e.g., C-suite or company board members. Phishers must study the individuals they plan to target carefully.

Example: The CEO of a construction company receives an email warning that the company is under investigation by a legal entity. Panicking, the CEO opens the email and its attachments, unknowingly downloading malware.

Smishing (SMS phishing)

Definition: Attackers send victims texts with special offers or phony alerts. Links within the text ask recipients for credentials or direct them to malicious sites.

Example: A finance firm's operations manager receives a text about upgrading the business Wi-Fi. The offer is compelling and seems to come from the company's current internet provider.

He clicks the link in the text, which takes him to a look-alike account login page, and unwittingly hands his credentials to the attackers.

Business email compromise (BEC)

Definition: Scammers hack into enterprise email accounts. If attackers cannot get full access to a business email account, they create their own email address that closely resembles the addresses of the company they are trying to scam.

For example, if company emails usually look like "john@sprint.com", the attacker might register one like "john@spriint.com".

Criminals then assume the identity of an employee or vendor in an attempt to defraud the company.

Example: A procurement manager at a healthcare company is sorting through emails and receives an invoice from a medical supplies vendor called Medical Devices, Inc.

He gets bills from Medical Devices, Inc. often, so he opens the email, clicks the embedded link, and pays the invoice.

He doesn't notice that the email came from jessica@medicaldevices.com instead of jessica@medicaldevicesinc.com, so his payment goes straight into the scammer's bank account.
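The lookalike-domain trick in the BEC definition and example above can be checked mechanically. The following Python is an added example, not IRONSCALES' code: it compares a sender's domain against a constructed list of trusted domains and flags near-miss spellings ("spriint.com"), confusable characters ("rn" for "m"), a changed top-level domain, and a name with a token dropped or added ("medicaldevices.com" for "medicaldevicesinc.com"). The trusted list, the confusable table and the edit-distance budget are assumptions chosen for illustration.

```python
"""Lookalike sender-domain check: an added example, not IRONSCALES' code.

Catches the two BEC tricks described above: a near-miss spelling such as
"spriint.com" for "sprint.com", and a shortened or extended name such as
"medicaldevices.com" for "medicaldevicesinc.com". The trusted-domain list,
the confusable table and the sample addresses are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from email.utils import parseaddr
from typing import Optional

# Sequences that look like another character in common fonts (assumed, not exhaustive).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def normalize(label: str) -> str:
    """Fold confusable sequences so 'rnicrosoft' compares equal to 'microsoft'."""
    s = label.lower()
    for lookalike, real in CONFUSABLES.items():
        s = s.replace(lookalike, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Minimum single-character edits (insert, delete, substitute) turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple[str, str]:
    """Return (name, tld). Simplification: the last label is treated as the TLD,
    so multi-part suffixes such as co.uk are not handled."""
    parts = domain.lower().split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


@dataclass
class Verdict:
    sender_domain: str
    trusted_domain: Optional[str]  # the domain being imitated, if any
    reason: Optional[str]          # None when nothing suspicious was found

    @property
    def suspicious(self) -> bool:
        return self.reason is not None


def check_sender(address: str, trusted: list[str]) -> Verdict:
    """Compare the sender's domain (from a bare or 'Name <addr>' form) against each trusted domain."""
    _, addr = parseaddr(address)
    domain = addr.rsplit("@", 1)[-1].lower()
    trusted = [t.lower() for t in trusted]
    if domain in trusted:
        return Verdict(domain, domain, None)

    name, tld = split_domain(domain)
    for t in trusted:
        tname, ttld = split_domain(t)
        # 1. Same name once confusables are folded: "rnicrosoft" vs "microsoft",
        #    or the genuine name under another TLD: "sprint.net" vs "sprint.com".
        if normalize(name) == normalize(tname):
            if tld == ttld:
                return Verdict(domain, t, f"confusable characters imitate {t}")
            return Verdict(domain, t, f"same name as {t} under a different TLD")
        # 2. A typo or two away: "spriint" vs "sprint". Short names get a tighter budget.
        budget = 1 if len(tname) < 6 else 2
        if levenshtein(normalize(name), normalize(tname)) <= budget:
            return Verdict(domain, t, f"within {budget} edits of {t}")
        # 3. Trusted name with a short token dropped or added:
        #    "medicaldevices" vs "medicaldevicesinc".
        shorter, longer = sorted((name, tname), key=len)
        if longer != shorter and len(longer) - len(shorter) <= 4 \
                and (longer.startswith(shorter) or longer.endswith(shorter)):
            return Verdict(domain, t, f"truncated or extended form of {t}")
    return Verdict(domain, None, None)


if __name__ == "__main__":
    TRUSTED = ["sprint.com", "medicaldevicesinc.com"]  # constructed allow-list
    for sender in ("John <john@spriint.com>", "jessica@medicaldevices.com",
                   "jessica@medicaldevicesinc.com", "alerts@sprint.net"):
        v = check_sender(sender, TRUSTED)
        print(f"{sender:38} {'SUSPICIOUS' if v.suspicious else 'ok':10} {v.reason or ''}")
```

Run it as a script to print a verdict per sample address. Treat the output as a triage signal, not proof: a legitimate partner whose domain happens to sit one edit away from yours will trip rule 2, so pair the check with history (has this exact domain ever sent you mail before?) and with the invoice workflow controls that BEC actually exploits, such as out-of-band confirmation of any change in payment details.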


How to detect a phishing attack

The most revealing feature of a phishing message is its call to action: click a button, open an attachment, or reply with sensitive information.

But there are other telltale signs of phishing attacks as well.

Phishing attacks usually create an unreasonable sense of urgency, such as limited-time offers or alleged account suspensions.


Phishing scams also have odd aesthetic features, like blurry or overstretched images, and copy with misspellings, odd capitalization, and/or other grammatical errors.


Look for details the real sender would get right: an incorrect account number in a text, an old or outdated company logo on a website, or a greeting that addresses the recipient by the wrong name.

Examples of Phishing Attacks

Everyday examples solidify these concepts. The following screenshots show methods scammers use to entice victims, with the clues the attackers left behind highlighted.

Take this one, for instance:

Call to action phishing email

Seems like an ordinary email, right? Wrong. "2021 Tax Return Receipt" makes it seem like a tax refund is already on its way to the recipient's bank account. The recipient doesn't know how much money that is and may be confused, which is exactly what prompts them to click the "View Document Now" button.

The email content itself may be an even bigger indicator that the message is fake. "Wilson" is in a different font and is much larger than the rest of the copy.

Oddly, the recipient's name is not in the greeting either, which starts with "Hi there," instead. Plus, there is no way that the IRS would use a sign-off as informal as "Enjoy!"

Let's study a second example:

Phishing email example with points of urgency

This email appears to be sent from the IT Service department, but "johnsmithtrading@gmail.com" isn't an appropriate address for any IT team member.

The email doesn't address the recipient by name, nor does it have a subject line, and the content of the email contains extra periods and unusual capitalization.

Notice that the email establishes a sense of urgency, asking the recipient to upgrade their mailbox or else they will not be able to send or receive emails.

Moreover, the link embedded in the email doesn't use "https" in the URL, and a message from IT wouldn't need to cite copyright. Treat the missing "https" as a weak signal only: many phishing sites now serve their fake login pages over HTTPS, so a padlock says nothing about who runs the site.

Learn more about fake login pages against the biggest brands in tech: https://ironscales.com/ebook/fake-login-pages/
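The tells listed under "How to detect a phishing attack" and in the two examples above (a free-mail address claiming to be IT, no subject line, a generic greeting, urgency, a call to action, an unencrypted link to an outside host) can be scored on a raw message. The Python below is an added example, not IRONSCALES' detection logic; it parses an RFC 822 message with the standard library and sums weighted findings. The two sample messages are constructed (the first mirrors the mailbox-upgrade phish above), and the free-mail list, phrase lists, weights and cut-off are assumptions for illustration, not tuned thresholds.

```python
"""Heuristic triage of a raw email for the phishing tells this page lists.

An added example, not IRONSCALES' detection logic. The two sample messages
are constructed (the first mirrors the "upgrade your mailbox" phish above);
the free-mail list, phrase lists, weights and cut-off are assumptions chosen
for illustration, not tuned thresholds.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
ROLE_RE = re.compile(r"\b(it|helpdesk|help desk|support|admin|service desk|security)\b")
URGENCY = ("immediately", "within 24 hours", "will be suspended", "will not be able",
           "has been locked", "upgrade your mailbox", "act now")
GENERIC_GREETINGS = ("hi there", "dear customer", "dear user", "dear account holder")
CALLS_TO_ACTION = ("click here", "view document", "verify your account", "sign in now")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
LIKELY_PHISH = 5  # assumed cut-off on the summed weights


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def score_message(raw: str, org_domain: str) -> tuple[int, list[str]]:
    """Return (score, findings) for one RFC 822 message; higher means more phish-like."""
    org_domain = org_domain.lower()
    msg = message_from_string(raw, policy=default)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    low = text.lower()
    findings: list[tuple[int, str]] = []

    # Display name claims an internal role, but the address is free-mail or external.
    if ROLE_RE.search(display_name.lower()) and from_domain != org_domain:
        kind = "free-mail" if from_domain in FREEMAIL else "external"
        findings.append((4, f"'{display_name}' sent from {kind} address {addr}"))
    # Replies are steered to a different domain than the one shown in From.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append((3, f"Reply-To {reply_to} differs from From domain"))
    # Cosmetic tells: no subject, impersonal greeting.
    if not str(msg.get("Subject", "") or "").strip():
        findings.append((1, "empty subject"))
    if any(low.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        findings.append((1, "generic greeting"))
    # Pressure plus a call to action.
    urgent = [p for p in URGENCY if p in low]
    if urgent:
        findings.append((2, f"urgency phrases {urgent}"))
    if any(p in low for p in CALLS_TO_ACTION):
        findings.append((1, "call to action"))
    # Links: anything pointing outside the organisation, and anything unencrypted.
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host != org_domain and not host.endswith("." + org_domain):
            findings.append((2, f"link to external host {host}"))
        if url.lower().startswith("http://"):
            findings.append((1, f"unencrypted link {url}"))

    return sum(w for w, _ in findings), [reason for _, reason in findings]


# Constructed samples. PHISH mirrors the IT "mailbox upgrade" email discussed above.
PHISH = """\
From: "IT Service" <johnsmithtrading@gmail.com>
To: sam@example.com
Date: Tue, 15 Jun 2021 09:12:00 +0000

Hi there,

Your mailbox has exceeded its limit. Upgrade your mailbox within 24 hours or you
will not be able to send or receive emails. Click here: http://mail-upgrade.example.net/login

Copyright 2021 IT Service. All rights reserved.
"""

LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
To: sam@example.com
Subject: Lunch Thursday?
Date: Tue, 15 Jun 2021 09:30:00 +0000

Hi Sam,

Are you free for lunch Thursday? This week's menu is at https://intranet.example.com/cafeteria

Jane
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        score, reasons = score_message(raw, "example.com")
        verdict = "LIKELY PHISHING" if score >= LIKELY_PHISH else "ok"
        print(f"{label}: score={score} {verdict}")
        for r in reasons:
            print("  -", r)
```

The weights deliberately put the most on the identity mismatch (a role-named sender from a free-mail domain, or a Reply-To that diverges from From), because those are the signals the attacker cannot remove without losing the lure, whereas spelling, greeting and "https" tells are cheap for them to fix. Scoring like this belongs behind a mailbox-level feed so it can learn who normally writes to whom; as a stand-alone filter on headers and body text it is only a starting point.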

Tips to Prevent Phishing

Phishing attacks compromise employee and customer data, and, ultimately, cost you money.
The good news is that there are ways to reduce your organization’s vulnerability to attacks. Here are a few:
1. Employee education

Education increases the likelihood that employees will recognize attacks and report them to the security team before surrendering any information. If you don't already, instruct your employees to hover over links to see the real destination before clicking (a padlock or TLS certificate only shows the connection is encrypted, not that the site is legitimate), require password changes whenever a credential may have been exposed, and encourage them to set unique passwords for each application they use.

Besides these common safety measures, continuously update your employees on new tactics scammers are using to add an extra layer of protection to your business.

2. MFA/2FA
Multi-factor or two-factor authentication (MFA and 2FA, respectively) is standard phishing protection for any modern business. When logging into a workplace application, MFA and 2FA require employees to provide their password plus one or more additional factors, such as a code from an authenticator app or a text message, adding an extra layer of defense around sensitive information. One caveat: a code the user types can itself be phished by a fake login page that relays it to the real site in real time, so where you can, prefer phishing-resistant methods such as FIDO2/WebAuthn security keys, which bind the login to the genuine site's origin, over SMS codes.
3. API Mailbox-level Intelligence
To detect malicious emails with and without payloads, the technology must be able to learn mailbox and communication habits dynamically. This allows detection of anomalies based on both email content and metadata, improving trust in and authentication of email communications, and lets threats be flagged and quarantined in real time.
4. Phishing Emulator
Phishing emulators send realistic phishing attacks to a designated mailbox. Unlike breach and attack simulators (BAS), advanced emulators expose gaps at the secure email gateway level, helping your team find and resolve emerging weaknesses as frequently as possible.
5. AI-powered incident response
Many organizations have to manually sift through emails and triage attacks one-by-one, but relying on humans to find and investigate each attack leaves a lot of room for error. Artificial intelligence can dramatically speed up this process by automatically surfacing, analyzing, and even responding to attacks, freeing up your resources to work on other pressing projects.

Phishing Protection Starts with Preparation

Phishing attacks aren’t slowing down anytime soon. Rather than living in constant fear of a security breach, take proactive measures to combat phishing in your organization. The first step is to adopt a cost-effective anti-phishing platform like IRONSCALES. IRONSCALES’ state-of-the-art phishing emulator can run real-world phishing attacks in less than 5 minutes.

Comprehensive reports that result from those tests enable your security administrators to see vulnerabilities and make smart changes to keep your company safe. The best part is that IRONSCALES prides itself on an easy, out-of-the-box setup.

Get ahead of the curve. Request a free trial of the IRONSCALES anti-phishing platform and phishing emulator today.
