What is a Phishing Attack?
Phishing is a type of cyberattack that uses email, SMS, phone, or social media to entice a victim to share personal information — such as passwords or account numbers — or to download a malicious file that will install viruses on their computer or phone.
Phishing is very common. According to Accenture, 60% of Americans say they or a family member has been a victim of a phishing attack, and 15% will be targeted more than once every year. The number of phishing attacks has also been increasing in the U.S., with a growth of 65% in the last year.
Features of a Phishing Email
Typical characteristics of phishing messages make them easy to recognize. Phishing emails usually have one or more of the following indicators:
- Asks for Sensitive Information
- Uses a Different Domain
- Contains Links that Don’t Match the Domain
- Includes Unsolicited Attachments
- Is Not Personalized
- Uses Poor Spelling and Grammar
- Tries to Panic the Recipient
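As an added illustration (not part of the original article), the following Python checker tests a raw email against several of the indicators listed above: a Reply-To domain that differs from the From domain, anchor text that displays one domain while the href points to another, unsolicited attachments, and urgency wording. The sample message, its domains and the keyword lists are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (hypothetical domains, not a real campaign) that trips
# several of the indicators listed above.
SAMPLE = """\
From: Payments Team <billing@example-bank.com>
Reply-To: support@examp1e-bank-verify.net
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html

<p>Dear customer, verify your details immediately:
<a href="http://examp1e-bank-verify.net/login">https://www.example-bank.com/login</a></p>
"""

URGENCY = re.compile(r"\b(urgent|immediately|suspended|within 24 hours)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

def domain_of(s: str) -> str:
    """Crude registrable domain (last two host labels) of a URL, host or address."""
    host = urlparse(s if "://" in s else "http://" + s.rpartition("@")[2]).hostname
    return ".".join((host or "").lower().split(".")[-2:])

def phishing_indicators(raw: str) -> list[str]:
    """Names of the indicators above that a raw RFC 5322 message trips."""
    msg = message_from_string(raw)
    body, attachments = "", []
    for part in msg.walk():  # a single-part message yields just itself
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename() or "unnamed")
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode(errors="replace")
    hits = []
    sender = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != sender:  # replies routed elsewhere
        hits.append("Uses a Different Domain")
    for href, text in ANCHOR.findall(body):  # displayed URL vs. real target
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if LOOKS_LIKE_URL.match(shown) and domain_of(href) != domain_of(shown):
            hits.append("Contains Links that Don't Match the Domain")
            break
    if attachments:
        hits.append("Includes Unsolicited Attachments")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        hits.append("Tries to Panic the Recipient")
    return hits
```

The sample trips three indicators; a benign message whose From, Reply-To and links all share one domain and whose wording carries no urgency returns an empty list.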
Phishing Email Example
In this example, the cyber criminal is masquerading as the Ministry of Health of Colombia. The email urges the reader to download a document that supposedly lists the neighborhoods where COVID-19 has been detected.
The email has a non-malicious PDF document attached, which simply contains the logo of the organization used as a lure and a link to a password-protected archive, with the password given in the message. This multi-step strategy incentivizes the user to manually download and execute the payload, and it diminishes the chances of the message being blocked by spam filters because no weaponized document travels as an attachment.
The payload is a commodity remote access tool (RAT) named Warzone, which is malware that has the ability to bypass UAC controls. It also has remote execution capabilities, a keylogger, a camera recorder, and can be used to steal the credentials from Google Chrome, Firefox, Thunderbird and Microsoft Outlook.
Types of Phishing
Spear phishing is a phishing attempt that targets a specific individual or group of individuals. One adversary group, known as Helix Kitten, researches individuals in specific industries to learn about their interests and then structures spear phishing messages to appeal to those individuals. Victims may be targeted in an effort to reach a more valuable target; for example, a mid-level financial specialist may be targeted because her contact list contains email addresses for financial executives with greater access to sensitive information. Those higher-level executives may be targeted in the next phase of the attack.
Smishing is a phishing campaign conducted through SMS messages instead of email. Smishing attacks are unlikely to result in a virus being downloaded directly. Instead, they usually lure the user into visiting a site that entices them to download malicious apps or content.
Vishing is a phishing attack conducted by telephone. These attacks may use a fake Caller ID profile to impersonate a legitimate business, government agency or charitable organization. The purpose of the call is to steal personal information, such as bank account or credit card numbers.
Whaling, also called business email compromise (BEC), is a type of spear-phishing that targets a high-profile victim, such as a CEO or CFO. Whaling attacks usually employ a sense of urgency to pressure the victim into wiring funds or sharing credentials on a malicious website.
What happens if you open a phishing email?
Simply opening and reading a phishing message is normally not dangerous by itself; the user must click a link or download a file to trigger the malicious activity. Be cautious about all communications you receive, and remember that although phishing most commonly happens through email, it can also occur through phone calls, SMS and social media.
What happens if you click a phishing link on your phone?
Phones are computers, and like any desktop, they can become infected by viruses when a malicious link is clicked. Typically, however, malicious links don’t download viruses directly to a phone. Instead, they direct the user to a website or the app store, where they are encouraged to download malicious content.
Before downloading an app, check the reviews for quantity and quality, only connect to trusted devices and treat any incoming messages with the same caution that you’d treat any message that lands in your computer inbox.
Luckily, it’s becoming easier to prevent phishing emails from ever reaching our inboxes. And when they do, we are becoming savvier on how to spot the common signs of phishing scams.
However, they do still occasionally get through, so it’s important you’re able to spot and delete them as necessary. We recommend organizations educate all employees on the common giveaways of phishing scam emails and even provide mock phishing scenarios to test their understanding.
Even if you think you can spot a phishing email easily, make sure you also follow these secure steps:
- Use anti-virus software: Anti-malware tools scan devices to prevent, detect and remove malware that enters the system through phishing.
- Use an anti-spam filter: Anti-spam filters use pre-defined blacklists created by expert security researchers to automatically move phishing emails to your junk folder, protecting against human error.
- Use an up-to-date browser and software: Regardless of your system or browser, make sure you are always using the latest version. Vendors are constantly patching and updating their products to provide stronger defenses against phishing scams, as new and innovative attacks are launched each day.
- Never reply to spam: Responding to phishing emails lets cybercriminals know that your address is active. They will then put your address at the top of their priority lists and retarget you immediately.
How to Report a Phishing Attack
Users can’t prevent phishing attacks, but they can protect themselves and help slow the tide by reporting phishing emails when they recognize them. Do your part to be a good internet citizen. Report phishing to: firstname.lastname@example.org.
The Most Impersonated Organizations in Phishing Scams
To assess exactly which organizations are being impersonated the most in phishing scams, the CrowdStrike data science team submitted an FOIA request to the Federal Trade Commission and asked for the total number of phishing scams reported as impersonating the top 50 brands and all U.S. federal agencies.
The results show the U.S. public which emails from brands and organizations they need to be the most cautious of, and which are the most lucrative to impersonate for phishing criminals.
Here are the top 20 most impersonated organizations in 2020:
Amazon accounts for 41.5% of all impersonation complaints analyzed, with 1,262 phishing incidents reported to the Federal Trade Commission. Apple accounts for 33.3%, with 1,012 complaints. Together these powerhouses account for 74.7% of all impersonation complaints analyzed.
The third most impersonated organization is not a private enterprise. The Social Security Administration is the most impersonated federal agency in the U.S. for phishing scams, with 223 complaints. To top it off, out of all U.S. federal agencies, the Social Security Administration alone accounts for a staggering 91.8% of phishing scam complaints.
The Most Impersonated Industries in Phishing Scams
While the most impersonated organizations are clear, which is the most targeted industry? The CrowdStrike team explored this too, with the help of the Federal Trade Commission.
The data received by the Federal Trade Commission reveals retail is the most impersonated industry sector in 2020, representing 43.9% of all impersonation complaints analyzed – 1,335 in total. Technology on the other hand represents 35.7% of all complaints analyzed, with 1,087 complaints received. U.S. federal agencies come in third place, with 243 reported phishing incidents.