When most people think about phishing, they think of emails with fake shipping notices or asking for their Social Security number so they can inherit gold in a foreign country. But the reality is there are many different forms of phishing that social engineers are using to trick your users and systems to gain access, get data, infect machines with ransomware or malware, compromise credentials and steal data.
You may think your organization is secure, but it only takes one of your users to fall victim to a phishing attack for you to see an impact to your organization. And that impact can be catastrophic ranging from ransomware to full data theft of your sensitive information, proprietary information, and client information.
In this blog, we will demystify these attacks so you know what to expect. To learn how to defend your users and systems against these attacks, watch our webinar on how to Protect and Defend Effective Email Protection for the Modern Business.
1. Email Phishing
Email phishing is a “spray-and-pray” attempt to acquire sensitive information like usernames, passwords, and credit card details by masquerading as a trustworthy entity. Phishing emails are usually sent to many people and may include links to fake websites that resemble those of legitimate companies. In some cases, the scammers may even pose as employees or friends of the target. They often use messenger applications and social media to get personal information from their targets. The best way to protect yourself from email phishing attacks is by being vigilant and scrutinizing emails, looking for telltale signs like poor spelling and bad grammar.
2. Spear Phishing
Where email phishing is broad, spear phishing is a highly targeted attempt to trick a user into clicking a link or giving them credentials. It’s a sophisticated email that’s well written (doesn’t contain typos) and contains the name of the recipient or their superior. It’s usually the “name drop email” with some sort of urgency and targeted towards a specific user at that organization. A common example is an email appearing from someone in leadership asking you to purchase gift cards and send them the codes because they’re in a meeting.
This email attack specifically targets senior executives because they have a lot of control and access. The attackers know executives receive hundreds of emails a day and that their schedules are packed. The attackers are counting on those factors to wear down their target’s vigilance – leading to a slip where an executive clicks a link in an email that gives attackers access to company records. These attacks are very selective and subtle; since only a few receive the email, it’s often undetected and unreported.
SMS Phishing (Smishing) is a very common attack that sends text messages to many employees at once containing a link to get an offer or reward. It’s easy for attackers to spoof a phone number to look like it’s coming from a familiar location and person. You can reduce the likelihood an employee will click on a text link by making a company policy to never send texts to employees – and ensuring all employees know it.
5. Voice Phishing
This attack spoofs your company number to make it look like the attacker is a fellow employee. They use the fake number to cold call your employees and pretend they’re in a recognizable department to get the employee to hand over financial information, personal information, or even application information.
6. Angler Phishing
This social media attack intercepts legitimate communications by spoofing the social account a user is interacting with. For example, someone is tweeting at PayPal because they’re trying to get a refund. The attacker will create a fake account with a name that sounds close enough to the legitimate company profile and reach out to the user to “help” them. Once the attacker gets the user in a separate communication thread, they will provide a URL to a website that looks very similar to the legitimate website to scam the user out of their login credentials.
Though ransomware gets most of the press, phishing attacks like these are common and varying. It’s not enough to just focus on system security; you must also think about user security.
To learn how to protect your users from phishing attacks, watch our webinar on how to Protect and Defend Effective Email Protection for the Modern Business.