What Is Phishing? How Does Phishing Work?

Phishing has become a well-known term in the world of cybercrime and defense. This is because phishing cyber attacks can be so damaging.

Suffering a phishing attack is bad news for your business.

But what exactly is phishing? What happens during one of these attacks?

We’ll break it down for you, delivering you the insight you need to bolster your own security processes against unscrupulous hackers.

What Is Phishing?

Phishing is a type of cybercrime that targets individuals by email, telephone, or text message in an attempt to lure them into revealing sensitive information.

This sensitive information is often personal information such as:

  • Usernames
  • Passwords
  • Email addresses
  • Phone numbers
  • Account numbers
  • Banking information
  • Credit card numbers

Attackers can then use this information to access accounts, steal identities, download sensitive data, and wreak havoc on your finances.

How Do Phishing Attacks Work?

There are a number of different types of phishing attacks that are used today.

The most common type of phishing involves the receipt of a message — usually an email — that forms a point of access between the hacker and your business.

This includes the following:

  • A link within the email or message that leads to an unsecured webpage or fake website. This webpage may make further requests.
  • An attachment to the email containing a Trojan or another piece of malicious software that will trawl the user’s computer for information.
  • Deception, or spoofing, that makes the email recipient believe they are talking to someone they can trust. This means the user may hand over information in confidence — confidence that turns out to be misplaced.
  • A phone call. In some cases, brazen phishing scammers may make contact over the phone, impersonating an entity such as a supplier, a distributor, or another department, and fraudulently extract information in this way.

When it comes to Trojans and other pieces of malicious software, there may not be a specific objective in mind. Instead, hackers may simply hope that the software goes undetected, picking up as much data as possible in the long term.

Phishing Techniques

Less well known are the terms spear-phishing and whaling.

These concepts relate to the techniques deployed by a hacker, as well as the objectives they have in mind.

Spear Phishing

In a spear phishing attack, a hacker targets a specific individual whom they consider to be a weak point or a gatekeeper for particularly sensitive information.

They then target this staff member using one of the methods discussed above to get the data they need.

Whale Phishing

In a whale phishing attack, the technique is a little different.

Here, phishers go after a “whale” — i.e. a member of upper management or an executive — and aim to acquire high-level information.

They may have a specific objective or they may just seek to gain as much valuable data as possible.

The Aftermath of a Phishing Attack

The specifics of the aftermath of a phishing attack depend on the value and amount of data lost.

However, there are some common events that typically follow a damaging attack:

  • Your business reputation is damaged as you have not been able to secure client or employee data
  • You may undergo a review to check that your data security policies match up to state and federal regulation to protect against future data breaches
  • You carry out an internal review to implement better safety and security practices going forward
  • You introduce better training for staff at all levels so they know how to identify an attack

Creating an Effective Anti-Phishing Strategy

Phishing attacks are becoming increasingly sophisticated. Each time defenders catch up with a cybercriminal’s approach, the criminals devise a new trick.

If your business has survived phishing attacks so far, it may be due to luck rather than having an effective anti-phishing strategy.

If this is an area of IT security that you don’t spend much time thinking about, here’s how you can make your approach more effective.

Educate Your Staff on Phishing

Your employees are your biggest vulnerability when it comes to phishing. At the same time, they can be one of your first lines of defense.

Make sure your employees maintain a high index of suspicion toward emails they don’t recognize. In many cases, suspicious emails arrive unexpectedly, contain unexpected links, or simply seem odd.

Although educating your employees may seem time-consuming, you’ll be rewarded for your efforts later.

Around one in every 99 emails[1] is a phishing email. That means your employees could be batting off a handful of attacks each week.

Investing in their education is worth your time and resources.

Secure Your Browsers

In the event that an employee does click on a suspicious link, you need to decrease the likelihood that it’ll cause harm.

Add extensions to your browsers (or enable the browser’s built-in HTTPS-only mode) so that only HTTPS websites load. As a result, plain-HTTP pages and sites with expired or invalid security certificates are blocked before they can do harm.

As a side note, it’s important to update your browsers too. Make sure your IT team prioritizes browser updates, as failing to do so could increase your vulnerability to phishing.

Perform Software Updates

When you’re prompted to update your software, you’re patching a vulnerability. All software ships with vulnerabilities, but they’re usually not discovered until after release.

In response to those vulnerabilities, your software provider releases updates. Updating your software closes entry points that cybercriminals could otherwise use.

In addition to applying automatic updates promptly, check for outstanding updates as part of routine maintenance, since not every product updates itself. As a result, you’ll reduce the number of threats that unpatched programs pose to your organization.

Run Employee Simulations

One of the best ways to assess whether your education efforts have taken hold is to run an employee simulation. You can either do this during the training or as a random exercise afterward.

As part of your simulation, send your employees an email that reflects current phishing tactics. If they click a link in the email, make sure it opens a page explaining what the tactic was and how to recognize it in the future.

Cybercriminals are constantly changing their approach, so make sure you look for details of the latest trends and run simulations that reflect them.

For example, in Q3 of 2018, social engineering attacks had risen by 233%[2]. Changes in trends suggest that phishers are changing their approach too.

Look at Alternative Sources

Phishing doesn’t just occur by email. Cybercriminals will use other sources too, such as social media apps.

Make sure your employees know to exercise caution when using apps such as Facebook Messenger.

If they’re going to be really strict about their efforts, they won’t accept friend requests from people they don’t know.

We All Think That a Phishing Attack Will Not Fool Us — That We Are Too Smart for the Hackers.

However, it is not a case of “being smart” or “not being smart”.

Instead, it is a case of recognizing the range of techniques that malicious hackers deploy and having the right procedures in place to stop those hackers in their tracks.

With a multifaceted approach, you’re more likely to guard yourself against phishing attempts. Just make sure you change your tactics from time to time too.

Speak to our team today to learn more.

Sources:
[1] https://smallbiztrends.com/2019/07/phishing-statistics.html
[2] https://www.proofpoint.com/us/resources/threat-reports/quarterly-threat-analysis