Phishing attacks attempt to gain sensitive, confidential information such as usernames, passwords, credit card information, network credentials, and more. By posing as a legitimate individual or institution via phone or email, cyber attackers use social engineering to manipulate victims into performing specific actions—like clicking on a malicious link or attachment—or willfully divulging confidential information.
Both individuals and companies are at risk; almost any kind of personal or company data can be valuable to the unscrupulous, whether it be to commit fraud or access a companies network. In addition, some phishing scams can target business data in order to support espionage efforts or spying on competitors.
Phishing attempts normally start with an email attempting to obtain sensitive information through some user interaction, such as clicking on a malicious link or downloading an infected attachment.
A good rule of thumb to avoid such scams is to consider the old adage of, “it’s too good to be true,” and to never click on links within emails. When it comes to attachments, asking colleagues to distribute them over file sharing platforms is safer and less susceptible to manipulation than emails which can easily be spoofed to look like they come from somewhere legitimate.
Using covert redirection, attackers are also capable of corrupting legitimate websites with malicious pop-up dialogue boxes that redirect users to a phishing website.
Infected attachments, such as .exe files, Microsoft Office files, and PDF documents can install ransomware or other malware.
Phishing scams can also employ phone calls, text messages, and social media tools to fool victims into providing sensitive information.
Phishing Attack Types
Some specific types of phishing scams use more targeted methods to attack certain individuals or businesses.
Spear phishing email messages are targeted attacks and not at all random. Attackers will often gather information about their targets to fill emails with more authentic context. Some attackers even hijack business email communications and create highly customised messages.
Attackers are able to view legitimate, previously delivered email messages, make a nearly perfect clone copy of it and then change an attachment or link to something malicious.
Whaling specifically targets high level users in a company, such as senior managers or directors. The content of a whaling attempt will often present as a legal communication or other high-level related content.
How to Prevent Phishing Attacks
It is important that you should educate employees to prevent phishing attacks, particularly how to recognise suspicious emails, links, and attachments. Cyber attackers are always refining their techniques, so continued education is essential.
What to look for in a typical phishing email:
‘Too good to be true’ offers
Strangely spelt sender names
Poor spelling and grammar
Threats of account shutdown, etc., particularly conveying a sense of urgency
Links, especially when the destination URL is different than it appears in the email content
Unexpected attachments, especially .exe files
It would be advisable to say that if anybody receives an email that they are at all suspicious about, should contact the IT department who can check the validity of the sender, the website links or any attachments.
Phishing is still a very popular cyber attacking method and can make the unscrupulous sender a large of money. Now we don't want that do we.