As web security improves, email security has become a bigger problem than ever. The overwhelming majority of malware attacks now come from email — as high as 89 percent, according to HP Wolf Security research. And with many employees getting multiple emails per day, it’s easy for spam emails to slip their notice and potentially compromise the network.
Approximately 83 percent of organizations said they faced a successful phishing attempt in 2021, up from 57 percent in 2020. As phishing attacks become more prevalent and more successful, often serving as a gateway for further attacks like ransomware and advanced persistent threats (APTs), businesses need to prioritize protections against them. But in order to do so effectively, companies need to know more about the threat they’re facing. This guide breaks down the different types of phishing attacks and provides examples to help organizations better prepare their staff to deal with them.
- What is Phishing?
- Types of Phishing Attacks & Their Defenses
- Common Examples of Phishing Attacks
- What Can Help to Protect You from Phishing?
- Phishing Protection Doubles as Malware and Ransomware Protection
What is Phishing?
Phishing is a type of social engineering attack in which bad actors pose as a trustworthy entity via phone, email, or text message in order to steal personal information from the recipient. Attackers may try to get their victims to reveal their date of birth, social security number, credit card information, or account passwords. They may also try to trick the recipient into clicking on a malicious link that would download malware onto their computer, giving them access to sensitive information.
Types of Phishing Attacks & Their Defenses
There are several types of phishing attacks that businesses should be prepared for: spear phishing, whaling, clone phishing, vishing, and smishing.
Also read: What are Common Types of Social Engineering Attacks?
Spear phishing attempts are targeted toward specific individuals or groups of individuals. They may include the recipient’s name, position, company, or other information that would set the potential victim at ease. The attacker may even claim they’re the recipient’s boss with an urgent request.
Messages like this tell the attacker whether an email address is active and if the recipient is likely to accept this initial email as legitimate. Notice the email address ends in @mail.ru instead of @eku.edu like a real university email address would. The attacker has taken all of the elements of the real Laurence’s email and spoofed it for their own purposes. If the attacker gets a response, they can execute the second part of their plan, whether it be to get additional information or deliver a malicious link.
Spear Phishing Defenses
Email security software can block many of these emails, but some will still slip through even if you have the proper prevention methods in place. Double-check the email address these emails come from as well as the reply address. If you’re on your computer, hover your mouse over any links to see where they’ll take you before clicking on them. With some mobile phones, you can hold down your finger on a link to see where it goes, although this is riskier than checking it from a computer. Never open any attachments without making sure the message is legitimate.
In addition to verifying the email address, check for grammatical errors that may indicate an attacker is looking for easy targets. While everyone makes mistakes in their emails occasionally, phishing attempts will have a higher number of errors than usual because they want to capture people that won’t question the attacker’s further actions.
If you can’t tell whether the message is real or not, contact the alleged sender through a different channel. Don’t reply to the email if it’s fraudulent or you’re unsure.
Also read: Zero-Click Attacks a Growing Threat
Whaling is similar to spear phishing, except that it targets high-level employees, like executives or directors. They typically have access to the most valuable information in a company, making them appealing targets for attackers. Bad actors can either sell the information they’re able to gather or hold it for ransom. Additionally, they may be able to manipulate these high-level employees into wiring large amounts of money into the attacker’s account.
Whaling protections are similar to those of spear phishing. Email protection software can help, but you’ll still need to know what to look for in the few that slip through. Slight changes in the email address, a different reply-to address, or a large number of grammatical errors can all indicate phishing.
Clone phishing, like spear phishing, is typically targeted at a small group of people because the attacker duplicates an email that the recipients have already received. For example, if the organization sends out an invitation to a company-wide event, the attacker might follow that up with an email that includes a “registration link” which really includes malware. Because the initial email was genuine, employees are more likely to lower their guard when they get the second email.
Clone Phishing Defenses
Clone phishing emails will attempt to spoof the email address of the initial sender, but there will either be slight differences or a different reply-to address. Before clicking on links in an email that you’re not completely certain is legitimate, hold your mouse over them to see the web address and double-check the sender name and email address and compare it against what you have in your contact list. If you’re still not sure, you can always contact the person via a channel other than email, like Slack or phone, to ask them about it. Do not reply to the email if it’s fraudulent.
Smishing is the text message version of phishing attacks. They may be targeted, like spear phishing, but they may also be more general, appearing to come from their bank or Amazon, for example. The SMS text message will prompt users to call a fraudulent number and provide sensitive information or click on a link that will download malware onto their device.
Words like “urgent” prompt recipients into fast action, so they’re more likely to make a mistake. But note the link here. Actual requests from the USPS would likely include usps.com in the link, but this one is just a string of letters and numbers, marking it as fraudulent.
As people become more familiar with phishing and smishing attempts, attackers get better about disguising their links. Nowadays, instead of the random string of letters and numbers pictured above, you’re more likely to get smishing attempts that include links to ama.zon.com or vvalmart.com (note the double v in place of a w).
