What is a Phishing Attack?
Phishing is an email scam that impersonates a reputable person or organization with the intent to steal credentials or sensitive information. Although email is the most common type of phishing attack, depending on the type of phishing scam, the attack may use a text message or even a voice message.
How do Phishing Attacks Work?
A typical phishing attack starts with a threat actor sending mass amounts of emails in hopes of getting anyone to click on malicious links.
These threat actors, whether an individual criminal or a nation-state, craft such messages to appear to be legitimate. A phishing email can appear to be from your bank, employer or boss, or use techniques to coerce information out of you by pretending, for example, to be a government agency.
The intent could be to deploy ransomware, to steal existing account credentials, to acquire enough information to open a new fraudulent account, or simply to compromise an endpoint. A single click on a malicious phishing link has the potential to create any of these problems.
Phishing Attack Techniques
1. Email Phishing
Spear phishing is a phishing attempt that targets a specific individual or group of individuals. One adversary group, known as Helix Kitten, researches individuals in specific industries to learn about their interests and then structures spear phishing messages to appeal to those individuals. Victims may be targeted in an effort to reach a more valuable target; for example, a mid-level financial specialist may be targeted because her contact list contains email addresses for financial executives with greater access to sensitive information. Those higher-level executives may be targeted in the next phase of the attack.
Whale Phishing (Whaling)
Whaling, also called business email compromise (BEC), is a type of spear-phishing that targets a high-profile victim, such as a CEO or CFO. Whaling attacks usually employ a sense of urgency to pressure the victim into wiring funds or sharing credentials on a malicious website.
2. Voice Phishing (Vishing)
Vishing is a phishing attack conducted by telephone. These attacks may use a fake Caller ID profile to impersonate a legitimate business, government agency or charitable organization. The purpose of the call is to steal personal information, such as bank account or credit card numbers.
3. SMS Phishing (Smishing)
Smishing is a phishing campaign conducted through SMS messages instead of email. Smishing attacks are unlikely to result in a virus being downloaded directly. Instead, they usually lure the user into visiting a site that entices them to download malicious apps or content.
2022 CrowdStrike Global Threat Report
Download the 2022 Global Threat Report to find out how security teams can better protect the people, processes, and technologies of a modern enterprise in an increasingly ominous threat landscape.Download Now
How to Recognize Phishing: Can you spot the Scam?
Typical characteristics of phishing messages make them easy to recognize. Phishing emails usually have one or more of the following indicators:
- Asks for Sensitive Information
- Uses a Different Domain
- Contains Links that Don’t Match the Domain
- Includes Unsolicited Attachments
- Is Not Personalized
- Uses Poor Spelling and Grammar
- Tries to Panic the Recipient
The Most Impersonated Organizations in Phishing Scams
While the most well-known phishing attacks usually involve outlandish claims, such as a member of a royal family requesting an individual’s banking information, the modern phishing attack is far more sophisticated. In many cases, a cyber criminal may masquerade as common retailers, service providers or government agencies to extract personal information that may seem benign such as email addresses, phone numbers, the user’s date of birth, or the names of family members.
To assess exactly which organizations are being impersonated the most in phishing scams, the CrowdStrike data science team submitted an FOIA request to the Federal Trade Commission and asked for the total number of phishing scams reported as impersonating the top 50 brands and all U.S. federal agencies.
The results show the U.S. public which emails from brands and organizations they need to be the most cautious of, and which are the most lucrative to impersonate for phishing criminals. Topping the list is e-retailer Amazon, followed by technology companies Apple (2), Microsoft (4) and Facebook (8). Other organizations include: the Social Security Administration (3); retail banks, such as Bank of America (5) and Wells Fargo (6); telecommunications providers such as AT&T (7) and Comcast (10); retailers such as Costco (11), Walmart (12) and Home Depot (18); and courier services such as FedEx (9) and UPS (14).
How to Prevent Against Phishing
Even if you think you can spot a phishing email easily, make sure you also follow these secure steps:
Employee awareness training: Employees must be trained to recognize and constantly be on alert for the signs of a phishing attempt, and to report such attempts to the proper corporate security staff.
Use anti-virus software: Anti-malware tools scan devices to prevent, detect and remove malware that enter the system through phishing.
Use an anti-spam filter: Anti-spam filters use pre-defined blacklists created by expert security researchers to automatically move phishing emails to your junk folder, to protect against human error.
Use an up-to-date browser and software: Regardless of your system or browser, make sure you are always using the latest version. Companies are constantly patching and updating their solutions to provide stronger defenses against phishing scams, as new and innovative attacks are launched each day.
Never reply to spam: Responding to phishing emails lets cybercriminals know that your address is active. They will then put your address at the top of their priority lists and retarget you immediately.
Use multi-factor authentication (MFA): Even if a victim’s credentials have been compromised in a phishing attack, MFA requires a second level of verification, like an access code sent to your phone, before gaining access to a sensitive account.
Don’t open the email: If you believe you have a phishing email in your inbox, do not open it, and report it through the proper channels.
What happens if you open a phishing email?
Simply reading a phishing message is normally not unsafe. The user must click a link or download a file to activate malicious activity. Be cautious about all communications you receive, and remember that although phishing may most commonly happen through email, it can also occur through cell phone, SMS and social media.
How to Report a Phishing Attack?
Users can’t prevent phishing attacks, but they can protect themselves and help slow the tide by reporting phishing emails when they recognize them. Do your part to be a good internet citizen. Report phishing to: email@example.com.