Cybercriminals use increasingly sophisticated methods to steal data and commit fraud. Yet, it’s often the most straightforward scams that prove most lucrative. Phishing scams are among the most common types of fraud. A successful phishing scam against your business could subsequently lead to data breaches and all the associated consequences.
IBM says the average cost of a data breach is almost $4 million.
Worryingly, despite businesses investing significant sums in training and awareness programs for their teams, Verizon says users open nearly a third of phishing messages. Unfortunately, we don’t know how many of these lead to someone clicking a link or sharing sensitive information. However, this is likely to be a considerable proportion of recipients, too.
What is phishing?
Phishing is a type of fraud most often categorized as a cybercrime, as they often occur via email, text message or social media. However, phishing can also happen over the phone, either in person or by automated robocaller systems.
Phishing involves criminals posing as legitimate businesses or persons to get you to part with sensitive details. Often criminals are after your bank or credit card details, or information like passwords. Crucially, phishing scams don’t necessarily need you to give details for them to work. For example, merely opening a scam email or text message can be enough to trigger malware that subsequently harvests saved passwords from your web browser.
Once scammers have the data they want, they use this for financial gain. Criminals may sell the information on to other criminals or try to use your details themselves to make purchases or transfer cash out of your bank.
Top six most common methods of phishing
You and your colleagues need to be aware of the following popular phishing techniques cyber criminals employ to better protect your organization against attack.
1. Email phishing
Most phishing scams happen via email. We’ll look into how to recognize such scams shortly. It’s also worth knowing about specific types of targeted phishing, like the next two techniques.
2. Spear phishing
Spear phishing is a targeted scam, which often takes place in two parts. After acquiring information about you, scammers will send malicious communication. Sometimes a direct threat, highlighting the things they already know about you.
Spear phishing scams are designed to scare you into sharing additional information with the cybercriminals.
Whaling is a specific type of phishing targeting senior-level employees.
It’s often subtle and will be done by criminals impersonating other people in senior roles, like accountants or lawyers, or even colleagues.
This is the specific name given to phishing scams conducted by SMS message.
Vishing, or voice phishing, is the name given to phishing scams that take place over the phone.
6. Angler phishing
Angler phishing is a scam that typically sends malware via social media platforms’ direct messaging functions. Social media users might be sent fake URLs or be told they’ve been mentioned in a status update and when they click, the link downloads malware to their device.
Have you ever got a weird “$50 discount at Wal-Mart” from a friend? If so, this is because they’ve probably fallen for an angler phishing scam that has enabled the criminals to send it to all their friends and connections.
How to recognize an email phishing scam
Have you ever got an email claiming to be from the IRS, PayPal, or Netflix that clearly didn’t come from them?
This is a phishing scam!
Phishing scams to business email addresses will often be from various sources. Most people don’t use their business email for Netflix. Such a fraud would therefore be pretty obvious and easy to spot.
Although the “best” phishing scams look legitimate, which is why they’re often so successful, there are many common characteristics that will help you recognize them.
Here’s what to look out for:
1. What time was the email sent?
Did you receive an email supposedly from a colleague in the same time zone at 1 a.m.? While many of us love the flexibility of working from home, if you don’t usually receive emails from this person at such an hour, this is potentially phishing. Solutions such as UEBA help organizations to automatically detect this kind of unusual behavior.
2. What does the subject line say?
Phishing scams often use subject lines that look like replies to get you to open them. Look out for subject lines like “RE: Your last message.” If you receive an email with such a subject line and you didn’t send an initial email to the person or organization it’s from, delete it. Chances are this is a phishing scam that will attempt to install malware on your system as soon as you open the email.
Another common trick is for scammers to use “clickbait” style subject lines but for the email content to have nothing to do with the subject. Use preview features on your email program so you can identify and delete these straight away if they make it to your inbox.
3. Look out for these content red flags
Phishing emails often use some or all of the following tactics:
- Offering something that you weren’t expecting but it is plausible that you could receive, like a refund on a specific product or service.
- Offering something too good to be true, such as emails where someone’s uncle died and left $30 million that they wanted to share with you.
- Calls to action toward a dubious link.
- Contain information about you to unnerve you into taking action. One phishing scam might often obtain commonly used passwords. A second will follow up, making it clear they know your passwords and demand cash.
4. Are there attachments?
Attachments are often the biggest red flag from a business perspective, particularly when businesses work exclusively in the cloud.
If your business has a policy of using OneDrive or Dropbox, but a “colleague” sends physical attachments, it’s probably phishing.
If you typically send attachments, look out for unusual file types or receiving files you didn’t ask for.
5. Where will the hyperlinks take you?
Some phishing scams make themselves obvious by including long text hyperlinks for you to click.
Where a scam is more sophisticated and masks a link with a call-to-action button, you can still hover over the button to see where the link will take you.
Look out for;
- links that will take you somewhere different from where the email says it will.
- links that have typos in them, often to appear legitimate.
- emails that include links and no other content or information.
