An Essential Guide to Recognizing and Preventing Phishing Attacks

Phishing is one of the biggest threats to information security, and the impact on companies can be severe. In light of October being National Cybersecurity Awareness month, it’s a good time to explore the cause and effect of phishing scams and learn strategies to help avoid the potential harm.

What Is Phishing?

Phishing is a type of social engineering scam, where cybercriminals pose as legitimate companies, people, or institutions in emails or text messages, to trick recipients into sharing financial information, corporate credentials, or other sensitive data. The scammer may ask the recipient to click on a link or attachment, which infects the recipient’s computer with malware that steals information directly or reroutes the recipient to a fake website that asks for sensitive information.

How Common Is a Phishing Attack?

In 2024, IBM's Cost of a Data Breach report found that phishing accounts for 15% of all breaches, making it the most common method. Unsurprisingly, a majority (71%) of organizations experienced at least one successful phishing attack in 2023, according to ProofPoint.

Phishing often takes the form of something an employee is expecting, such as an HR document, a shipping confirmation, or an IT department request to change a password. In fact, Verizon’s 2024 Data Breach Investigations Report found phishing is the most common credential-related attack, accounting for 14% of breaches. The email may even appear to come from the company’s senior leaders and be designed to play on people’s insecurities, and uncertainties, making them even more difficult to recognize.

What Are Different Types of Phishing Attacks?

There are a variety of phishing types, and cybercriminals get more sophisticated every day. That said, there are some common kinds of phishing you and your staff should know how to recognize.

Email Phishing

Also known as deception phishing, this common scheme occurs when malicious characters send an email impersonating a recognized company or brand. Using social engineering tactics, they direct people to click on a link or download an attachment, stressing an urgency to act. Links go to malicious websites that either steal credentials or install malware on a user’s device.

How to identify: Look for something “off” about the email address or misspellings or misused words in the body of the text.
 
Spear Phishing

This type of attack is more targeted. Cybercriminals gather information from company websites about specific individuals and design emails or texts to appear as if they’re sent from internal individuals, often using their names, titles, telephone numbers, and email addresses. Since recipients think a colleague is reaching out, they’re more likely to click on links or download malware. For example, a recent series of phishing attacks that targeted iPhone users used messages that appeared as though they were from Apple.

How to identify: Look for abnormal requests, including someone asking for highly sensitive information, such as passwords.
 
Whale Phishing

Along the same lines as spear phishing, whale phishing occurs when a cybercriminal impersonates a senior company leader. These emails may request a money transfer or ask the recipient to review a document, prompting them to click on external links and share sensitive information.

How to identify: As with other types of attacks, read with a close eye for any phishing “tells,” like something unusual, before clicking on links.
 
Vishing/Smishing/and Angler Attacks

These are similar to email phishing but involve phone calls (vishing), texts (smishing), or social media messages (angler attacks). Criminals create a heightened sense of urgency and spur the recipient to act. These communications often occur during stressful times. For example, the United States Postal Inspection Service recently issued a warning about bad actors claiming to be Postal Inspectors, or USPS and USPIS employees, claiming they need to verify personal information.

How to identify: Remember that no legitimate entity will make an unsolicited request for confidential information via phone, text, or social media.

Credit Card Data Breach

This involves the large-scale exposure of confidential data. Criminals use nefarious tactics, such as phishing, to obtain collective credit card information in a single attack. These strategies enable criminals to infiltrate their target's websites or applications, potentially granting them access to a breadth of financial information simultaneously.

How to identify: Monitor your credit card statements for any unfamiliar charges. Often, bad actors will make small purchases to “verify” stolen credit card numbers before making larger ones.

What Are the Consequences of Phishing Attacks?

There are several negative effects, including significant financial implications. According to IBM, the average cost of a data breach alone is $4.88 million, and phishing attacks, on average, cost organizations $4.76 million.  An infiltration can also introduce viruses, halt productivity, and compromise sensitive data on a broader scale. A company’s reputation can suffer with wide-reaching financial and operational repercussions.

What Are Some Tips for Reducing the Risk of Phishing Attacks?

• Understand that your employees should be the first line of defense. If they don’t click on suspicious communications, you can avoid the negative consequences of a phishing attack. The Cybersecurity & Infrastructure Security Agency outlines four ways to stay safe online, one of which is to recognize and report phishing. 
• Provide ongoing training on the effects of phishing and the employees’ role in mitigating risk. By identifying potential attacks early on, your company can alert users and possibly avoid a breach.
• Install IT safeguards, including anti-virus software, firewalls, and multi-factor authentication that can limit phishing and provide early warnings if there is a security compromise. Keeping cybersecurity protections up to date is critical.
• Restrict the number of people in the company who have access to sensitive and confidential information to further reduce risk. Encrypting sensitive data is also essential to mitigating harm should a scammer access data.
• Establish a reporting system so if an employee does click on a phishing link, they can let the appropriate people know and it can be addressed immediately.
• Make sure your physical security is robust through visible surveillance cameras, locked offices and desks, regularly scheduled professional document destruction, secure data backups, and policies that promote data security best practices.

What Should You Do if Your Company Experiences a Phishing Attack?

1. Notify your employees to change their passwords to prevent further infiltration and safeguard your company’s sensitive information.
2. Verify that your virus scans have not uncovered any suspicious issues. You may want to take this opportunity to examine existing cybersecurity protection measures to make sure they’re adequately protecting you. Email authentication technology, for example, can help prevent phishing emails from reaching your company’s inboxes in the first place.
3. If the attack results in a data breach, where sensitive information is compromised, be sure to follow your company’s data breach procedures to help protect both employees and customers. Also, report the attack to the Federal Trade Commission.
4. Use the experience as a teachable moment and provide training to staff on how to help prevent a future attack. 

Learn more about how Shred-it^® can help your company improve its information security program.

^{**This article is for general information purposes only and should not be construed as legal advice on any specific facts or circumstances.}