Phishing attacks are easily the most common type of email attack. Cybercriminals use phishing to trick individuals or employees into giving up login credentials, account information, or personal information to help them accomplish their mission.
Phishing attacks are popular with the criminal element for a reason—they work. These malicious emails can be pretty convincing, mimicking legitimate companies or colleagues, leading to lost revenue, negative brand image, and in extreme circumstances, forcing companies to cease operations altogether.
What is Phishing?
Phishing is a type of cybercrime perpetrated through email. The email format itself can take on many guises. The objective could be to gain access to an account, give up personal information, or encourage users to download malware or click on a malicious link.
But while many phishing initiatives are sent to hundreds of recipients via bulk email, others are far more sophisticated. Today’s most successful cybercriminals tend to take a well-researched approach, using social engineering techniques designed to manipulate people on a psychological level.
Adding a dire sense of urgency often compels people to act without thinking, making it an easy way for threat actors to achieve their goals quickly and move on before the victim realizes they’ve been had.
What is Spear Phishing?
These more targeted attacks are known as spear phishing. Spear phishing leverages well-researched personal information about the recipient and could appear to come from a trusted friend, relative, colleague, or even their boss.
Spear phishing is often more successful than your average phishing attack as it is more specific. When an attack like this targets an employee at a company, it can have severe and far-reaching consequences. CEO fraud is one such example, where an email appearing to come from a boss, CEO, or higher-up directs an employee to transfer funds from an account under their control.
To prepare for the attack, the criminal does a deep dive on the company, gathering information on who controls what accounts, the chain of command, and so on. They might even pose as a vendor or a bank the company does business with, cloning the person’s email and mimicking the tone of their discourse.
Since the email looks legitimate, the employee completes the task, sometimes to the tune of millions of dollars. One such email, directed at the CFO of a German company, Leoni AG, cost the organization $40 million.
The whole process was completed in minutes, and it’s far from an isolated incident. The FBI estimates that scams using compromised email cost US businesses more than $2 billion every year.
CEO fraud can be even more destructive than other types of phishing attacks, as the information received in the course of deploying the initial attack then serves as fuel for subsequent attacks. The initiative is coordinated and well-planned, so the potential damage is exceedingly high.
How to Protect Yourself from Phishing Attacks
Learning how to recognize phishing attacks is the best way to protect yourself. As you might glean from the example above, it can happen to just about anybody. You can be the smartest person in the room or at your company, and you can still fall prey to phishing—that is, unless you know what to look for.
The best protection you can have against a phishing attack is awareness. True, these emails can be very sophisticated and challenging to detect, but there are ways to avoid taking the bait.
Here are a few tips and best practices to get you started:
- If you receive an email asking you to transfer funds or give up sensitive information, don’t take it at face value. If it seems to be coming from a colleague, contact the person in question directly (not by responding to the email) to verify the validity of the request.
- Even if the sender looks legit, check the email headers and the actual return address.
- Look for spelling and grammatical errors or even tiny differences in logos or branding.
- Do not automatically click on links; check them first to ensure they are not pointing to a fraudulent website.
- Scan all attachments for malicious code.
- Turn on spam filters and whitelist legitimate addresses.
- Enable two-factor authentication.
- Invest in an email security tool that includes phishing detection.
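Two of the tips above (checking headers and the real return address, and checking where a link actually points) can be automated as a first-pass screen. The following is an added example, not code from the original article or any product it mentions; it runs over a constructed sample message and assumes a crude two-label approximation of the registrable domain rather than a public-suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message showing the red flags the tips describe:
# a mismatched Reply-To / Return-Path and a link whose visible text
# names one site while the href goes to a lookalike domain.
SAMPLE_EMAIL = """\
From: "Jane Doe (CEO)" <jane.doe@example-corp.com>
Reply-To: jane.doe@mail-example-corp.co
Return-Path: <bounce@bulk-sender.example.net>
Subject: Urgent wire transfer
Content-Type: text/html

<p>Please review the invoice at
<a href="http://example-corp.com.invoices-lookalike.example/inv">https://example-corp.com/invoices</a>
and wire today.</p>
"""

def domain_of_address(addr):
    """Return the lowercase domain of an address header value, or '' if absent."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()

def registered_domain(host):
    """Approximate the registrable domain as the last two labels (assumption: no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def check_message(raw):
    """Return human-readable warnings for header and link mismatches in one raw RFC 822 message."""
    msg = message_from_string(raw)
    warnings = []
    from_domain = domain_of_address(msg.get("From"))
    # Tip: compare the visible sender with where replies and bounces really go.
    for header in ("Reply-To", "Return-Path"):
        other = domain_of_address(msg.get(header))
        if other and registered_domain(other) != registered_domain(from_domain):
            warnings.append(f"{header} domain {other} differs from From domain {from_domain}")
    # Tip: compare the URL shown in the link text with the href it actually opens.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>([^<]*)</a>', body, re.I):
        shown = urlparse(text.strip()).hostname
        actual = urlparse(href).hostname
        if shown and actual and registered_domain(shown) != registered_domain(actual):
            warnings.append(f"link text points to {shown} but href goes to {actual}")
    return warnings

if __name__ == "__main__":
    for warning in check_message(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

A message that passes this screen is not necessarily safe; it only catches the obvious mismatches, so the verification-by-another-channel tip still applies.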
Above all, always think before you act. Do not take emails at face value; even if you think you know where it’s coming from, there are probably slight indications that something isn’t quite right.
Protect Your Business from Phishing Attacks
Think about the source. If the message looks like it’s coming from your boss, would they really ask you to perform that task? There’s no harm in confirming, and you might just save yourself a lot of heartache.
Protecting every email endpoint in the organization is essential, which calls for an advanced email security tool that can identify, block, and quarantine even the most sophisticated spear phishing attempts.
However, no matter how good and effective your email security tools are, your first line of defense is awareness and education. Educate your employees on current threats and make sure they know what to do when they think something is “off.”
Sign up today for a full-featured 30-day free trial and give your business an added layer of protection against phishing attacks.