Practically every business in the world is vulnerable to phishing. According to Proofpoint’s 2022 State of the Phish Report, 83% of respondents fell victim to a scam attack last year.
What makes phishing so frustrating is that most of us know what it is and how it works, but we still get caught out.
Scammers have a handful of tricks up their sleeves to fool people into clicking malicious links or handing over their personal information, and they use the same approach time after time.
Each phishing campaign might differ superficially – with the pretext referring to one organisation or another – and the attackers’ finding new ways to bypass security filters, but their phishing techniques rarely change.
Unfortunately, these slight adjustments are often enough to catch us out. Thanks to timeless strategies or carefully orchestrated social engineering tactics, each new campaign looks genuine enough to trick overworked or negligent employees.
We help you see through fraudsters’ tactics in this blog, as we take a look at five of the most common phishing scams that you’re likely to receive.
1. Email phishing
Most phishing attacks are sent by email. The crook will register a fake domain that mimics a genuine organisation and sends thousands of generic requests.
The fake domain often involves character substitution, like using ‘r’ and ‘n’ next to each other to create ‘rn’ instead of ‘m’.
In other cases, the fraudsters create a unique domain that includes the legitimate organisation’s name in the URL. The example below is sent from ‘[email protected]’.
The recipient might see the word ‘Amazon’ in the sender’s address and assume that it was a genuine email.
There are many ways tospot a phishing email, but as a general rule, you should always check the email address of a message that asks you to click a link or download an attachment.
2. Spear phishing
There are two other, more sophisticated, types of phishing involving email.
The first, spear phishing, describes malicious emails sent to a specific person. Criminals who do this will already have some or all of the followinginformation about thevictim:
- Theirname.
- Place of employment.
- Job title.
- Email address;and
- Specific information about their jobrole.
You can see in the example below how much more convincing spear phishing emails are compared to standard scams.
The fraudster has the wherewithal to address the individual by name and (presumably) knows that their job role involves making bank transfers on behalf of the company.
The informality of the email also suggests that the sender is a native English speaker and creates the sense that this is a real message rather than a template.
3. Whaling
Whaling attacks are even more targeted, taking aim at senior executives. Although theendgoal of whaling is the same as any other kind of phishing attack, the technique tends to be a lot subtler.
Tricks such as fake links and malicious URLs aren’t helpful in this instance, as criminals are attempting to imitate senior staff.
Whaling emails also commonly use the pretext of a busy CEO who wants an employee to do them a favour.
Emails such as the above might not be as sophisticated as spear phishing emails, but they play on employees’ willingness to follow instructions from their boss.
Recipients might suspect that something is amiss but are too afraid to confront the sender to suggest that they are being unprofessional.
4. Smishing and vishing
With bothsmishingand vishing, telephones replace emails as the method of communication.
Smishinginvolves criminals sending text messages (the content of which is much the same as with email phishing), and vishing involves a telephone conversation.
One of the most common smishing pretexts are messages supposedly from your bank alerting you to suspicious activity.
In this example, the message suggests that you have been the victim of fraud and tells you to follow a link to prevent further damage. However, the link directs the recipient to a website controlled by the fraudster and designed to capture your banking details.
5. Angler phishing
A relatively new attack vector, social media offersseveralways for criminals to trick people. Fake URLs; cloned websites, posts, and tweets; and instant messaging (which is essentially the same assmishing) can all be used to persuade people to divulge sensitive information or download malware.
Alternatively, criminals can use the data that people willingly post on social media to create highly targeted attacks.
As this example demonstrates, angler phishing is often made possible due to the number of people containing organisations directly on social media with complaints.
Organisations often use these as an opportunity to mitigate the damage – usually by giving the individual a refund.
However, scammers are adept at hijacking responses and asking the customer to provide their personal details. They are seemingly doing this to facilitate some form of compensation, but it is instead done to compromise their accounts.
Your employees are your last line of defence
Organisations can mitigate the risk of phishing with technological means, such as spam filters, but these have consistently proven to be unreliable.
Malicious emails will still get through regularly, and when that happens, the only thing preventing your organisation from a breach is your employees’ ability to detect their fraudulent nature and respond appropriately.
Our Phishing Staff AwarenessCourse helps employees do just that, as well as explaining what happens when people fall victim and how they can mitigate the threat of an attack.
This online courseuses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.
You and your team will receive the expert guidance you need to detect phishing attacks and respond appropriately, protecting your organisation from a costly data breach.
The course content is updated quarterly to include recent examples of successful attacks and the latest trends that criminals use.
Get started
A version of this blog was originally published on 9 July 2019.