Phishing is one of the oldest types of cyberattacks, dating back to the 1990s. It only takes one successful phishing attack to compromise your network and steal your data. Phishing is hard to combat because it relies on deception.
Even the most sophisticated security software and hardware are not able to identify and block all phishing attacks. Everyone should learn how to protect themselves and their organization.
What Is Phishing?
A phishing attack is a form of fraudulent digital communication. Cybercriminals disguise their emails, websites, social media posts, instant messages, and other communications as coming from reputable, trustworthy sources in order to deceive the recipient. The end goal is to steal sensitive data such as passwords and credit card numbers, or to install malware on the victim's computer or device. Phishing is one of the most dangerous cyber threats facing organizations because the target is a person, not a system, so there is no single control that stops it.
5 Types of Phishing Explained
1. DECEPTIVE PHISHING
This is the most common type of phishing. Cybercriminals pose as a legitimate company and send the same lure to large numbers of recipients to harvest personal data or login credentials. These emails often use threats and a sense of urgency to pressure users into acting before they think. Fake password resets, phony invoices, and bogus shipping updates are among the most common deceptive phishing lures.
2. SPEAR PHISHING
Spear phishing is an email or other electronic communication scam aimed at a specific individual or group within an organization. Cybercriminals research their victims on social media and other websites so they can tailor and personalize the message and make it appear legitimate. A typical spear phishing email addresses the target by name, uses their role within the organization, and may reference real colleagues or projects.
3. WHALING
Whaling is a more targeted form of spear phishing that exploits the recipient's trust by impersonating a known authority figure, such as a senior executive within the company. Scammers collect names, email addresses, and phone numbers from the company website and from public profiles. This helps the cybercriminal map the hierarchy of the organization and decide who to impersonate in the bogus email. Whaling can be devastating to companies of all sizes, since the attack aims at sensitive data and financial information or at getting a wire transfer of funds approved.
4. SMISHING
Smishing is an attempt to collect logins or other sensitive information using the short message service (SMS), more commonly known as text messages, hence the term "smishing." This scam uses the same methods as other phishing techniques but takes a mobile-centered approach, for example asking the user to install a malicious app or to log in at a link that is hard to inspect on a small screen.
5. VISHING
Another phishing technique that does not use email is vishing, a phishing attack made with a voice call. Vishing combines traditional phishing methods with social engineering: the scammer claims to be a customer support representative, a tech support representative, or a salesperson. Scammers can spoof their caller ID so the call appears to come from a legitimate company, so the number shown on the phone is not proof of who is calling.
Phishing Attack Prevention
Fortunately, because phishing scams follow familiar patterns, most of them can be recognized and avoided if you know what to look for. Here are a few steps a company can take to protect itself against phishing:
1. KNOW WHAT A PHISHING SCAM LOOKS LIKE
New phishing lures appear constantly, but they share traits that can be identified if you know what to look for: an unexpected message, pressure to act immediately, a request for credentials or payment, and a link or attachment you did not ask for. There are many websites that report the latest phishing campaigns and help you recognize them. The more you know about current attack methods and share them through regular security awareness training, the more likely you are to avoid a potential attack. You can also contact Kappa; we can help you identify a phishing attack.
2. DO NOT CLICK LINKS OR OPEN ATTACHMENTS
If you don't know the sender and it is clearly something you don't need, delete the message and move on. If you don't know the sender but think the message may be legitimate, contact the organization that supposedly sent it, using contact details from its real website rather than from the message, to verify that it is genuine. If you know the sender but something about the email doesn't seem right, contact them through another channel to confirm they intentionally sent it. Hover over links before clicking: the address shown in the status bar is the real destination, and it should belong to the organization's actual domain, not merely contain the company name somewhere inside a longer hostname. The visible link text can say anything, so judge the destination, not the text.
3. DON'T GIVE YOUR INFORMATION TO AN UNSECURED WEBSITE
If the URL of the website doesn't start with "https", or you don't see a closed padlock icon next to the URL, do not enter any sensitive information or download files from that site. Be aware, though, that the padlock only means the connection is encrypted to whoever holds the certificate for that domain; it says nothing about who that is. Certificates are free and easy to obtain, so a large share of phishing pages now show a padlock too. Treat a missing padlock as a reason to stop, and treat a present padlock as necessary but not sufficient: you still need to check that the domain in the address bar is the one you expect.
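The link checks described under steps 2 and 3 can be automated for a whole message before anyone hovers over anything. The following Python script is an added example, not code from the original article or from Kappa. It parses the anchors out of an HTML email body and flags the classic tricks: visible link text that names one domain while the href goes to another, a trusted brand name buried in a subdomain of an unrelated registered domain, plain http, a raw IP address host, a user@host URL, and punycode or non-ASCII hostnames. The sample email body and the trusted domain `example-bank.com` are constructed for illustration, and `registered_domain` is a deliberately crude two-label heuristic that does not understand multi-part public suffixes such as co.uk.

```python
"""Flag suspicious links in an HTML e-mail body (added example; sample data is constructed)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: the domain this organisation legitimately uses. Any other registered
# domain that embeds this name in a subdomain is treated as a lookalike.
TRUSTED_DOMAINS = {"example-bank.com"}

# Visible anchor text that itself looks like a URL or bare domain.
URL_TEXT = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registered_domain(host):
    """Crude registrable domain: last two labels ('www.example-bank.com' -> 'example-bank.com').
    Hypothetical helper; it does not handle suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def check_link(href, text):
    """Return the list of reasons a link is suspicious; an empty list means nothing was found."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        return [f"non-web or malformed link: {href!r}"]
    if parts.scheme != "https":
        reasons.append("plain http")
    if IPV4.fullmatch(host):
        reasons.append("raw IP address host")
    if not host.isascii() or "xn--" in host:
        reasons.append("punycode or non-ASCII hostname (possible homograph)")
    if parts.username is not None:
        reasons.append("credentials in URL (user@host trick)")
    actual = registered_domain(host)
    # Visible text names a domain: it must resolve to the same registered domain as the href.
    if URL_TEXT.match(text):
        shown = urlsplit(text if "://" in text else "//" + text).hostname or ""
        if shown and registered_domain(shown) != actual:
            reasons.append(f"text shows {shown} but link goes to {host}")
    # Trusted brand used as a subdomain of some other registered domain.
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and actual != trusted:
            reasons.append(f"{trusted!r} appears inside untrusted domain {actual}")
    return reasons


def audit_email(html):
    """Map each flagged href in the message to its list of reasons."""
    findings = {}
    for href, text in extract_links(html):
        reasons = check_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample message: two phishing links and one legitimate one.
SAMPLE_EMAIL = """
<p>Your account has been locked. <a href="https://example-bank.com.secure-login-verify.net/reset">
Reset your password</a> within 24 hours.</p>
<p>Or visit <a href="http://203.0.113.10/login">https://www.example-bank.com/login</a>.</p>
<p>Questions? <a href="https://www.example-bank.com/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for href, reasons in audit_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the first link is flagged because `example-bank.com` is only a subdomain of `secure-login-verify.net`, the second because it uses plain http to a raw IP while its visible text claims to be the bank, and the help-centre link passes. The same checks belong in a mail gateway rule or a user-reporting triage script, where the message is available as HTML rather than as a rendered page.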
4. KEEP UP WITH BROWSER UPDATES
Security patches and updates close the holes that current attack methods exploit. If you don't update your browser, a phishing link can lead to a page that exploits a known, already-fixed vulnerability, so you lose even when you enter nothing on the page. If you typically dismiss messages about updating your browser, stop doing that: install updates as soon as they are available, and turn on automatic updates where the browser offers them.