September 30, 2024
Phishing is one of the biggest threats to information security, and the impact on companies can be severe. In light of October being Cyber Security Awareness month, it’s a good time to explore the cause and effect of phishing scams and learn strategies to help avoid the potential harm.
Phishing is a type of social engineering scam, where cybercriminals pose as legitimate companies, people, or institutions in emails or text messages, to trick recipients into sharing financial information, corporate credentials, or other sensitive data. The scammer may ask the recipient to click on a link or attachment, which infects the recipient’s computer with malware that steals information directly or reroutes the recipient to a fake website that asks for sensitive information.
In 2024, IBM's Cost of a Data Breach report found that phishing accounts for 15% of all breaches, making it the most common method. Unsurprisingly, a majority (71%) of organizations experienced at least one successful phishing attack in 2023, according to ProofPoint.
Phishing often takes the form of something an employee is expecting, such as an HR document, a shipping confirmation, or an IT department request to change a password. In fact, Verizon’s 2024 Data Breach Investigations Report found phishing is the most common credential-related attack, accounting for 14% of breaches. The email may even appear to come from the company’s senior leaders and be designed to play on people’s insecurities, and uncertainties, making them even more difficult to recognize.
There are a variety of phishing types, and cybercriminals get more sophisticated every day. That said, there are some common kinds of phishing you and your staff should know how to recognize.
Email Phishing
Also known as deception phishing, this common scheme occurs when malicious characters send an email impersonating a recognized company or brand. Using social engineering tactics, they direct people to click on a link or download an attachment, stressing an urgency to act. Links go to malicious websites that either steal credentials or install malware on a user’s device.
How to identify: Look for something “off” about the email address or misspellings or misused words in the body of the text.
Spear Phishing
This type of attack is more targeted. Cybercriminals gather information from company websites about specific individuals and design emails or texts to appear as if they’re sent from internal individuals, often using their names, titles, telephone numbers, and email addresses. Since recipients think a colleague is reaching out, they’re more likely to click on links or download malware. For example, a recent series of phishing attacks that targeted iPhone users used messages that appeared as though they were from Apple.
How to identify: Look for abnormal requests, including someone asking for highly sensitive information, such as passwords.
Whale Phishing
Along the same lines as spear phishing, whale phishing occurs when a cybercriminal impersonates a senior company leader. These emails may request a money transfer or ask the recipient to review a document, prompting them to click on external links and share sensitive information.
How to identify: As with other types of attacks, read with a close eye for any phishing “tells,” like something unusual, before clicking on links.
Vishing/Smishing/and Angler Attacks
These are similar to email phishing but involve phone calls (vishing), texts (smishing), or social media messages (angler attacks). Criminals create a heightened sense of urgency and spur the recipient to act. These communications often occur during stressful times. For example, the United States Postal Inspection Service recently issued a warning about bad actors claiming to be Postal Inspectors, or USPS and USPIS employees, claiming they need to verify personal information.
How to identify: Remember that no legitimate entity will make an unsolicited request for confidential information via phone, text, or social media.
Credit Card Data Breach
This involves the large-scale exposure of confidential data. Criminals use nefarious tactics, such as phishing, to obtain collective credit card information in a single attack. These strategies enable criminals to infiltrate their target's websites or applications, potentially granting them access to a breadth of financial information simultaneously.
How to identify: Monitor your credit card statements for any unfamiliar charges. Often, bad actors will make small purchases to “verify” stolen credit card numbers before making larger ones.
There are several negative effects, including significant financial implications. According to IBM, the average cost of a data breach alone is $4.88 million, and phishing attacks, on average, cost organizations $4.76 million. An infiltration can also introduce viruses, halt productivity, and compromise sensitive data on a broader scale. A company’s reputation can suffer with wide-reaching financial and operational repercussions.
**This article is for general information purposes only and should not be construed as legal advice on any specific facts or circumstances.