What is Phishing?
Phishing is a form of cyberattack that targets weaknesses in humans and technical weaknesses in organizations and networks. Phishing attacks continue to make front-page news on a daily basis.
When the COVID-19 pandemic broke out, cybercriminals seized the moment and started attacking every sector and vertical. It was a perfect storm: organizations had their workforce working remotely, and far too many of them let their guard down and stopped providing cybersecurity training during that time, which in retrospect was a huge and sometimes costly mistake. The healthcare industry in particular was hit hard, suffering $20.8 billion in losses from downtime.
We have learned that no matter how small or large your organization is, the question is not if you will be hit but when. Are your employees up to the task of identifying a phishing scam? Are they trained on how to report a phish? These two areas are critical to keeping your organization secure and not being held hostage by cybercriminals.
Phishing by the Numbers
Cybercrime has exploded, with 75% of organizations around the world experiencing phishing attacks. Did you know that more than 306 billion email messages are sent every day worldwide, and approximately 70% of cyberattacks start with phishing emails? Phishing attacks account for more than 80% of reported security incidents. Another staggering number is that CEO fraud or business email compromise (BEC) has grown to a $26 billion scam.
The only way to properly defend your organization is to train your employees with simulated phishing scams and follow up with remedial training. Then repeat that process monthly to ensure that your employees are your last line of defense when your security controls fail.
So, to answer the question “what is phishing,” the sections below explain the different types of phishing and how they’re playing out in the online world.
What’s New: Phishing Sophistication
Spear phishing is very precise and is tailored to an individual victim, which is what makes it so dangerous. In fact, 91% of cyberattacks start with a spear-phishing email, and it is the method of phishing that hackers prefer. That means the cybercriminal has done research before launching the attack, and the scam is tailored to the victim(s).
Unlike general phishing scams, spear-phishing is designed to target victims who have something of value to the attacker – money, data or access to information. Spear phishing is not only the fastest-growing version of phishing but has also increased in sophistication in the last few years as attackers take advantage of new technologies to hide their tracks. These technologies include email spoofing, Caller ID spoofing and IP spoofing.
Another new technique allows phishers to use server-parsed HTML (SHTML) attachments, a file format most often used by web servers, to direct a victim to a malicious site when the attachment is opened. This is a reminder to always check the file format of an attachment and the URL of a linked site to confirm you ended up where you intended.
To learn more about the different spear-phishing techniques and how to spot them, read GLS’ article, What is Spear Phishing?
Spoofing is when a cybercriminal disguises an email address, sender name, website URL or phone number – often by changing just one letter, symbol or number – to convince you that you are interacting with a trusted source.
For example, you might receive an email that appears to be from a co-worker, a company you’re doing business with, or even a family member – but it isn’t.
As the FBI reports: “Criminals count on being able to manipulate you into believing that these spoofed communications are real, which can lead you to download malicious software, send money or disclose personal, financial or other sensitive information.”
BEC is another phishing technique that has seen exponential growth. According to the FBI’s 2020 Internet Crime Report, the Internet Crime Complaint Center (IC3) received 19,369 BEC/EAC (email account compromise) complaints with adjusted losses of over $1.8 billion. The FBI reports this as one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business – both personal and professional.
BEC is a type of spear phishing whereby a scammer identifies a target using online information about an organization or an individual. The target generally has the ability to execute financial transactions or provide valuable data. The scammer then assumes the identity of someone who has authority over the target, such as an executive within the organization. Through emails that appear to come from that authority, the scammer begins to slowly gain the target’s trust, leading to a request for the target to instigate a business transaction, such as a wire transfer, or to share confidential data.
BECs often use the same elements as general phishing attacks – targeting mid-level personnel, using spoofed email domains and addresses, emphasizing time-sensitive transactions and sometimes specifying a need for secrecy. Since the assumed identity is often the company’s CEO, especially with small- and medium-sized businesses, BEC is also referred to as CEO fraud.
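The markers described above for spoofed sender addresses (a single changed character), SHTML/HTML attachments and BEC-style requests (urgency, secrecy, a payment) can be checked mechanically before a message reaches an inbox. The following is an added example written for this page, not code from Global Learning Systems or from the FBI; the trusted domain list, the keyword lists and both sample messages are constructed for the demonstration, and the scoring is a simple heuristic rather than a complete mail-filtering product.

```python
"""Triage an inbound email for the phishing markers described above: a sender
domain one character off a trusted one (spoofing), a Reply-To that diverts the
conversation, BEC-style urgency, secrecy and payment language, and HTML/SHTML
attachments. Added example for this page, not Global Learning Systems' code;
the trusted domains, term lists and sample messages are constructed."""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Assumption: the organisation's own domain plus a partner it pays regularly.
TRUSTED_DOMAINS = {"example.com", "partner-bank.example"}

URGENCY_TERMS = ("urgent", "immediately", "today", "asap", "time-sensitive")
SECRECY_TERMS = ("confidential", "do not discuss", "keep this between us", "discreet")
PAYMENT_TERMS = ("wire transfer", "gift card", "prepaid card", "invoice")
RISKY_EXTENSIONS = (".shtml", ".html", ".htm")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is the 'change one letter' spoof."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this sender domain imitates, else None."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def triage(raw: bytes) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    sender_domain = ""
    if msg["From"] and msg["From"].addresses:
        sender_domain = msg["From"].addresses[0].domain.lower()
        imitated = lookalike_of(sender_domain)
        if imitated:
            findings.append(f"sender domain {sender_domain} imitates {imitated}")

    # A Reply-To on another domain quietly moves the conversation to the scammer.
    if msg["Reply-To"] and msg["Reply-To"].addresses:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != sender_domain:
            findings.append(f"replies diverted to {reply_domain}")

    # Urgency, secrecy and payment wording across subject and plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    for label, terms in (("urgency", URGENCY_TERMS), ("secrecy", SECRECY_TERMS),
                         ("payment", PAYMENT_TERMS)):
        hits = [t for t in terms if t in text]
        if hits:
            findings.append(f"{label} language: {', '.join(hits)}")

    # SHTML/HTML attachments open in the browser and can redirect on open.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment {name} is an HTML/SHTML file")
    return findings


def build_ceo_fraud_sample() -> bytes:
    """Constructed message in the CEO-fraud shape the article describes."""
    m = EmailMessage()
    m["From"] = "Jane Doe <jane.doe@exampIe.com>"  # capital I standing in for l
    m["To"] = "accounts@example.com"
    m["Reply-To"] = "jane.doe.ceo@webmail.example"
    m["Subject"] = "URGENT: wire transfer needed today"
    m.set_content("Please process this wire transfer immediately. Keep this between us.")
    m.add_attachment(b"placeholder bytes, not a real attachment",
                     maintype="application", subtype="octet-stream",
                     filename="invoice.shtml")
    return m.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed internal message that should raise no findings."""
    m = EmailMessage()
    m["From"] = "Jane Doe <jane.doe@example.com>"
    m["To"] = "accounts@example.com"
    m["Subject"] = "Q3 budget review notes"
    m.set_content("Notes from the review are in the shared folder.")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_ceo_fraud_sample()):
        print("-", finding)
```

Run as a script, it lists six findings for the constructed CEO-fraud message and none for the benign one. Each finding on its own is weak evidence (plenty of genuine mail is urgent, and plenty of genuine vendors send invoices), which is why the function returns the individual findings rather than a verdict: the combination of a look-alike sender, a diverted Reply-To and a payment request is what an analyst or a mail gateway should act on, and the individual reasons are what a reporting employee needs to see.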
Another growing problem is tech support fraud, an attack involving a criminal who claims to provide customer, security or technical service or support to defraud unsuspecting individuals. We have all heard about or experienced criminals posing as support or customer service reps, offering to resolve issues such as a compromised email account or bank account, a software license renewal or a computer virus.
Recently, criminals have been posing as customer support for financial institutions, utility companies and virtual currency exchanges. Many victims report being directed to make wire transfers to overseas accounts or to purchase large amounts of prepaid cards.
COVID-19 pandemic lockdowns caused a brief slowdown in this type of fraudulent activity, but victims still reported increases in incidents and losses due to tech support fraud. In 2020, the IC3 received 15,421 complaints related to tech support fraud from victims in 60 countries. The losses amounted to over $146 million, a 171% increase in losses from 2019. The majority of victims are over age 60, and that group experienced at least 84% of the losses (over $116 million).
Have you ever read or answered a sharing survey on Facebook? Or replied to a personal question on Instagram? Social media can be a great way to connect with friends, but reports to the FTC’s Consumer Sentinel Network suggest that social media websites and apps have become popular hangouts for scammers. Posts and comments are turning social media platforms into ideal phishing venues. Publicly shared personal details put you at risk of becoming a phishing target, sometimes only because you have shared enough information that the scammer can easily build a profile and a story to trick you. There is an added bonus for phishers, too: they may also earn a commission from another source for getting a user to click on a link.
As a best practice on social media, lock down your privacy and security settings and only share information with people you want to know what you are doing. Be careful about posting information about going out of town, as this opens up the possibility of your home being robbed while you are away. This includes posting pictures while you are gone; instead, wait until you return home to post travel shots. Attackers may also phish for personal details in comment sections or chats on social media.
According to the FBI, cases are on the rise involving adults who threaten or coerce teens and children into sending explicit images online. This crime is called sextortion. As the FBI reports:
“Sextortion can start on any site, app or game where people meet and communicate. In some cases, the first contact from the criminal will be a threat. The person may claim they already have a revealing picture or video of a child that they will share if the victim does not send more pictures. More often, however, this crime starts when young people believe they are communicating with someone their own age who is interested in a relationship or with someone who is offering something of value. The adult will use threats, gifts, money, flattery, lies or other methods to get a young person to produce an image.
“After the criminal has one or more videos or pictures, they threaten to share or publish that content, or they threaten violence, to get the victim to produce more images. The shame, fear and confusion children feel when caught in this cycle often prevents them from asking for help or reporting the abuse. Caregivers and young people should understand how the crime occurs and openly discuss online safety.”
Back to the Question: What is Phishing?
Phishing is a catch-all name for deception scams that rely on social engineering to trick a victim into sharing sensitive information. Although phishing scams can take many forms, most people think of phishing as a mass email with a fraudulent request to reply to the message, click a link and enter personal information on the resulting website or open an attachment that could contain malware.
Phishing emails may impersonate a vendor you trust, a service provider, a colleague, or even a family member. The sensitive information requested might be a username and password, birthdate, social security number, credit card number, etc.
Smishing is phishing by SMS or other text-messaging apps. All types of phishing scams – basic phishing, spear phishing, BEC, whaling, etc. – can have a texting component. Scammers can spoof texting IDs, telephone numbers and caller IDs to make it appear that messages are coming from known colleagues or trusted organizations. In addition, be aware that team collaboration tools like Slack and Microsoft® Teams have become the latest venue for smishing scams.
Always research and verify text message legitimacy, just as you would with any other message type. Also, remain on guard and never click embedded links.
Vishing is phishing by telephone. It can be mass-audience phishing – for example, a common voicemail message supposedly from the national tax agency threatening legal action if overdue tax payments are not made immediately. Another example is the “IT support scam” where a phisher randomly calls employees of a company offering to help with “the IT issue they reported.” Eventually, they reach someone who had reported an issue, and they infiltrate the company as they provide supposed help.
Vishing can also be spear phishing. Sometimes scammers choose a target from a long list of possibilities; other times, vishing is used to gather specific information for a BEC or whaling scheme in the making. The best way to protect yourself is to never share any sensitive information when someone initiates a phone call with you. Look up the number from a trusted source and return the call yourself.
Whaling is phishing that targets the “big phish.” Company executives sometimes lack attention to detail when juggling the many priorities that keep them busy and under pressure. Their quick decision-making is an art that makes them successful, but it can also render them susceptible to con artists who impersonate trusted colleagues (other C-suite executives, board members, attorneys, etc.). Perpetrators may request large payments for a task or project that seems legitimate at the time. It is only upon further scrutiny of the details that the scam is uncovered – usually too late. When successful, whaling often leads to the largest type of phishing payday for the scammers.
What Can YOU Do About Phishing?
As you become more familiar with what phishing is, it’s important to report attempts or breaches to help crack down on cybercriminals. To report spoofing or phishing attempts – or if you have been a victim – file a complaint with the FBI’s Internet Crime Complaint Center (IC3).
Online anti-phishing training from Global Learning Systems teaches employees about phishing and social engineering threats using an interactive, scenario-based format. The inclusion of gamification and achievement elements engages the user while building understanding of how the attacks work and how to handle them.