Phishing is the fraudulent use of electronic communications (e.g. email, SMS, phone calls) to deceive and take advantage of users.
Phishing attacks attempt to gain sensitive, confidential information such as usernames, passwords, credit card information, network credentials, and more. By posing as a legitimate individual or institution via phone or email, cyber attackers use social engineering to manipulate victims into performing specific actions—like clicking on a malicious link or attachment—or willfully exposing confidential information.
Both individuals and organizations are at risk; almost any kind of personal or organizational data can be valuable, whether it be to commit fraud or access an organization’s network. In addition, some phishing scams can target organizational data in order to support espionage efforts or state-backed spying on opposition groups.
Phishing attempts most often begin with an email attempting to obtain sensitive information through some user interaction, such as clicking on a malicious link or downloading an infected attachment.
- Through link manipulation, an email may contain links that spoof legitimate URLs; manipulated links may feature subtle misspellings or use a subdomain to imitate the legitimate site.
- Using covert redirection, attackers can corrupt legitimate websites with malicious pop-up dialogue boxes that redirect users to a phishing website.
- Infected attachments, such as .exe files, Microsoft Office files, and PDF documents, can install ransomware or other malware.
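To show the link-manipulation tricks from the defender's side, here is an added example (not code from the original article) that checks a link's target host for the two tricks just listed: a registered domain that is a near-miss misspelling of one the organisation actually uses, and a brand name hidden in the subdomain of some unrelated registered domain. It also flags links whose visible text names a different host than the href. The allow-list, the two-label public-suffix subset and the sample links are constructed assumptions; a production check would consult the Public Suffix List rather than a hard-coded set.

```python
"""Flag manipulated links of the kinds described above. This is an added
example, not code from the original article; the allow-list, the public-suffix
subset and the sample links are constructed for illustration."""
from urllib.parse import urlparse

# Constructed: domains the organisation genuinely uses in its mail.
KNOWN_DOMAINS = {"example-bank.com", "example.com"}

# Constructed subset of two-label public suffixes. A real deployment would
# consult the Public Suffix List instead of a hard-coded set.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registered_domain(host: str) -> str:
    """Return the registrable domain of a hostname: its last two labels, or
    three when the suffix itself has two labels (e.g. example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from a known domain is a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href: str, display_text: str = "") -> list:
    """Return the reasons a link looks manipulated; an empty list means none found."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return ["link has no hostname"]
    reg = registered_domain(host)
    if reg not in KNOWN_DOMAINS:
        # Everything left of the registered domain is naming the registrant controls.
        sub_labels = host[: -len(reg) - 1].split(".") if host != reg else []
        for known in KNOWN_DOMAINS:
            brand = known.split(".")[0]
            # Brand used as a subdomain label of an unrelated registered domain,
            # e.g. example-bank.com.login-verify.net
            if brand in sub_labels:
                findings.append(f"brand '{brand}' appears in the subdomain of {reg}")
            # Registered domain is a one- or two-character misspelling of a known one.
            if 0 < edit_distance(reg, known) <= 2:
                findings.append(f"'{reg}' is a near-miss of '{known}'")
    # Visible text names one host while the href points to another.
    shown = urlparse(display_text).hostname if "://" in display_text else None
    if shown and registered_domain(shown) != reg:
        findings.append(f"text shows {shown} but link goes to {host}")
    return findings


if __name__ == "__main__":
    # Constructed sample links as they might appear in an email.
    for href, text in [
        ("https://secure.example-bank.com/login", "https://secure.example-bank.com/login"),
        ("https://examp1e-bank.com/reset", ""),
        ("https://example-bank.com.login-verify.net/login", "https://example-bank.com/login"),
    ]:
        print(href, "->", classify_link(href, text) or "no findings")
```

The check is deliberately keyed on the registered domain rather than the full hostname, because a legitimate `secure.example-bank.com` and a spoofed `example-bank.com.login-verify.net` both contain the brand string; only the rightmost labels say who actually controls the host.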
Phishing scams can also employ phone calls, text messages, and social media tools to trick victims into providing sensitive information.
Types of Phishing Attacks
Some specific types of phishing scams use more targeted methods to attack certain individuals or organizations.
Spear phishing email messages won’t look as random as more general phishing attempts. Attackers will often gather information about their targets to fill emails with more authentic context. Some attackers even hijack business email communications and create highly customized messages.
Attackers are able to view a legitimate, previously delivered email message, make a nearly identical copy of it (a "clone"), and then change an attachment or link to something malicious.
Whaling specifically targets high-profile individuals and/or senior executives in an organization. The content of a whaling attempt will often present as a legal communication or other high-level executive business.
How to Prevent Phishing Attacks
Organizations should educate employees to prevent phishing attacks, particularly how to recognize suspicious emails, links, and attachments. Cyber attackers are always refining their techniques, so continued education is imperative.
Some tell-tale signs of a phishing email include:
- ‘Too good to be true’ offers
- The email is not addressed to the recipient by name; instead the recipient is addressed as "Dear Customer", "Dear User", etc.
- Unusual sender
- Poor spelling and grammar
- Threats of account shutdown, etc., particularly conveying a sense of urgency
- Unexpected attachments, especially .exe files
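As an added example (not from the original article), the following script checks a raw email against the signs listed above: a generic greeting, a sender whose display name claims to be the organisation but whose address is elsewhere, urgency wording, too-good-to-be-true offers, known misspellings, and .exe-style attachments. The organisation name and domain, the phrase and misspelling lists, and the two sample messages are constructed for illustration.

```python
"""Check a raw email for the tell-tale phishing signs listed above. Added
example, not code from the original article; the organisation name and domain,
the phrase and misspelling lists and both sample messages are constructed."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

ORG_NAME = "example bank"    # constructed: how the organisation names itself
ORG_DOMAIN = "example.com"   # constructed: the domain it really sends from

GENERIC_GREETING = re.compile(r"^\s*dear\s+(customer|user|member|valued client)\b", re.I | re.M)
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|act now|"
                     r"account will be (suspended|closed|shut ?down))\b", re.I)
TOO_GOOD = re.compile(r"\b(you have won|free (gift|prize)|claim your reward|lottery)\b", re.I)
MISSPELLINGS = {"acount", "verfy", "recieve", "pasword", "securty"}  # constructed list
RISKY_EXTENSIONS = (".exe", ".scr", ".bat", ".js", ".vbs")


def text_and_attachments(msg: Message):
    """Collect the plain-text body parts and the attachment file names."""
    text, names = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name)
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(text), names


def phishing_signals(raw: str) -> dict:
    """Return a dict of sign -> evidence for the signs found in a raw message."""
    msg = message_from_string(raw)
    signals = {}
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # Unusual sender: display name claims the organisation, address is elsewhere.
    if ORG_NAME in display_name.lower() and sender_domain != ORG_DOMAIN:
        signals["unusual_sender"] = f"{display_name!r} sent from {sender_domain}"
    body, attachments = text_and_attachments(msg)
    text = msg.get("Subject", "") + "\n" + body
    if m := GENERIC_GREETING.search(body):
        signals["generic_greeting"] = m.group(0).strip()
    if m := URGENCY.search(text):
        signals["urgency"] = m.group(0)
    if m := TOO_GOOD.search(text):
        signals["too_good_to_be_true"] = m.group(0)
    misspelled = sorted(set(re.findall(r"[a-z]+", text.lower())) & MISSPELLINGS)
    if misspelled:
        signals["spelling"] = ", ".join(misspelled)
    risky = [n for n in attachments if n.lower().endswith(RISKY_EXTENSIONS)]
    if risky:
        signals["risky_attachment"] = ", ".join(risky)
    return signals


# Constructed sample: a phishing lure with an .exe attachment.
PHISH = """\
From: Example Bank Security <alerts@mail-verify.net>
To: jane@example.com
Subject: URGENT: your acount will be suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Customer,

We could not verfy your details. Your account will be suspended within 24 hours
unless you open the attached form immediately.
--b1
Content-Type: application/octet-stream; name="form.exe"
Content-Disposition: attachment; filename="form.exe"

MZ...
--b1--
"""

# Constructed sample: an ordinary internal notice.
LEGIT = """\
From: IT Service Desk <helpdesk@example.com>
To: jane@example.com
Subject: Scheduled maintenance on Saturday
Content-Type: text/plain

Hi Jane,

The file server will be offline on Saturday from 02:00 to 04:00 for patching.
No action is needed on your part.
"""

if __name__ == "__main__":
    for label, raw in [("phish", PHISH), ("legit", LEGIT)]:
        print(label, "->", phishing_signals(raw) or "no signals")
```

Each sign is reported with the evidence that triggered it rather than folded into a single score, which is what an analyst needs when triaging a user report; a mail gateway would combine these with the link checks and with SPF/DKIM/DMARC results before deciding to quarantine.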
Additional technical security measures can include:
- Two-factor authentication, combining two methods of identity confirmation: something you know (e.g., a password) and something you have (e.g., a smartphone)
- Email filters that use machine learning and natural language processing to flag high-risk email messages. The DMARC protocol can also help prevent email spoofing.
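DMARC is the item on that list an administrator can verify directly. This added example (not from the original article) parses a DMARC TXT record of the kind published at `_dmarc.<domain>` and lists what is weak about it, contrasting a monitoring-only record (p=none), which still lets spoofed mail through, with an enforcing one (p=reject). The two sample records are constructed for an example.com domain; the tag names are DMARC's own.

```python
"""Rate a DMARC record's protection against spoofing of the organisation's own
domain. Added example, not from the original article; the sample records are
constructed and the domain is example.com. Tag names are DMARC's own."""
from typing import Optional


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' TXT record into a dict of lower-case tags."""
    tags = {}
    for field in record.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # A DMARC record must begin with v=DMARC1.
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record")
    return tags


def assess_dmarc(record: Optional[str]) -> list:
    """Return the weaknesses found; an empty list means the policy is enforcing."""
    if not record:
        return ["no DMARC record: receivers have no policy for mail failing SPF/DKIM alignment"]
    tags = parse_dmarc(record)
    issues = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    pct = int(tags.get("pct", "100"))
    if pct < 100 and policy != "none":
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p
    if subdomain_policy == "none" and policy != "none":
        issues.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports will not be received")
    return issues


# Constructed records for the same domain: monitoring-only versus enforcing.
WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARDENED = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
            "rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com")

if __name__ == "__main__":
    for label, rec in [("missing", None), ("weak", WEAK), ("hardened", HARDENED)]:
        print(label, "->", assess_dmarc(rec) or ["enforcing policy"])
```

The usual rollout is the weak record first, reading the aggregate reports it produces until every legitimate sending system passes alignment, then moving to p=quarantine and finally p=reject; the assessment above flags each intermediate stage so the move is not forgotten.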