A scam whereby the victim is sent a message, usually by email or over the phone, persuading them to divulge sensitive information or tricking them into downloading malware.
Author: Phil Muncaster
One of the most persistent cyber security trends of the last few decades is phishing. Attacks surged by 11% over the past year and now account for 36% of breaches, according to the Verizon 2021 Data Breach Investigations Report (DBIR). It's time for action.
What is phishing, and how does it work?
Phishing is basically a confidence trick. Attackers typically impersonate a trusted individual or organization to persuade users to hand over personal information or unwittingly download malware onto their machines. They do this typically through malicious links and attachments in email or social media messages, though some attackers seek this information over the phone. Although tactics have evolved over the years, the end goal is usually to obtain login data or personal and financial information, or to install ransomware, cryptojacking malware or other threats.
What are the different types of phishing attacks?
Phishing was the highest volume of reported cyber crime in 2020, according to the FBI. Although the vast majority of attacks are email-borne, attackers use many other methods, too. Here are a few of the most common:
- Social media: Users tend to be more trusting of messages sent by their friends on social sites—something phishers take advantage of by hijacking contacts' accounts to spread malicious URLs. Last year, the Federal Trade Commission recorded surging volumes of incidents starting on social media.
- Spear phishing: These are typically more targeted than usual phishing emails. That means the sender has researched the victim to include specific personal details in their message, lending it greater legitimacy.
- CEO fraud: Phishing attacks targeting senior executives are known as "whaling." Here, the threat actor impersonates the executive in order to trick an employee into wiring money abroad or buying up and sending gift vouchers.
- Vishing: Voice phishing, as the name suggests, is when scammers call up their victims directly to persuade them into handing over personal and financial information. They may also trick them into believing they have malware on their computer, in what's known as a "tech support" scam.
- Smishing: Unsolicited text message links could end up installing malware on users' devices. Sender numbers may be spoofed to add legitimacy.
What could phishing cost my business?
Just one misplaced click could lead to:
- Ransomware compromise: Phishing is a top three vector for ransomware today. Some organizations have lost millions following serious breaches.
- Data theft: The average global cost of a data breach today stands at over $4 million.
- Business email compromise (BEC), aka whaling: This cost organizations an estimated $1.8 billion in 2020, more than any other cyber crime, according to the FBI.
How can I mitigate the phishing threat?
Fighting against phishing doesn't have to cost the earth. A combination of people, process and technology will help to drive a strategy founded on best practices. These include:
- Email security featuring anti-phishing from a reputable provider.
- Staff training and awareness programs involving real-world simulation exercises.
- Domain Name System (DNS) protection to block employees trying to connect to phishing sites.
- Artificial intelligence (AI) tools designed to spot subtle changes in writing style or communication patterns.
Learn more about the rise of social media-based phishing threats.
Preguntas frecuentes
What is phishing? +
What are the dangers of phishing? +
It could lead to data theft or ransomware, or it could become a launch pad for other attacks like cryptojacking.
How do I prevent attacks? +
Train your staff thoroughly, and back this up with technology such as DNS-based protection and AI tools.