What Is Phishing?

What to look out for and how to prevent it.

Phishing, which attempts to capture sensitive data such as personally identifiable information, passwords and, more worryingly, your bank and credit card details, is now the most popular form of cybercrime and one we all need to be aware of.

We reveal everything you need to know about the much-talked-about and increasing form of cyberattack, and more importantly, how to protect you and your business online.


What Is Phishing?

Phishing is a form of cyberattack that uses deceptive emails as its weapon of choice.

The purpose of these emails is to mislead the recipient into believing that the message is something they need to act on – a request from their bank, for instance, or an email from a colleague or manager asking them to click on a link or download an attachment.

Phishing is popular amongst hackers, quite simply because it works, and that’s down to the ever-changing techniques and convincing emails that nurture and build trust with a recipient.

By coming from what appears to be a real person or a trusted entity, the recipient is more likely to click or download an attachment – and that’s when the clever but nasty stuff happens.

Whilst very common, Phishing isn’t new; in fact, it’s one of the oldest forms of cybercrime. The first ever lawsuit for Phishing was filed back in 2004, which highlights how hard it can be to deter, given the ever-changing techniques and types of attack.


How common is Phishing?

Phishing, malware and ransomware remain the top three weapons of choice for today’s cyber criminals. The Cyber Security Breaches Survey, a research study by GOV.UK, recently found that 72% of large organisations and 36% of small firms in the UK experienced cyberattacks in early 2023, and 83% of those that encountered a breach identified it as a phishing attack.


Types of Phishing

Spear Phishing

Spear Phishing is when a hacker creates a bespoke email targeting a specific individual – like a fisherman aiming for one specific fish, as opposed to just casting a baited hook and seeing who bites.

Hackers do their research, identifying targets on social media, most commonly LinkedIn, so they can impersonate their co-workers. As an example, a Spear Phisher might impersonate a manager and target the finance department, requesting a payment or bank transfer.

Clone Phishing

Clone phishing is a type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email.

The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version to the original.

Whale Phishing

Whale Phishing, or Whaling, is like Spear Phishing, except that it targets the very big fish – CEOs, Directors and other high-value targets.

Company board members are thought to be an extremely high-risk target: they have a great deal of authority within a company, but since they aren’t full-time employees, they often use personal email addresses for business-related communication, which usually don’t have the security controls and added protection offered by a business email account.

Smishing and Vishing

Both smishing and vishing move away from email to employ telephones as their preferred means of communication. Smishing entails criminals sending text messages that contain content similar to email phishing attempts, while vishing revolves around engaging in telephone conversations.

Angler Phishing

Social media is the relatively new kid on the block, providing numerous avenues for criminals to deceive individuals. They can employ tactics such as fake URLs, cloned websites, posts and tweets, as well as instant messaging (which essentially mirrors smishing), to manipulate people into disclosing sensitive information or downloading malware.


The Top 10 Most Impersonated Brands

As mentioned above, Phishing is most effective when impersonating your favourite and most popular services, some of which you’ll probably already have an account with, or at least be familiar with – making the emails a lot more plausible.

Taken from a recent survey by Vade, the top 10 most impersonated brands are:

  1. Facebook
  2. Microsoft
  3. Google
  4. PayPal
  5. MTB
  6. Orange
  7. Crédit Agricole
  8. WhatsApp
  9. La Banque Postale
  10. au

This doesn’t mean these are the only brands being targeted; it’s just more likely that a victim will actually have one or more of these accounts, making them more susceptible to trusting the email and clicking on it.


Top 5 Most Commonly Used Email Subject Lines

A hacker’s biggest challenge is getting a victim to even open an email, let alone click on it, which is why they use scare tactics when choosing subject lines.

According to research from KnowBe4, the most common subject lines to real-life phishing emails in Q3 of 2022 were as follows:

  1. Equipment and Software Update
  2. Mail Notification: You have 5 Encrypted Messages
  3. Amazon: Amazon – delayed shipping
  4. Google: Password Expiration Notice
  5. Action required: Your payment was declined

As you can see, all of the above use tactics that demand immediate attention or action, creating urgency or putting the victim into a state of panic that clouds their judgement when deciding whether to click on a link.

So the next time you get an email from Google asking you to change your password or your credit card saying your payment was declined, think twice and check that the email is actually real.


How Can I Check If an Email Is Real?

Whilst hackers are getting smarter in their phishing techniques, they’re still human, and it’s the human errors that are easiest to spot. Here are a few obvious things to look out for:

URLs

Often URLs will appear like the real thing, but by simply hovering your mouse over the link or checking its details, you can see the actual address. If the actual address differs from the one displayed, something isn’t quite right. You can do the same with the ‘from’ address: check whether the domain name is associated with the company it claims to be from. For example, if you receive an email from what you think is your bank but the email domain is Gmail, or the name is misspelt in any way, it’s most definitely a scam.

Spelling & Grammar

Brands are pretty serious about their image, so it’s very rare for an official brand’s email to have major spelling mistakes or poor grammar. Read your emails carefully and report anything that seems suspicious.

Personalisation

Phishing emails are usually sent en masse, generally to thousands if not millions of email addresses at any one time, so the chances are it won’t be personalised. You’ll most likely get an email saying “Dear Member” or “Valued Customer” rather than one addressed to you by your first name.
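The three tells above (a link whose real address differs from what is displayed or from the sender’s claimed domain, spelling mistakes, and a generic greeting) can be checked automatically as a first-pass filter. The script below is an added example, not code from the article or from Advantex; it assumes the reader knows the brand’s genuine domain (set here to the reserved placeholder `examplebank.example`), uses a tiny constructed misspelling list in place of a real spell-checker, and runs over two constructed sample messages rather than real mail.

```python
# Added example: heuristic 'is this email real?' checks over a raw RFC 822 message.
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the genuine domain of the brand the email claims to be from.
# '.example' and '.invalid' are reserved TLDs used only for constructed data.
EXPECTED_DOMAIN = "examplebank.example"
GENERIC_GREETINGS = ("dear member", "valued customer", "dear customer", "dear user")
COMMON_MISSPELLINGS = {"verfiy", "recieve", "acount", "securty"}  # constructed list


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lower-cased host of a URL, or of link text that merely looks like one."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def belongs_to(host, domain):
    """True if host is the expected domain or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def analyse(raw_message, expected_domain=EXPECTED_DOMAIN):
    """Return (category, detail) findings; an empty list means no tells found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    # 1a. The 'from' address: does its domain belong to the claimed company?
    sender = msg["from"].addresses[0].addr_spec if msg["from"] else ""
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if not belongs_to(sender_domain, expected_domain):
        findings.append(("sender", f"from-domain {sender_domain!r} is not {expected_domain!r}"))
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    # 1b. Links: compare the displayed text with the address the link really opens.
    parser = LinkExtractor()
    parser.feed(content)
    for href, shown in parser.links:
        target = host_of(href)
        looks_like_url = "." in shown and " " not in shown
        if looks_like_url and host_of(shown) != target:
            findings.append(("link", f"shows {shown!r} but opens {target!r}"))
        elif not belongs_to(target, expected_domain):
            findings.append(("link", f"{target!r} is not {expected_domain!r}"))
    lowered = content.lower()
    # 2. Spelling: any word from the (constructed) misspelling list in the body.
    bad = COMMON_MISSPELLINGS & set(re.findall(r"[a-z]+", lowered))
    if bad:
        findings.append(("spelling", ", ".join(sorted(bad))))
    # 3. Personalisation: a generic greeting instead of the recipient's name.
    for greeting in GENERIC_GREETINGS:
        if greeting in lowered:
            findings.append(("greeting", greeting))
            break
    return findings


# Constructed sample messages (not real mail).
PHISH_SAMPLE = "\n".join([
    'From: "Example Bank" <alerts@examplebank-secure.invalid>',
    "To: jane.doe@example.org",
    "Subject: Action required: Your payment was declined",
    'Content-Type: text/html; charset="utf-8"',
    "",
    "<html><body><p>Dear Valued Customer,</p><p>Please verfiy your account at ",
    '<a href="http://examplebank.example.invalid/verify">'
    "https://www.examplebank.example/verify</a></p></body></html>",
])
LEGIT_SAMPLE = "\n".join([
    'From: "Example Bank" <alerts@examplebank.example>',
    "To: jane.doe@example.org",
    "Subject: Your monthly statement is ready",
    'Content-Type: text/html; charset="utf-8"',
    "",
    "<html><body><p>Dear Jane,</p><p>Your statement is in ",
    '<a href="https://www.examplebank.example/statements">online banking</a>.</p></body></html>',
])

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, analyse(sample))
```

The phishing sample trips all four checks (sender domain, link mismatch, misspelling, generic greeting) while the legitimate one returns nothing. Subdomains of the genuine domain are accepted on purpose, which is why `belongs_to` is a suffix match on a full label rather than a substring search: a substring test would wrongly accept `examplebank.example.invalid`.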


The Dangers of Phishing

Not only can phishing have an immediate financial impact on your business, but it can also cause permanent damage to your brand.

Whilst most would agree that Phishing attacks and data breaches impact a company’s bottom line, they can also cause so much more damage than just the initial financial loss.

Organisations lose approximately $180 (£143) for each piece of personal information stolen in a phishing attack, according to Venari Security. IBM also found that the average cost of a data breach rose from $4.24 million (£3.42 million) in 2021 to $4.35 million (£3.51 million) in 2022.

Like most forms of cybercrime, attacks are usually spotted too late. In fact, it’s quite common for hacks to be discovered by customers and not the company itself. In the UK, organisations took an average of 181 days to identify the fact that a breach had occurred and a further 75 days to contain the incident.

So as we trust a business with our personal and financial details, we also expect to be able to shop securely online as standard, knowing our credentials are in safe hands – but with so many outlets and choices online nowadays, it doesn’t take much for a customer to take their custom elsewhere, especially in light of a cyber attack or some form of breach.

In addition to losing existing customers, news of a hack is something the press and social media will take a shine to, instantly damaging a brand’s overall image. Readers judge quickly, casting doubt over the business, and whether you are a small-time business or one of the world’s biggest and best-known brands, people need to have confidence in how you store and manage their personal details online.

However, it doesn’t stop there: in addition to being left red-faced and dealing with financial losses, a business can face customer lawsuits and be fined for non-compliance with data protection regulations – highlighting the seriousness of phishing and cybercrime.


How Do I Protect Against Phishing Attacks?

User Education

One way to protect your business from phishing is user education, and this should involve all employees at every level.

Whilst all employees are at risk, CEOs, Executives and Board members are most commonly the dream target for hackers, so education is needed at the top as well as the bottom of an organisation chart.

Educate your employees on how to recognise a phishing email using some of the tips highlighted above and, equally if not more importantly, on what to do when they receive one. Put a procedure in place so they can quarantine and report the emails safely – ensuring they don’t click on links or download any attachments.

However, whilst user education is essential to protecting a business, the emails are becoming more convincing, and worryingly, tactics are becoming far more advanced than we imagined, so technology is the only sure-fire way to get the upper hand on phishing.

Security Technology

No single cybersecurity strategy can prevent phishing attacks. Instead, businesses must take a layered approach to reduce the number of attacks and lessen their impact if and when they do occur.

Network security technologies that should be implemented include email and web security, malware protection, user behaviour monitoring, and access control.

So whilst one solution won’t give you 100% protection from phishing, an obvious place to start would be something like Cisco’s Umbrella and Duo’s multi-factor authentication.

As the industry’s first Secure Internet Gateway in the cloud, Cisco Umbrella provides the first line of defence against threats on the internet. Because Umbrella is delivered from the cloud, it is the easiest way to protect all of your users in minutes.

Whereas, Duo’s MFA and 2FA (two-factor authentication) app and access tools can help make security resilience easy for your organisation, with user-friendly features for secure access, strong authentication and device monitoring.


Still Need Convincing?

Do you still think you’re invincible? Don’t think it will happen to you?

Send us your details below and get a FREE Cybersecurity Consultation!

We’ll carry out a FREE no-obligation consultation at your business and examine your existing infrastructure and security network(s). As well as examine what you’re currently doing, we will advise on how you can best protect your data – and help prepare you and your business for the imminent threat of a cyberattack.

Don’t take the risk, get in touch today!


Address

Advantex Network Solutions Limited
16B Follingsby Close
Gateshead
Tyne and Wear
NE10 8YG

Phone

0345 222 0 666