What is Phishing? Tips to Identify and Prevent Cyber Scams
Written by: Black Kite
Last year, 74% of companies experienced a successful phishing attack. As phishing attempts become harder to detect, this gateway to many cyberattacks continues to threaten the global cyber ecosystem. Knowing what to look for is the key to mitigating attacks before it’s too late.
Phishing is defined by NIST as a technique to acquire sensitive data through fraudulent solicitation. The perpetrator usually masquerades itself as a legitimate business or authoritative person. Although the overall goal to steal data is the same, not all phishing attempts look the same, or come from the same source.
1. Mass Email Campaigns Across Corporate Entities
The average cost of a phishing attack is $4.65 million in 2021— a large price to pay for a single employee’s click on a fraudulent email. Threat actors know the more access to confidential data, the higher the reward. Industries that are most at risk for a phishing attack include financial institutions, social media, SaaS/ webmail, and payment.
Human error accounts for 90% of cyber breaches. Despite human error accounting for 90% of cyber breaches, most (97%) employees are unable to recognize a sophisticated phishing attempt. Awareness training on behalf of a company can be the initiative that saves a company from compromising confidential information through network phishing.
2. Spear Phishing: An Analysis of Your Personality
One of the top three reasons why individuals click on phishing scams is because it “looks legitimate.” Spear phishing is an effective tactic that targets an individual with information that is specific to them, making the messaging look more legitimate.
Online phishing is more than just email scams. There are fake recruiters over LinkedIn stealing SSNs, fake calendar invites that download malicious software, private messages on social media that include fraudulent links, text messages that try to extract personal information, and more.
Social engineering in information security is the psychological manipulation of a target to get them to communicate confidential information. Cybercriminals are using social engineering to piece together information from targeted individuals and computer systems to equip them with the information needed to carry out a successful cyber breach.
Social engineering phishing attempts have evolved from general information farming to case-by-case personality analysis. Instead of names of people you keep in contact with, services you use, etc., a cybercriminal can hyper-target an individual by using their behavior to determine the type of cyber attack that would be most effective.
Be mindful of what you post on social media. A cybercriminal doesn’t need to do much legwork if the target has posted personal details online. When you post all of your thoughts, interests, and habits, it makes it easier for attackers to know what will get you to act.
3. Smishing: Phishing Goes Mobile
Smishing is another form of phishing where threat actors use mobile phones as a method to extract sensitive information. Attackers use SMS because targets are more likely to open a text message and are less likely to assume it’s a malicious attempt to obtain information.
Smishing messages are typically made to look like they are sent from a reliable source such as a bank, government agency, delivery service and utility company. The message often asks to confirm information so the sender knows that the phone number is active. They can then move forward with their attack.
Tips to Identify and Prevent a Phishing Scam
The ability to identify a phishing message is the key to avoid falling for a scam. In fact, 97% of employees are unable to identify a sophisticated phishing attempt. Companies can easily implement phishing awareness across their organization. An 87% improvement in phishing email clicks was observed among companies after the first year that phishing awareness was addressed.
- Protect email security: If an email seems off, hover your cursor over the sender’s name. You will be able to see what the actual email address is. It may look like a trusted address but will often include a typo or hyperlink to a different address.
- Think before you click: Don’t click on links or downloads you weren’t expecting to receive. If it seems like normal communication, it never hurts to follow up through another means of communication and ask the sender if they sent the message. If a brand you order from sends you a link about suspicious account activity, go through their official website, not the link.
Another tactic is to hover over links to see what the actual address is. If it is a shortened address (bit.ly) or a long and convoluted link, consider that it may be a phishing attempt. - Be aware of the most common phishing messages: Immediate password check required, billing information out of date, payroll has been delayed, updated vacation policy, and confidential information about COVID-19.
The Federal Trade Commission outlines four steps to avoid phishing:
- Protect your computer with security software.
Setting email systems to update automatically will install new patches to protect against outdated vulnerabilities that threat actors use to infiltrate systems.
- Protect your mobile phone by setting software to update automatically.
Updates include protection against new forms of malicious activity.
- Protect your accounts by using multi-factor authorization (MFA).
MFA adds an extra layer of protection to your account, making it difficult for threat actors to gain access even if your username and password have been compromised. Examples of MFA components include an authentication code sent to another device and a fingerprint or face scan.
- Protect your data by backing it up.
Back up your data to a cloud or an external hard drive outside your home network.
If you ever find yourself rushing into completing unexpected tasks, or providing a bit more information than makes sense in a certain context, stop and think about it. Phishing is constantly evolving, and although it would be virtually impossible to avoid these situations entirely, adopt an awareness-first mindset by understanding where these vulnerabilities lie.
Detect if your domain name is being used in phishing scams with Black Kite’s free Phishing Domain tool.
Curious if you have been a victim? Check out our free cyber intelligence services to find out.
Resources
[1] Statista, 2021.
https://www.statista.com/statistics/1149219/share-organizations-worldwide-phishing-attack-country/
[2] SecurityBoulevard, 2021.
https://securityboulevard.com/2021/01/how-to-avoid-the-phishing-bait-in-2021/
3] Expert Insights, 2021.
https://expertinsights.com/insights/50-phishing-stats-you-should-know/
[4] Verizon, 2021.
https://www.verizon.com/business/resources/reports/dbir/
[5] Phish Labs:
https://www.phishlabs.com/blog/quarter-phishing-attacks-hosted-https-domains/
[6] Safety Detectives, 2021.
https://www.safetydetectives.com/blog/what-is-smishing-sms-phishing-facts/
[7] Securelogix, 2021.
https://securelogix.com/news/vishing-explained-how-voice-phishing-attacks-scam-victims/