The Ultimate Guide To Understanding Phishing In 2020
Table of Contents:
1. What is Phishing?
2. Types of Phishing Attacks
3. How to identify a Phishing Attack
4. How to protect your company
What is phishing? Phishing is a form of fraud in which an attacker poses as a trusted party to trick people into handing over passwords, payment details or other sensitive information. With that information the attacker can take over important accounts, commit identity theft and cause serious financial loss. Phishing arrives as emails, text messages and phone calls, and it usually impersonates popular services and companies to lure the victim in. Clicking a phishing link typically lands you on a fake login page that captures whatever you type; some phishing sites also try to install malware on the device.
Phishing is becoming more common as businesses and individuals rely more heavily on email. Attacks are evolving, becoming more sophisticated and more targeted at specific people, and as a result harder to detect. In this guide we show you how to identify and avoid a phishing attack and, for the businesses out there, how to protect your company.
Variations on Phishing Attacks
There are many variations on the general phishing attack. In this article we’ll go over spear phishing, whaling and angler phishing.
Spear phishing, like general phishing, is after confidential information, but it is tailored to a specific victim. The message addresses the target by name and is disguised as coming from a person or organisation the victim knows, such as a colleague, a supplier or their bank, in order to extract as much as possible from that one person. This takes far more effort, because the attacker first has to research the target, usually from information the victim has put on the internet (social media profiles, company websites). Because of that personalisation, spear phishing emails are much harder to spot than generic ones.
Whaling is spear phishing aimed at the top of an organisation. Either the target is a senior executive (the “whale”), or the attacker impersonates one, for example a fake message from the CEO to someone in the finance team. The usual goal is to trick the target into revealing confidential data or transferring money; the impersonation variant is often called CEO fraud or business email compromise. Like regular phishing it arrives by email, dressed up with company logos and a sender address that closely resembles the real one. Because employees are reluctant to refuse a request from someone higher up, these attacks are particularly dangerous.
Angler phishing is a relatively new variant that lives on social media rather than email. The attacker sets up an account posing as a company’s customer support, replies to people who have posted complaints or questions about that company, and asks them to continue over direct message, where they are tricked into sending account details. Alternatively the victim is sent to a fake customer support website that harvests credentials or downloads malware onto their device (ransomware being one common payload).
How to identify a phishing attack
Most phishing attacks arrive by email, and there are several ways to judge whether a message is legitimate.
1. Check Email Domain
When you open an email, look at the domain after the @ in the sender’s address. A message claiming to come from an established company but sent from a public webmail domain (e.g. @gmail.com) is almost certainly phishing, because such companies send from their own domain (Google’s mail comes from @google.com). Trickier attacks register a domain that merely resembles the real one: a misspelling, a homoglyph such as “rn” in place of “m”, or the brand name tucked into a subdomain of an unrelated domain (paypal.com.something-else.net). Read the whole domain rather than just looking for the brand name, and if in doubt do a quick search for the company and compare its real domain. Keep in mind that the displayed sender name can be set to anything and should never be trusted on its own.
2. Email has a Generic Greeting
Phishing emails often open with a friendly but impersonal greeting, because the sender does not actually know you. For example, in my spam folder not long ago I found a phishing email with the greeting “Dear friend”. I already knew this was a phishing email because the subject line said “GOOD NEWS ABOUT YOUR FUNDS 21 /06/2020”. A greeting like that from a contact you have never interacted with should be an instant red flag.
3. Check the contents
The contents of a phishing email matter, and most share a few distinctive features. If the message sounds absurd or over the top, it is most likely a scam: a subject line like “You won the Lottery $1000000” when you have no recollection of entering a lottery is an instant red flag. A manufactured sense of urgency (“it depends on you”, “your account will be suspended”) that pushes you towards a suspicious link is also a no go.
4. Hyperlinks and Attachments
Phishing emails usually carry a suspicious link or attachment. Hover over a link before clicking it: the visible text can say one thing while the actual destination is something else entirely. One way to check a link or file is VirusTotal, a website that scans URLs and files against many antivirus engines. A clean result is not a guarantee, though, since freshly registered phishing pages are often not flagged yet.
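To show how the four checks above can be applied mechanically, here is an added example (not code from the original article) that scores a raw email against them in Python using only the standard library. The webmail list, the brand list (KNOWN_BRANDS), the greeting and urgency phrases, the risky attachment types and the two sample messages (PHISH, LEGIT) are constructed assumptions for the demonstration, not real traffic or a production rule set.

```python
import re
from difflib import SequenceMatcher
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Check 1: free webmail a large company would not send official mail from.
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
# Brands this organisation expects mail from (assumed list), used to spot lookalike domains.
KNOWN_BRANDS = ["google.com", "microsoft.com", "paypal.com"]
# Checks 2 and 3: generic salutations, and urgency / too-good-to-be-true phrases.
GENERIC_GREETING = re.compile(r"\b(dear|hello|hi)\s+(friend|customer|user|sir|madam|member)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|act now|suspended|verify your account|you (have )?won)\b", re.I)
# Check 4: <a> tags, link text that is itself a URL, and attachment types that commonly carry droppers.
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".htm", ".html", ".iso", ".lnk", ".docm", ".xlsm")

def lookalike_of(domain):
    """Brand domain that `domain` imitates, or None (also None for the genuine brand domain)."""
    domain = domain.lower()
    registered = ".".join(domain.split(".")[-2:])  # last two labels; no public-suffix list here
    if registered in KNOWN_BRANDS:
        return None
    labels = [lab for lab in re.split(r"[.\-]", domain) if lab]
    # undo common homoglyph swaps: rnicrosoft -> microsoft, paypa1 -> paypal, g00gle -> google
    squashed = registered.split(".")[0].replace("rn", "m").replace("vv", "w").replace("1", "l").replace("0", "o")
    for brand in KNOWN_BRANDS:
        name = brand.split(".")[0]
        # brand used as a sub-label (paypal-verify.example.net, paypal.com.evil.net) or a near-miss (paypa1.com)
        if name in labels or SequenceMatcher(None, squashed, name).ratio() >= 0.8:
            return brand
    return None

def analyze(raw):
    """Return (check, detail) findings for one raw RFC 5322 message; [] means nothing matched."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    # 1. sender domain: public webmail, or a lookalike of a brand we trust
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if domain in PUBLIC_WEBMAIL:
        findings.append(("domain", f"sent from public webmail {domain}"))
    if lookalike_of(domain):
        findings.append(("domain", f"{domain} imitates {lookalike_of(domain)}"))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = re.sub(r"<[^>]+>", " ", html)
    # 2. generic greeting
    m = GENERIC_GREETING.search(text)
    if m:
        findings.append(("greeting", m.group(0)))
    # 3. urgency or lottery-style bait in the subject or body
    for m in URGENCY.finditer(str(msg.get("Subject", "")) + " " + text):
        findings.append(("urgency", m.group(0)))
    # 4a. links whose visible text names a different host than the real target, or a lookalike host
    for href, shown in ANCHOR.findall(html):
        real = urlparse(href).hostname or ""
        shown = re.sub(r"<[^>]+>", "", shown).strip()
        if URL_LIKE.match(shown):
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
            if shown_host != real:
                findings.append(("link", f"text says {shown_host}, goes to {real}"))
        if lookalike_of(real):
            findings.append(("link", f"{real} imitates {lookalike_of(real)}"))
    # 4b. attachments of types that commonly carry droppers
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXT):
            findings.append(("attachment", name))
    return findings

# Constructed sample messages (not real traffic): one phish, one ordinary notification.
PHISH = b"""\
From: "PayPal Support" <security@paypa1.com>
Subject: URGENT: verify your account within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p><p>Your account will be suspended unless you act now.</p>
<p><a href="http://paypal-verify.example.net/login">https://www.paypal.com/signin</a></p></body></html>
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="Verify_Account.html"

<script>location="http://paypal-verify.example.net/login"</script>
--b1--
"""

LEGIT = b"""\
From: "Acme Billing" <billing@acme.example>
Subject: Your March invoice is ready
Content-Type: text/plain; charset="utf-8"

Hi Jane,
Invoice 1042 is on your account page at https://billing.acme.example/invoices.
"""
```

Calling analyze(PHISH) reports the lookalike sender paypa1.com, the “Dear Customer” greeting, five urgency phrases, a link whose text says www.paypal.com but actually goes to paypal-verify.example.net (which itself imitates paypal.com), and an .html attachment; analyze(LEGIT) returns an empty list. The heuristics are deliberately simple: treating the last two labels as the registered domain and undoing a handful of homoglyph swaps is enough for .com-style names, but a real deployment would need a public-suffix list, IDN/punycode handling and, ideally, the SPF/DKIM/DMARC results from the receiving mail server rather than the From header alone.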
Example of Phishing email:
In the example, Gmail flags the message as potentially dangerous because its content matches other phishing emails Google has already seen.
If an email meets most of the criteria above, report it to [email protected]g or [email protected] so that it can be blocked. If you use Gmail, the message menu also offers a “Report phishing” option.
How to protect your company
Although phishing attacks are often sprayed at random individuals, they can just as well be aimed at the employees of a particular company, and in that case the attackers are frequently after the company’s data rather than its money. For a business, data is often more valuable than money, and a leak can do lasting damage: attackers can use it to influence the public, seriously undermining consumer trust and tarnishing the company’s name. Other consequences include loss of investor confidence, disrupted operations and, in Europe, regulatory fines under the General Data Protection Regulation (GDPR).
The most effective single measure is training employees to recognise phishing. The basic approach is to show them examples of phishing emails and the tell-tale signs described above. A better way is a phishing simulation: a fake attack run by (or on behalf of) the company itself, so employees experience phishing first hand without any real consequences. Be aware, though, that simulation platforms come at a price.
Be wary: anyone can fall victim to a phishing attack. Use the checklist above to identify unusual emails, and report the ones that turn out to be phishing. Spam and phishing filters help, but they are not 100% effective, because phishing emails are constantly evolving and no two are the same. To protect your company, run phishing simulations to reduce the chance of a successful attack.