Phishing Attacks: A Definition
A phishing attack is when a fraudster sends an email to trick the recipient. The idea is to persuade the target into giving up sensitive information, for instance, your corporate network credentials, or perhaps to authorize some type of financial transaction. You’ve probably seen phishing emails in your personal inbox too, for example, the notorious “Nigerian Prince” who wants to make sure you get your share of his inexplicable fortune.
Phishing attacks started in the 1990s and are still going strong. The vast majority of data breaches against businesses today begin as phishing attacks or other forms of “social engineering,” a fancy term for manipulating unwitting victims. It’s the work of scam artists, part of an arsenal that includes counterfeit, forgery, and lies of all kinds. Phishing attackers play on human emotions like fear and urgency, so victims will take action before they stop and think—clicking a link to activate malware, filling out a login form with user name and password, or greenlighting the transfer of funds to a bogus account.
Phishing Emais with Malicious Links
Sometimes a phishing attack is simply an email with an embedded link. When you click, you either unknowingly activate malware or are directed to a webpage that looks perfectly legitimate but is designed to harvest your information.
Phishing Attacks with Malicious Attachments
Phishing attackers often send emails with attachments containing malware. When you click, look out. Many times phishing attackers use popular document types such as Microsoft Word or Excel or even Adobe PDFs. They take advantage of the trust people place in popular business tools.
Business Email Compromise (BEC)
A BEC phishing attack is good old fashioned fraud. BEC emails typically don’t use malware but simply try to manipulate the target into sending money. Traditionally, BEC phishing attacks try to get employees in the finance department to authorize wire transfers, for instance, to a “vendor” or “partner.” The phishing attackers might pretend to be the CEO or CFO to spur quick action.
Data Entry Phishing Attacks
In this type of phishing attack, the attacker wants you to do the heavy lifting. The phishing email might contain a link to a fake login page, where you supply your network credentials so you can perform an allegedly legitimate action, for example, reading and agreeing to a new corporate policy.
Why Phishing Attacks Are a Growing Problem
There are a number of reasons why phishing attacks are such a massive problem.
Phishing Attacks Are Easy to Launch
Phishing attackers strike with emails because it’s easy and effective. Email addresses are easy to get and, when you think about it, emails are basically free to send. With minimal effort, phishing attackers can gain access to valuable data. Victims of phishing attacks can find themselves dealing with malware infections, identity theft, and data loss.
Phishing attackers also target employees’ email, social media, and other accounts to compromise them and then use those accounts to launch attacks. Attackers sometimes try to obtain permissions to modify and compromise connected systems, like point-of-sale terminals and order processing systems. Some of the biggest data breaches, like the infamous Target breach back in 2013, start with a phishing email aimed at a connected system, maybe belonging to a vendor or another third party. When successful, phishing attackers can establish a beachhead in business systems and build on it.
Even Basic Phishing Attacks Can Deceive Recipients
Although phishing emails have been around for more than two decades, awareness of them has not prevented phishing attacks from growing. The FBI reports that successful phishing attacks were costing U.S. business half a billion dollars each year—and those are just the attacks organizations reported. Many more go unreported due to concerns about reputational damage.
Phishing Attacks Constantly Utilize New Tactics
Phishing is constantly evolving, so it’s important to be aware of the latest trends in phishing attacks. For example, whereas the percentage of phishing emails harboring “ransomware”—malware that locks down computer systems until a ransom is paid—has declined in the past couple of years, the IT security industry has identified an increase in the percentage of phishing emails with the goal of crypto-jacking the user´s computer. “Crypto-jacking” is the unauthorized use of a computer to mine cryptocurrency. Phishers deceive users into downloading cryptocurrency mining software, which runs quietly in the background. The proceeds are sent to the phishers, while the cost of paying for the extra processing power used by the computer or a cloud server is absorbed by the business.
Technology Alone Cannot Stop Phishing Attacks
Face it, all nets have holes. That includes the latest and greatest perimeter security technology, for example, secure email gateways. Cofense has found that 90% of the phishing emails reported to us by customers’ users were active in environments using email gateways. There is no silver bullet. Some phishing attacks will always get through and lurk in employees’ inboxes like ticking bombs.
It only takes one employee to disclose the log-in credentials to their corporate email account for a phishing attacker to pounce, taking remote control of the account and send phishing emails to colleagues, other businesses, and customers on the employee’s contact list.
As the employee’s account is regarded as a genuine source, the phishing emails will not be detected by email filters and the recipients will be more likely to interact with them. This could multiply the degree of damage done by the phishing email, not only to the business itself but also to customers and vendors.
You Need Educated Employees to Stop Phishing Attacks
Once a phishing attack gets by the email gateway and reaches employees’ inboxes, the employees themselves – the attack’s actual intended targets – are the final defense. If they aren’t educated and conditioned to spot and report all forms of phishing, employees are the weakest link. But that doesn’t have to be the case. A phishing awareness and education program can not only help to stop attacks but supply vital threat intelligence to your security teams.
Phishing simulation is recognized as best way to condition employees against phishing, especially when the simulation platform can identify the types of phishing emails and emotional triggers employees tend to fall for. This enables personalized training that makes every employee aware of their weaknesses and more alert to phishing attacks.
Cofense Can Help Protect You Against Phishing Attacks
According to Gartner, Cofense PhishMeTM, our phishing simulation platform, is the “most recognized security awareness and simulation solution” for conditioning employees and raising awareness of phishing attacks. The platform is part of a suite of solutions from Cofense that empowers employees to quickly identify and report phishing emails and in turn enable response teams to mitigate threats.
If you have responsibility for IT security, employee training, or compliance, and would like to know more about defending your business against phishing attacks, get in touch with us. Our team will be happy to answer your questions or walk you through a free demo of the Cofense suite.
Frequently Asked Questions
Phishing is a fraudulent attempt that appears to be from a reputable source to get a user to interact with a malicious mechanism. This could be a delivered via an email with a link, attachment, third-party website, or other communication platform in an attempt to gain access to personal credentials.
Phishing attack threat actors have become smarter. They may use conversational or spoofed emails, texts, or other communications from a seemingly reputable source to gain a user’s trust and then deliver malicious payloads—or lure them into a costly financial transaction.
While you cannot completely prevent phishing, you can add sophisticated phishing protection and detection technology to help identify and quarantine attacks as well a condition and train your user’s on what to look for and report suspicious messages.