So what is phishing anyway?
Phishing is a type of cybercrime that attempts to get victims to leak sensitive information through email, call, and/or text message scams.
Cybercriminals often use social engineering to convince the victim to hand over personal information, presenting themselves as a trustworthy person so that a request for sensitive information seems reasonable.
Are there different types of phishing?
Spear phishing is similar to general phishing in that it targets confidential information, but it is tailored to a specific victim in order to extract as much information as possible from that one person. Spear phishing messages address the target directly and impersonate a person or organization the victim already knows. As a result they take far more effort to build, since the attacker first has to research the target; the usual targets are people who publish personal information on the internet. Because of that personalization, spear phishing attacks are much harder to identify than generic ones.
Compared to spear phishing, whaling attacks are more targeted still. They go after specific individuals in an organization or company and impersonate somebody senior in that company. Common goals of whaling are to trick the target into revealing confidential data or transferring money. Like regular phishing, the attack arrives as an email, and it may use company logos and look-alike addresses to disguise itself. Because employees are less likely to refuse a request from somebody higher up, these attacks are much more dangerous.
Angler phishing is a relatively new type of phishing attack that takes place on social media rather than through the traditional email format. The attacker poses as a company's customer service account and tricks people into sending information through direct messages, or leads them to a fake customer support website that downloads malware onto the victim's device.
How does a phishing attack work?
Phishing attacks rely entirely on tricking victims into giving up personal information through different methods of social engineering.
The cybercriminal will attempt to gain the trust of the victim by presenting themselves as a representative from a reputable company.
As a result, the victim feels safe handing the cybercriminal sensitive information, and that is how the information is stolen.
How can you identify a phishing attack?
Most phishing attacks occur through emails, but there are ways to identify their legitimacy.
- Check Email Domain
When you open an email, check whether it comes from a public email domain (e.g. @gmail.com). If it does, it is most likely a phishing attack, as organizations do not send from public domains; their domains are unique to their business (e.g. Google's email domain is @google.com). However, trickier phishing attacks use a unique domain of their own, so it is worth doing a quick search of the company and the domain to check its legitimacy.
- Email has Generic Greeting
Phishing attacks always attempt to befriend you with a nice greeting or a show of empathy. For example, not too long ago I found a phishing email in my spam with the greeting "Dear friend". I already knew this was a phishing email because the subject line read "GOOD NEWS ABOUT YOUR FUNDS 21 /06/2020". Greetings like these should be instant red flags if you have never interacted with that contact.
- Check the contents
The contents of a phishing email matter a great deal, and most of them share some distinctive features. If the contents sound absurd or over the top, it is most likely a scam. For example, if the subject line says "You won the Lottery $1000000" and you have no recollection of participating, that is an instant red flag. When the content creates a sense of urgency ("it depends on you") and tries to make you click a link, do not click the link; simply delete the email.
- Hyperlinks and Attachments
Phishing emails always carry a suspicious link or an attached file. These attachments may be infected with malware, so do not open them unless you are absolutely certain they are safe. A good way to check whether a link or file is malicious is VirusTotal, a website that scans files and URLs for malware.
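The four checks above (public sender domain, generic greeting, urgency wording, and suspicious links or attachments) can be turned into a simple triage script. The following is an added example, not code from the original article: it parses a raw email with Python's standard library, runs each heuristic, and returns the red flags it found. The sample message, the list of public domains and the wordlists are constructed for illustration and would need tuning for real mail.

```python
"""Heuristic phishing triage for a raw email message (added example)."""
import email
import os
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: a small illustrative set of free webmail domains a business would not send from.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}
# Assumption: constructed wordlists for the "generic greeting" and "urgency" checks.
GENERIC_GREETING = re.compile(
    r"\b(dear|hello|hi)\s+(friend|customer|user|sir/madam|valued (?:customer|member))\b", re.I)
URGENCY = re.compile(
    r"\b(urgent|immediately|act now|within 24 hours|account will be suspended|"
    r"verify your account|it depends on you|you (?:have )?won)\b", re.I)
# Attachment types commonly used to deliver malware; treat as risky, not as proof.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".iso", ".zip", ".docm", ".xlsm"}


def sender_domain(msg: EmailMessage) -> str:
    """Domain part of the From: address, lower-cased."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def extract_links(html: str):
    """Return (href, visible text) pairs for every <a> tag in the HTML body."""
    return re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S)


def link_mismatch(shown: str, href: str) -> bool:
    """True when the visible text looks like a URL but points at a different host."""
    shown = shown.strip()
    if not re.match(r"https?://", shown, re.I):
        return False
    return urlparse(shown).hostname != urlparse(href).hostname


def analyse(raw: str) -> dict:
    """Run the four heuristics and return a score, the findings and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    domain = sender_domain(msg)
    if domain in PUBLIC_DOMAINS:
        findings.append(f"sender uses public email domain {domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = re.sub(r"<[^>]+>", " ", html)          # strip tags for the wording checks
    if GENERIC_GREETING.search(text):
        findings.append("generic greeting")
    if URGENCY.search(msg.get("Subject", "") + "\n" + text):
        findings.append("urgency or too-good-to-be-true wording")
    for href, shown in extract_links(html):
        if link_mismatch(shown, href):
            findings.append(f"link text {shown.strip()} really points to {urlparse(href).hostname}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if os.path.splitext(name)[1] in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {name}")
    verdict = "suspicious" if len(findings) >= 2 else "probably fine"
    return {"score": len(findings), "findings": findings, "verdict": verdict}


def build_sample() -> str:
    """Constructed sample message (not a real email) showing all four red flags."""
    m = EmailMessage()
    m["From"] = "Acme Bank Support <acme.support.desk@gmail.com>"
    m["To"] = "employee@example.com"
    m["Subject"] = "URGENT: verify your account within 24 hours"
    m.set_content("Dear customer, please verify your account.")
    m.add_alternative(
        '<p>Dear customer,</p><p>Your account will be suspended. '
        '<a href="http://login.example.net/verify">https://acme-bank.example.com</a></p>',
        subtype="html")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                     filename="statement.zip")
    return m.as_string()


if __name__ == "__main__":
    result = analyse(build_sample())
    print(result["verdict"], result["score"])
    for f in result["findings"]:
        print(" -", f)
```

Each finding maps back to one of the checks in the list above, so the output doubles as a training aid: a reader can see which cue flagged the message. The link check deliberately fires only when the visible text itself looks like a URL, because "Click here" pointing at an unfamiliar host is normal in legitimate mail, whereas a displayed bank URL that leads somewhere else is the classic deception.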
How can you prevent phishing?
The best way to prevent phishing is to train yourself and your employees to identify a phishing attack.
You can properly train your employees by showing them many examples of phishing emails, calls, and messages.
There are also phishing simulations, where you can put your employees firsthand through what a phishing attack is really like, more on that below.
Can you tell me what a phishing simulation is?
Phishing simulations are exercises that help employees distinguish a phishing email from any other ordinary email.
This would allow employees to recognize potential threats to keep their company’s information safe.
What are the benefits of simulation phishing attacks?
Simulating phishing attacks can be very beneficial in observing how your employees and company would react if actual malicious content was sent.
It will also give them first-hand experience of what a phishing email, message, or call looks like, so they can identify actual attacks when they come.