Most employees are required to take security awareness training during their first week of work. Normally these courses outline company policies, talk about the importance of online security, what is phishing, and share examples of email attacks so that employees can detect and report them in the future. And yet, how many times do employees, and even leadership, fall for corporate email phishing tests?
The answer is probably far too high. No matter how much education you provide, a compelling corporate phishing scam can deceive even the most savvy of your employees. One employee’s misstep could expose sensitive personal information to a malicious party. This piece will help you understand the nuances of phishing and provide you with useful tips to combat the shrewd techniques of scammers.
Phishing Explained
Phishing is a cyberattack in which a target receives a fraudulent email or text designed to prompt them to share sensitive information such as banking details or login credentials. Attackers typically impersonate legitimate institutions like governments or large corporations to convince individuals to relinquish the data.
Many people have the perception that phishing scams are obvious and, thus, easily avoidable. Yet, phishing attacks occur successfully every day, multiple times per day. The FBI’s Internet Crime Complaint Center discovered that victims lost $57 million to phishing schemes in 2019 alone and estimates that phishing costs United States businesses close to $5 billion per year.
Over time, scammers have honed their craft, making it difficult for many to identify email phishing attacks as they’re happening. A phishing attack could come in the form of a message falsely claiming an account is locked due to suspicious activity, an email noting that a fabricated billing statement is overdue, or a congratulatory text saying a recipient won a free product or service that does not exist.
The Evolution of Phishing
- The expression “phishing” was first used in the 1990s to describe attempts to gain access to AOL usernames and passwords. Users weren’t familiar with this kind of attack, and many fell prey to phishing even when AOL cautioned users about the danger phishing presented.
- Since then, attackers have become even more sophisticated and prolific. In response, companies have adopted powerful gateway-level email security and phishing tools. But attackers have not backed off, creating new methods such as phishing websites that spoof popular domains to attempt to collect sensitive data. The sheer number of phishing sites and the tight timeline security teams have to warn people about them, make phishing attacks extremely difficult problems to address.
- Today, more than 1.5 million new phishing sites get created per month, and the sites only stay active for 4 to 8 hours on average. And unfortunately, rule-based email security tools don’t have the visual anomaly detection features to uncover fake login pages in real-time.
Types of Phishing
The hallmarks of phishing are similar across each type of attack, but it’s beneficial to have a solid understanding of each type of phishing to be as vigilant as possible. Below, we define 4 types of phishing and provide examples to help you take precautionary measures against them.
| Name |
Definition |
Limitations |
| Spear Phishing |
- Targets a particular company or person.
- Perpetrators take the time to deeply understand an enterprise’s organizational structure in order to create a believable scam.
|
A consulting firm is helping a technology company implement new enterprise software. A scammer finds out that a customer success representative is assisting with the testing phase of the project.
Pretending to be a member of the consulting team, the attacker sends the CSR an email claiming that personal information is required to set up her test account. The rep responds to the email, willingly giving out her home address, phone number, and social security number. |
| Whaling |
- Targets senior leadership, e.g., C-suite or company board members.
- Phishers must study the individuals they plan to target carefully.
|
The CEO of a construction company receives an email that warns that the company is under investigation by a legal entity. Panicking, the CEO opens the email and the attachments, unknowingly downloading malware. |
| Smishing/ SMS Phishing |
- Attackers send victims texts with special offers or phony alerts.
- Links within the text ask recipients for credentials or direct them to malicious sites.
|
A finance firm operations manager receives a text about upgrading the business Wi-Fi. The offer is compelling and seems to come from the company’s current internet provider.
He clicks on the link in the text, which takes him/her to the account login page and innocently gives his credentials to attackers. |
| Business Email Compromise (BEC) |
- Scammers hack into enterprise email accounts.
- If attackers cannot get full access to a business email account, they will create their own email address with very similar characteristics to those of the corporate network they are trying to scam.
For example, if company emails usually look like “john@sprint.com”, the hacker might create one like: “john@spriint.com”.
- Criminals then assume the identity of an employee or vendor in an attempt to defraud the company.
|
A procurements manager at a healthcare company is sorting through emails and receives an invoice from a medical supplies vendor- called Medical Devices, Inc.
He/She gets bills from Medical Devices, Inc. often, so opens the email, clicks the embedded link, and pays the invoice.
He/She doesn’t notice that the email came from jessica@medicaldevices.com instead of jessica@medicaldevicesinc.com, so his payment is directed straight into scam bank accounts. |
How to Detect a Phishing Attack
The most revealing thing about phishing scams is that they contain calls to action to click a button, open attachments, or reply with sensitive information.
But there are other telltale signs of phishing attacks as well.
- Usually phishing attacks create an unreasonable sense of urgency, such as limited time offers or alleged account suspensions.
- Phishing scams also have odd aesthetic features, like blurry or overstretched images, and copy with misspellings, odd capitalization, and/or other grammatical errors.
- Look for things like listing an incorrect account number in a text, using an old or outdated company logo on a website, or addressing a subject by the wrong name in an email.
Tips to Prevent Phishing
1. Employee Education
Education increases the likelihood that employees will discern attacks and report them to company security teams before surrendering any information. If you don’t already, instruct your employees to hover over links to check for a Secure Socket Layer certificate, force them to regularly change their passwords, and encourage them to set unique passwords for each application they use.
Besides these common safety measures, continuously update your employees on new tactics scammers are using to add an extra layer of protection to your business.
2. MFA/2FA
Multi-factor or two-factor authentication—MFA and 2FA, respectively—are standard phishing protection for any modern business. When logging into a workplace application, MFA and 2FA require employees to provide their password and one or more codes sent via text or authenticator app to add an extra level of defense around sensitive information.
3. API Mailbox-level Intelligence
To detect malicious emails with and without payloads, the technology must have the capacity to dynamically learn mailbox and communication habits too. This will allow for the detection of anomalies based on both email content and metadata and thereby improve trust and authentication of email communications, flagging and quarantining any threats in real time.
4. AI-powered Incident Response
Many organizations have to manually sift through emails and triage attacks one by one, but relying on humans to find and investigate each attack leaves a lot of room for error. Artificial intelligence can dramatically speed up this process by automatically surfacing, analyzing, and even responding to attacks, freeing up your resources to work on other pressing projects.
Take the first step towards a more holistic, comprehensive approach to your security by requesting a free IRONSCALES demo today.
