In this day and age, cybersecurity is at the forefront of operational priorities. High-profile data breaches have taught the hard-earned lesson that protecting data and personally identifiable information (PII) needs to take precedence. One of the most prevalent threats to organizations is phishing.
In a recent survey, 92% of businesses reported that they had fallen victim to phishing attacks. Phishing succeeds because it exploits human error rather than weaknesses in your systems, which also makes it difficult to combat. This article provides an overview of phishing and will help you understand how to avoid these attacks.
Phishing is a type of cyberattack that uses email (traditional phishing), phone (vishing or voice phishing) or text (smishing or SMS phishing) to entice individuals into providing personal or sensitive information to cybercriminals. This information can range from passwords, credit card information and social security numbers to details about a person or an organization. Attackers pose as legitimate representatives to gain this information, which is then used to access accounts or systems. Ultimately, once in the hands of adversaries, it often leads to identity theft or significant financial loss.
It is common for scammers to use various methods of communication to perpetrate phishing scams, including emails, texts and phone calls. In order to gain trust, attackers often masquerade as legitimate representatives of organizations. They will construct emails that appear genuine or make phone calls in a manner that sounds like valid requests for information.
In most cases, phishing involves human interaction and manipulation to trick victims into clicking on a malicious link or unknowingly providing information to an attacker. Often, people conducting phishing attacks attempt to impersonate tech support, banks or government organizations in order to obtain passwords and personal information.
The term phishing was first used in reference to AOHell, a program developed by a Pennsylvania teen. The program combined a credit-card-stealing and password-cracking mechanism, which was used to cause disruptions for AOL. This software spawned other automated phishing tools, such as those later used by the Warez community.
The first organized phishing attacks are attributed to the Warez community, a group known for hacking and piracy. These phishing scams targeted AOL users in 1996. The Warez community infamously used an algorithm to generate random credit card numbers. When the group landed on a valid number, they were able to create real AOL accounts that they used to scam other AOL users. This was later followed by social engineering tactics when members of the group impersonated AOL employees in an attempt to gather more sensitive information.
After this phishing scam, attackers quickly moved on to email as a method for trying to gather useful intel. Phishing emails ranged in sophistication from the less-than-convincing Nigerian princes asking for financial backing to the much more convincing 2003 Mimail virus, which originated from an email claiming to be from PayPal.
The email containing the Mimail virus was fairly successful at convincing users to enter their usernames and passwords. The email warned of expiring credit card information with a request to update it as soon as possible. The link took visitors to a window with PayPal's logo, and many users entered their password and credit card information on what turned out to be a malicious website.
Today, phishing can use multiple communication methods and has evolved from low-level schemes into the sophisticated targeting of individuals and organizations. Some phishing attempts today are almost indistinguishable from genuine communications from the company being impersonated, and it takes a keen eye and knowing what to look for to avoid them.
Phishing can take on many different forms as cybercriminals execute their schemes. Here are several variations of phishing attacks used to steal data:
To help prevent phishing attacks, you should observe general best practices, similar to those you might undertake to avoid viruses and other malware.
First, make sure your systems are updated to help protect against known vulnerabilities. Protect devices and systems with reputable security software and firewall protection. You can also add software that watches for PII being sent over email or other insecure methods.
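The "software that watches for PII being sent over email" mentioned above is usually a pattern scanner with validation on top, so that not every run of digits triggers an alert. The following is an added example, not code from the original article or from any vendor product: a small outbound-mail scanner that looks for US Social Security numbers and payment card numbers, validating the card candidates with the Luhn checksum and rejecting structurally impossible SSNs before reporting. The sample messages, the SSN layout rule and the 13-to-19-digit card pattern are constructed for the demonstration; a production scanner would cover far more formats.

```python
import re

# Constructed sample outbound messages (not real data). msg-2 leaks a test SSN and
# a test card number; msg-3 and msg-4 contain digit runs that must NOT be flagged.
SAMPLE_MESSAGES = [
    ("msg-1", "Hi team, the quarterly review has moved to Thursday at 3pm."),
    ("msg-2", "Per your request, my SSN is 078-05-1120 and card 4111 1111 1111 1111."),
    ("msg-3", "Invoice #2024-4455 attached; PO number 1234-5678-9012 for reference."),
    ("msg-4", "Tracking number 1234 5678 9012 3456 shipped today."),
]

# US SSN layout: area-group-serial. Real PII scanners also cover other formats;
# this pattern is the minimal one for the demonstration.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def plausible_ssn(area, group, serial):
    """Reject structurally impossible SSNs (unassigned area/group/serial values)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(text):
    """Return (kind, redacted_value) findings for PII present in one message body."""
    findings = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if plausible_ssn(area, group, serial):
            findings.append(("ssn", "***-**-" + serial))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            # Redact everything but the last four digits in the alert itself.
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def scan_outbound(messages):
    """Map message id -> findings for every message that carries PII."""
    report = {}
    for msg_id, body in messages:
        findings = scan_message(body)
        if findings:
            report[msg_id] = findings
    return report


if __name__ == "__main__":
    for msg_id, findings in scan_outbound(SAMPLE_MESSAGES).items():
        for kind, redacted in findings:
            print(f"{msg_id}: {kind} detected ({redacted}) - hold for review")
```

Only msg-2 is reported: the invoice and PO numbers in msg-3 are too short to be card numbers, and the tracking number in msg-4 has the right length but fails the Luhn check, which is what keeps a scanner like this from drowning reviewers in false positives.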
Since the weak link in phishing attacks is the end user, you should provide proper end-user security awareness training and educate your team on how to recognize a phishing scam. The key to protecting against phishing lies in the ability to recognize the cyberattack as illegitimate.
Here are some key concepts to include in end-user training:
Remember, when it comes to protecting yourself from phishing, a healthy dose of skepticism is often the best defense against these schemes.
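Much of what end-user training teaches people to check by eye can also be checked mechanically before a message reaches the inbox: does the sender's display name invoke a brand that the sender's domain does not belong to, does a link's visible text show one site while its real target is another, and does a link point at a bare IP address instead of a hostname. The following is an added example, not code from the original article: it parses one constructed email (sender header plus HTML body) and reports those three indicators. The watched-brand list and the "last two labels" approximation of a registrable domain are simplifying assumptions; the IP address is from the documentation range and the sender domain uses the reserved .example TLD.

```python
import ipaddress
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email). The visible text invokes
# PayPal, but the sender domain and the first link's real target point elsewhere.
# 198.51.100.23 is from the documentation address range; .example is a reserved TLD.
SAMPLE_FROM = '"PayPal Support" <billing@paypa1-secure.example>'
SAMPLE_HTML = """
<p>Your credit card on file is about to expire. Update it now:</p>
<p><a href="http://198.51.100.23/update">https://www.paypal.com/update</a></p>
<p>Questions? Visit our <a href="https://www.paypal.com/help">Help Center</a>.</p>
"""

# Brands to watch for in display names (constructed list; a real deployment would
# maintain its own list of commonly impersonated brands).
WATCHED_BRANDS = {"paypal"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Crude approximation of the registrable domain: the last two labels."""
    return ".".join(host.split(".")[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phishing_indicators(from_header, html):
    """Return (code, detail) pairs for the indicators found in one message."""
    indicators = []
    name, addr = parseaddr(from_header)
    sender_host = addr.rpartition("@")[2].lower()
    # Indicator 1: display name names a watched brand, sender domain does not.
    for brand in WATCHED_BRANDS:
        if brand in name.lower() and brand not in sender_host:
            indicators.append(("brand_mismatch", f"'{name}' sent from {sender_host}"))
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        href_host = host_of(href)
        # Indicator 2: link target is a raw IP address rather than a hostname.
        if is_ip_literal(href_host):
            indicators.append(("ip_link", href))
        # Indicator 3: visible text is itself a URL whose site differs from the target.
        text_host = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
        if text_host and registrable(text_host) != registrable(href_host):
            indicators.append(("link_text_mismatch", f"shows {text_host}, goes to {href_host}"))
    return indicators


def indicator_codes(from_header, html):
    return {code for code, _ in phishing_indicators(from_header, html)}


if __name__ == "__main__":
    for code, detail in phishing_indicators(SAMPLE_FROM, SAMPLE_HTML):
        print(f"[{code}] {detail}")
```

The second link in the sample, whose text is plain words rather than a URL and whose target is a hostname, produces no indicator; a message with a consistent sender domain and honest link text produces none at all. In a mail gateway these indicators would feed a score or a quarantine decision rather than a hard block, since legitimate marketing mail does occasionally trip the link-text check.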
Ransomware, malware, social engineering and phishing all encompass different forms of malicious threats to consumers and companies:
The information in this guide serves as an introduction to the threats posed by phishing, but it is far from comprehensive. Phishing and the cybersecurity world change on a daily basis, with attacks becoming increasingly sophisticated and more challenging to identify. The best way to combat cyberattacks is to stay informed about the latest attacks and to increase security awareness so that consumers and your employees do not fall victim to a phishing scheme.