The best way to guard against phishing attacks is to examine the message carefully before taking action. And if you’re not sure whether it’s legitimate, call the company using the number from their actual website or on the back of your credit or debit card in the case of bank-related smishing attempts. If you determine the text message is illegitimate, just delete it and block the number. Don’t reply to it, as you’ll confirm the number is active and will likely get more like it.
Vishing is phishing that is executed via telephone, often coming from spoofed phone numbers. The attacker typically pretends to be someone from a legitimate business, like a bank or retailer, in an attempt to get personally identifiable information from the recipient.
Many wireless phone providers have introduced spam protections to keep their customers from falling victim to vishing scams. While some will not even allow the phone to ring, lowering the chances that the recipient will actually answer the call, others will simply mark the call as potential spam, leaving the choice in the hands of the recipient.
You can also register your number on the federal Do Not Call list, but it doesn’t seem to have any actual effect on the number of scam calls received. Overall, unless you’re expecting a call from someone whose number you don’t have saved, it’s best to ignore calls from numbers you don’t know, trusting that callers with important information will leave a voicemail. If the caller does turn out to be spam, block the number, so they can’t use it to contact you again.
Common Examples of Phishing Attacks
Here are a few real-life examples of phishing attacks that you might run into.
Amazon Phishing Email
Millions of people use Amazon regularly, so it’s no surprise that attackers use their name and logo for phishing attempts. In the above example, the attacker uses the Amazon logo to legitimize the request.
However, notice how the sender uses a comma instead of a period at the end of the first sentence and includes an extra space between “in” and “your.” These grammatical errors serve to identify the easiest targets because if the email recipient doesn’t question those, they’re less likely to question any other mistakes the attacker makes. And if you were able to hover over either of the links, chances are you wouldn’t see an actual Amazon address. Other large vendors, like Walmart and Target, may have their email addresses spoofed as well.
Also read: Salesforce Email Service Used for Phishing Campaign
Chase Phishing Text Message
Many attackers use phishing attempts that appear to be from the recipient’s bank because they’re more likely to respond quickly when money is involved. The above example tells the customer their account has been locked, so they’ll call the number to fix the problem. If that happens, they can then get the recipient to provide the information they want.
Some indicators that this is fake is the lack of spaces between “Chase” and “bank” and after the period. Additionally, there is a zero in the word “LOCKED” instead of a capital O. Chase users aren’t the only targets of this type of attack. Most banks and even Paypal face similar spoofing occurrences.
Car Warranty Phishing Phone Call
Today, you’d be hard-pressed to find someone who hasn’t gotten a spam call from a recorded voice telling them their car warranty is expired or about to expire. This is a common phishing attack that attempts to manipulate people into giving over sensitive information like their credit card number, name, address, and social security number. Additionally, if the recipient answers the call, the attacker knows it’s active and they can sell it to other attackers.
Similar examples of this scam are calls about student loan debt, saying that the IRS has put a warrant out for your arrest, or that there has been fraud on your credit card account. The tells are different for each of these, but typically, they won’t provide any specific information that would verify that the call is actually for you.
What Can Help to Protect You from Phishing?
Attention to detail will help you the most when protecting yourself and your business against phishing attempts, but there are other things you can do to lessen the number of attacks you’re subjected to.
Email Security Software
Email security software can block known malicious domains that other users have marked as spam in the past. Some also use AI and ML to identify patterns that suggest spam or phishing attempts. With these tools in place, you’re less likely to get general phishing emails, meaning you can pay more attention to spear phishing attempts. Some of the top email protection tools include:
- Mimecast Secure Email Gateway
- Barracuda Spam Firewall
- Proofpoint Enterprise Protection
- ClearSwift Secure Email Gateway
Get the full list of our recommendations for the Top Secure Email Gateway Solutions.
Cybersecurity Awareness Training
Employees have to know what to look for before they can spot a phishing attempt, so providing cybersecurity awareness training is the best way to protect your business from a data breach. But it can’t just be a one-time thing. New threats are always emerging, so you need to hold regular training sessions to keep your employees up to date and the training fresh in their minds. Some of the best cybersecurity awareness programs come from:
- SANS Institute
Get the full list of the Best Cybersecurity Awareness Training for Employees to find the program that’s right for your business.
If your training program doesn’t include phishing simulators, you should consider it as an add-on. Phishing simulators give employees a safe space to test their knowledge of phishing attacks without risking personal or company information. They also send test emails to employees to see how well they can spot the signs of phishing. It also provides companies with an idea of their risk profile, showing them how many of their employees engaged in risky behaviors with the fake phishing attempt.
Some companies that offer phishing simulators include:
- Infosec IQ
- Simple Phishing Toolkit
Phishing Protection Doubles as Malware and Ransomware Protection
Phishing attempts are big problems on their own, but they can also serve as a gateway for attackers to introduce malware and ransomware, costing businesses thousands of dollars in remediation. If businesses can effectively block phishing attempts, they also protect themselves against further attacks, especially because it means your employees know what to look out for. Investing time and money in phishing protection can help organizations save both in the long run.
Read next: QR Codes: A Growing Security Problem