Cybersecurity terms can often go over the heads of laypeople. While many have heard of phishing, malware, or DDoS attacks, it is important for employees and organizations that are not cybersecurity experts to know what these terms mean, how the attacks are carried out, and what can be done about them. In this series, we will cover common cyber threats in simple terms, so that even those who are not cybersecurity experts can understand these threats and why it is important to protect against them.
What is Phishing?
Simply put, phishing is a scam carried out through social engineering: a malicious actor sends a deceptive message containing a call-to-action (CTA) that asks the target to do something that will expose their sensitive information. These CTAs take many forms, including requesting an email reply in which sensitive information is divulged, or asking the target to open a malicious link or attachment. Such links and attachments can lead to malware being installed on the user’s device, or can open a fraudulent login page where the target enters account credentials that are then stolen. Sometimes this is only the first step in a more complex scam, as the malware or stolen credentials can be used to find and target other users on the same network. Social engineering refers to the techniques malicious actors use to manipulate targets into revealing this information, such as impersonating a trusted correspondent, a government agency, or a company that does business with the target. Having established the impersonation, the attacker manipulates the target into revealing information, often by creating a sense of urgency that worries the target and makes them more likely to do what the sender asks without following proper safety procedures.
Because it is so common and takes so many forms, phishing is a threat to individuals and businesses alike. Over 80% of organizations reported experiencing phishing attacks in 2021, and more than 1 in 5 data breaches that occurred in 2020 were the result of phishing. With the average cost of a data breach surpassing $4 million USD in 2022, phishing is a problem that can affect everyone from technologically challenged grandparents to the largest corporations in the world.
Types of Phishing
Below are five prevalent types of phishing scam. While there is some overlap between them, it is important to be familiar with each of them individually for the sake of security:
“Bulk” Email Phishing
Email phishing is the most common type of phishing: a threat actor sends a malicious email while pretending to be someone they are not. While spear phishing (explained in the next section) takes a targeted approach, “bulk” email phishing casts a wide net (no pun intended). These scams aim at as large an audience as possible, with malicious actors impersonating senders that have a large email base, such as banks and telecommunications companies. Around such identities an actor can create a repeatable script that they send out many times with little alteration. It is a buckshot approach, but it is a numbers game that many threat actors are willing to play.
Spear Phishing
In contrast, spear phishing prioritizes quality over quantity. It involves threat actors targeting a specific person or company, spending time to research a single target and how best to use social engineering to separate them from the desired data. Whereas bulk email phishing can require nothing more than an email template and a list of addresses, spear phishing usually involves a higher level of expertise. First, many spear phishers use programs to harvest email addresses from search engines like Bing or Google, then comb through those addresses until they find their desired target. Next, social engineering comes into play: the threat actor disguises themselves as a trusted email correspondent (for example, a work superior or business partner) by creating an email address that closely resembles that of the person they are impersonating. Once the threat actor has worked out how to bypass the target’s antivirus protection (a task that can be as simple as locating IT job openings at the target’s company, which often list the antivirus software the organization uses), the email is sent with a script that provokes a user-specific CTA, one the attacker hopes is more likely to be followed than a bulk phishing CTA because of its personalization.
Smishing
Not all phishing is done via email. Smishing is a type of phishing that uses smartphones as the attack platform: it is carried out over SMS text messages, which is what gives smishing its name. Smishing is especially popular because there are few ways to authenticate the sender of an SMS, and programs exist that allow threat actors to spoof the phone numbers of known contacts when sending these messages. Additionally, links in text messages are often shortened URLs, which makes telling a malicious link from a safe one difficult.
Vishing
Vishing is voice phishing, carried out by calling the target’s telephone. Vishing attacks can be automated, playing a pre-recorded message when the call is answered, or run by a human, in which case a threat actor uses social engineering to impersonate a customer service representative (often from a financial institution) calling to inform the target that there is an issue with their account. This leads to a CTA in which the victim is asked to state their login credentials in order to verify their identity and ‘re-secure’ their account.
Whale Phishing
Whale phishing (also known as ‘whaling’) refers not to the technology used to phish but to the intended target. It is a form of spear phishing aimed at senior members of an organization, such as executives and board members, whose information (and access to information) far surpasses that of lower-rung employees in value. Because of the targets’ seniority, whale phishing can have catastrophic effects on an organization. In 2016, Austrian aviation company FACC fired its CEO after a whaling attack he fell for resulted in $58 million in losses! These attacks show how important it is for security vigilance to be practiced at every level of the corporate ladder.
Ways to Combat Phishing
While phishing can incorporate many advanced programs and technologies, there is almost always a human element at its core: malicious actors count on their ability to fool their targets through social engineering. Because of this human element, one does not need to be a cybersecurity expert to combat phishing. There are several common-sense steps that everyone, from the most junior employee to the most powerful executive, can take to protect against phishing attacks:
Be wary of emails you are not expecting.
Disable automatic loading of images and external content; phishing emails often include a clickable image that bypasses the security filters meant to catch suspicious links.
Before you click any link, hover your cursor over it. If the URL that appears (usually in the bottom left corner of the window) does not match the website you expect, it could lead to a malicious site.
If you receive an unsolicited attachment in an email, even from someone you know, think before you click! Cybercriminals can "spoof" the return address to make a message look as if it came from a known contact. If you can, check with the person who supposedly sent the message to make sure they meant to send an attachment. This applies equally to emails that appear to come from your internet service provider (ISP) or a software vendor and claim to include patches or antivirus software (these are not sent via email!).
Following these tips is a good first step for anyone wanting to protect themselves from phishing, whatever their level of cybersecurity expertise.
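As an added illustration (not part of the original article), the following Python script automates two of the checks discussed above against an HTML email: the hover check, which compares a link's visible text with its real destination, and a test for sender or link domains that closely resemble a trusted domain, the near-identical addresses spear phishers rely on. The trusted domain, the sample sender and the sample message are all constructed for this example.

```python
import re
from urllib.parse import urlparse

# Hypothetical trusted domain for this example; the regexes are simplified stand-ins for a real HTML parser.
TRUSTED_DOMAINS = {"examplebank.com"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
DOMAINISH_RE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?")

def host_of(text):
    """Lowercased host of a URL, bare domain or email address, minus any leading 'www.'."""
    s = text.strip().lower().rsplit("@", 1)[-1]
    host = urlparse(s if "://" in s else "http://" + s).hostname or ""
    return host[4:] if host.startswith("www.") else host
def edit_distance(a, b):
    """Levenshtein distance; a registered lookalike is usually one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
def lookalike_of(host):
    """Trusted domain that host imitates, or None when host is trusted or unrelated."""
    if host in TRUSTED_DOMAINS or host.endswith(tuple("." + d for d in TRUSTED_DOMAINS)):
        return None
    for trusted in TRUSTED_DOMAINS:
        # e.g. examp1ebank.com, examplebank.co, or examplebank.com.verify-login.net
        if edit_distance(host, trusted) <= 2 or host.startswith(trusted + "."):
            return trusted
    return None
def analyze_email(sender, html):
    """Human-readable findings for one message; an empty list means no tell was found."""
    fake = lookalike_of(host_of(sender))
    findings = [f"sender {sender} imitates {fake}"] if fake else []
    for href, inner in ANCHOR_RE.findall(html):
        shown, real_host = TAG_RE.sub("", inner).strip(), host_of(href)
        # The hover check: the visible text names one site but the href goes to another.
        if DOMAINISH_RE.fullmatch(shown) and host_of(shown) != real_host:
            findings.append(f"link text shows {host_of(shown)} but points to {real_host}")
        elif lookalike_of(real_host):
            findings.append(f"link host {real_host} imitates {lookalike_of(real_host)}")
    return findings

# Constructed sample: a lookalike sender plus a link whose visible text and target disagree.
SAMPLE_SENDER = "security@examp1ebank.com"
SAMPLE_HTML = ('<a href="https://examplebank.com.verify-login.net/x">https://www.examplebank.com/login</a>'
               '<br><a href="https://examplebank.com/help">Help centre</a>')
if __name__ == "__main__": print("\n".join(analyze_email(SAMPLE_SENDER, SAMPLE_HTML)))
```

Run against the sample, the script reports both the imitation sender domain and the link whose displayed address disagrees with its real host, while the genuine help link passes.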