If you do click a link, you’ll often be taken to a website that looks like a poorly designed version of the real thing. It’s easy to put up a website page that looks like PayPal, but there’ll often be flaws that indicate it isn’t a legitimate website.
6. Who else was the email sent to?
Phishing emails are often sent to thousands of people at once. Usually, you can see the recipients in the CC area.
Look out for emails where you’re CC’d into something you didn’t ask or sign up for and can see everyone else’s email address.
7. Where did the email come from?
The source of the email is often a dead giveaway that you’re looking at a phishing scam!
Look out for emails that;
- are from an unusual email address, someone you don’t know, or someone with whom you wouldn’t ordinarily communicate.
- are from outside your company and are unrelated to your job role.
- appear to be from an internal email address but seem unusual or out of character.
- come from suspicious-looking email addresses.
Remember to look at the sender’s email in the “From” box and not who your email client says it is from. Some programs even allow scammers to put legitimate email addresses as their own, so you will need to be doubly vigilant.
How to recognize SMS and telephone phishing
SMS phishing in a business context is easy to spot. How often does your CEO send SMS messages asking you for figures or specific information?
You should also look out for messages;
- from unusually long phone numbers.
- that say you’re entitled to a refund of some description.
- that ask you to reactivate or validate a product or membership.
Telephone phishing typically involves a call from someone pretending to be from a specific organization and asking for you to confirm things like bank details or passwords to “clear security.” Legitimate callers will never ask for this information over the phone, so hang up. Criminals will often use robocallers and fake call ID data to make a call seem legitimate. If criminals know your location, it is also common for them to call from a “local” number to increase the chances of you taking the call.
Why do phishing scams increase during times of uncertainty?
In 2020, there was a significant increase in phishing scams owing to the COVID-19 pandemic.
Periods of uncertainty and crisis are the perfect time for cybercriminals to exploit anxiety among people. If individuals have been laid off from their jobs and are struggling for cash, the chances they’ll click on a link promising them a tax refund increases massively.
Businesses, especially in the finance sector and government organizations also typically see more phishing attempts during such times. Increased applications for loans, for example, put more significant pressure on lenders, who in some cases may not be as diligent as they usually are. The increased pressure makes them vulnerable both to phishing and other types of cybercrime.
How to prevent phishing attacks and falling victim to scams
Whether you’re reading this guide in a personal or business context, the ways to prevent phishing attacks and falling victim to such scams are similar.
In addition to having an awareness of what these scams look like, as detailed earlier, ensure you have the following in place:
- Email spam filters, which will stop most phishing from reaching your inbox. However, cybercriminals are increasingly skilled at getting around filters, so you must remain vigilant.
- An up-to-date security system for your devices or network. In a business context, if your teams work remotely or use work functions on their mobile devices, you should insist they have adequate protection on these, too.
- Use tools like Should I Answer? and similar apps to identify potentially fraudulent incoming calls and SMS messages.
- Set up multi-factor authentication on all accounts where possible. Even if scammers do acquire access data, they may struggle to use it.
- Limit access to sensitive data to as few people as possible in your business. The fewer people who can be targeted by scammers for gain, the less likely you are to have someone fall victim affecting your business.
- Create backups of your data and ensure you store them independently from your main home or business network.
Businesses should also ensure specific policies are in place to reduce levels of risk, including using software to monitor all emails received from outside an organization, such as from freelancers or contractors, and having a “no attachments” policy.
What should you do if you receive communication you suspect is phishing?
The best thing to do is to delete the communication immediately and not interact with it in any way. Ensuring email preview features in your mail client are switched on will enable you to identify potential phishing without opening an email and triggering a malware download. Mark the email as spam in your email client, too.
If you receive a suspicious-looking email from a source that you might expect to hear from, you shouldn’t click a link or call any numbers in the email. Instead, go directly to the website and log into your account to check any messages or take whatever action the email says. If the communication was legitimate, you will be able to perform the necessary action upon logging in. If there is nothing to do with your account, you know the email was a scam.
If your business has a specific internal system or policy for manually reporting a phishing attempt, notify this via the appropriate means.
What should you do if you respond to an email or another communication you later realize is a phishing scam?
If you have opened an email that you subsequently realized was phishing, you should run an immediate security scan. If your security software is up to date, any malware download will likely have been blocked anyway.
If you have submitted information to a website you believe to be a scam, you should take action depending on what you submitted. You might need to notify your bank or credit card provider, who may block your card or place an alert on your account to perform additional checks for unusual activity. If you’ve submitted something like a password or used a specific password to “sign-in” to a phishing site, change the password for this site and any other site where you use the same password.
As with receiving a communication, if you’ve submitted any business or customer data and suspect you’ve been scammed, you should report this via your internal procedures.
Don’t fall victim to phishing scams!
Here at LogPoint, we can help you protect your business and team members from phishing scams. From common scams like CEO fraud to phishing scams that target the customer data you hold, find out more about how our SIEM solution can stop your business from falling victim to fraud.