What Is Phishing? Types of Attacks and 6 Defensive Measures
Phishing is a form of fraud in which an attacker impersonates a reputable entity or person, via email or other means of communication. Attackers often use phishing emails to distribute malicious links and attachments that can damage a target system or further the attacker’s goals. Some can even extract login credentials and account information from a victim’s device.
Phishing is very commonly used as part of cyber attacks. It is much easier to trick someone into clicking on a malicious link in a seemingly legitimate phishing email, than it is to penetrate a company’s cyber defenses. This makes it important for any organization to understand phishing to learn how to detect and prevent it.
In this article:
- How Phishing Scams Work
- Types of Phishing Attacks
- How to Detect a Phishing Message
- 6 Ways to Protect Your Business from Phishing Attacks
How Phishing Scams Work
Phishing attacks rely on social networks or digital communication methods. Some methods use emails, while others rely on SMS text messages or direct messages sent over social networks.
Phishers can use openly available sources to gather background information about victims’ personal and professional histories, interests, and activities. They often do this through social networks such as LinkedIn, Facebook and Twitter. These sources can be used to reveal information such as a potential victim’s name, title, and email address. Attackers can use this information to create convincing phishing emails.
Victims often receive messages that appear to come from known contacts or organizations. The goal of the message is to convince the user to open a malicious attachment, click a link to a malicious website, or reply and give the attacker sensitive information. When the message lures users to a fake website, the aim is typically to trick victims into revealing personal and financial information such as passwords, account IDs and credit card numbers.
While many phishing emails are poorly crafted and obviously fake, cybercriminal groups are increasingly using the same techniques that professional marketers use to identify the most effective types of messages. As a result, phishing attacks are becoming harder to detect and prevent.
Types of Phishing Attacks
Most phishing attacks are sent via email. Scammers can register fake domains that mimic real organizations and send thousands of generic requests.
These fake domain names often contain character substitutions, such as using the digit “0” instead of the English letter “o”. Another technique is to use an organization’s name for the local part of the email address (e.g. [email protected]) and configure the email so that the sender’s name appears as “Your Bank” in the recipient’s inbox, even though the address belongs to a free webmail or unrelated domain.
There are many ways to spot phishing emails, but a clear sign is that the message asks the recipient to click on a link, download an attachment, or provide sensitive information, and creates a sense of urgency.
Spear Phishing and Whaling
Like common phishing attacks, spear phishing uses emails from trusted sources to trick victims. Spear phishing does not cast a wide net—it targets specific individuals or personas like IT managers, human resources officers, and finance professionals, who have a higher level of access within the organization.
Whaling is a similar technique, which focuses on a specific target that is very lucrative to the attacker. Instead of targeting broad groups like departments or teams, these attackers go after high-level targets like top-level executives. By impersonating senior executives such as CEOs or CFOs, attackers can convince members of an organization to disclose valuable and sensitive information to attackers.
Successful whaling attacks require highly detailed background investigations. Once the attacker has compromised a “whale’s” identity, they use that authority to convince employees and other whales to carry out actions that benefit the attacker.
Smishing and Vishing
In smishing and vishing, phone communication replaces email as the attacker’s method of communication. Smishing involves criminals sending text messages (with similar content to email phishing), while vishing involves phone conversations.
In a typical vishing scam, the criminal pretends to be a figure of authority—for example a police officer or fraud investigator. They instruct the victim to provide sensitive details, such as payment card details or proof of their identity, and might coerce them into performing actions like transferring funds.
Quishing
QR codes, or “quick response” codes, provide a contactless way to access information without typing a web address. Cybercriminals now make use of this in attacks known as quishing. Because the destination URL is encoded in an image rather than written as a link, QR codes bypass traditional defenses such as the Secure Email Gateway (SEG), which scans for malicious links and attachments.
Quishing scams typically start by sending the victim the QR code (usually via email). A common tactic is to invite people to access important content via the QR code. Victims then scan the code with their phone camera, which opens a browser and takes them to a malicious site.
Learn more in our detailed guide to Phishing types.
Clone Phishing
In a clone phishing attack, instead of impersonating a user or organization to make a specific request, the attacker copies a legitimate email previously sent by a trusted organization. However, they replace the link included in the original email with a link to a deceptive site, tricking users into entering credentials that the attacker can then use on the real site.
Pharming
Pharming is a more sophisticated attack that is harder to detect. Attackers hijack the Domain Name System (DNS) resolution that translates human-readable domain names into IP addresses. Then, when the user enters a legitimate website address, the compromised DNS server redirects the user to the IP address of the fake, malicious website.
Evil Twin Phishing
Evil twin phishing attacks use fake WiFi hotspots, which appear to be legitimate, to intercept data in transit. If someone connects to a fake hotspot, malicious actors can perform man-in-the-middle and eavesdropping attacks. This allows an attacker to collect data such as login credentials and other sensitive information transmitted over the connection.
How to Detect a Phishing Message
Due to its effectiveness, phishing is very commonly used in cybercrime. One of the most effective defenses against phishing attacks is educating users on the signs of an attack.
There are a few ways to identify phishing emails:
- Email domain mismatch—if an email claims to be from a reputable company or a trusted sender, but the email comes from a different domain, such as gmail.com or googlesupport.ru, it may be fraudulent. Attackers also use subtle differences in spelling that can make domains appear legitimate—for example, replacing o with 0 or “m” with “rn”.
- First time sender or rare sender—receiving an email from someone for the first time could be a sign of phishing, especially if they are outside the user’s organization. Many email systems warn users about new senders and encourage them to double-check their identity before proceeding.
- Urgent action or threats—users should be suspicious of emails that pressure them to click a link, call, or open attachments immediately. The email might claim that the user must act now to receive a reward or avoid punishment. This false sense of urgency is a common tactic of phishing scams.
- Spelling and grammatical errors—professional companies and organizations have full-time editorial staff to ensure that their clients receive high-quality, professional content. Emails that contain obvious spelling or grammatical errors should be treated with suspicion. These errors could be the result of non-professional writers, poor translation from foreign languages, or in some cases deliberate misspelling to circumvent spam filters.
- Non-personalized messages—the organizations a user works with typically contact them by name. If an email starts with a generic “Hello” or “Dear Sir,” this is a warning sign.
- Unexpected links or attachments—when users suspect a fraudulent email, they should not open any displayed links or attachments. Instead, they should hover the mouse over the link without clicking and verify that the address matches the expected link destination.
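As an added example (not code from the original article or from Perception Point), the following Python check applies three of the signs above mechanically: a sender domain that only looks like a trusted one after “0”/“o” and “rn”/“m” substitutions, a display name or local part that borrows a trusted brand while the actual domain does not match, and a link whose visible text names one host while its href points to another. The trusted-domain list and the sample addresses are constructed for the example.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed list of domains this organisation trusts (an assumption for the example).
TRUSTED_DOMAINS = {"yourbank.com"}
# Substitutions the article names: the digit 0 for the letter o, "rn" for "m".
HOMOGLYPHS = [("rn", "m"), ("0", "o")]


def normalize(domain: str) -> str:
    """Undo look-alike substitutions so 'y0urbank.com' compares equal to 'yourbank.com'."""
    d = domain.lower().strip()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def check_sender(from_header: str) -> list[str]:
    """Return the warning signs found in a From: header (empty list = nothing suspicious)."""
    display_name, address = parseaddr(from_header)
    local, _, domain = address.lower().rpartition("@")
    if domain in TRUSTED_DOMAINS:
        return []
    findings = []
    if normalize(domain) in TRUSTED_DOMAINS:
        findings.append(f"look-alike domain: {domain}")
    # A trusted brand in the display name or local part, but sent from an unrelated domain.
    shown = re.sub(r"[^a-z0-9]", "", display_name.lower() + local)
    for brand in (t.split(".")[0] for t in TRUSTED_DOMAINS):
        if brand in shown:
            findings.append(f"'{display_name or local}' impersonates {brand} from {domain}")
            break
    return findings


ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def check_links(html: str) -> list[str]:
    """Flag anchors whose visible text names one host while the href points to another."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip().lower()
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if not re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", shown_host):
            continue  # plain link text such as "click here" cannot be compared
        real_host = (urlparse(href).hostname or "").lower()
        if shown_host != real_host:
            findings.append(f"link text shows {shown_host} but points to {real_host}")
    return findings
```

A mail gateway or a user-reported-phish triage script can run both checks over the From: header and HTML body and attach the findings to the alert.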
Here are a few steps users can take if they believe they have received a phishing email:
- Avoid clicking any link or attachments in the email.
- Independently verify the content of the message:
  - If the email is supposedly from an organization the user works with, they should open a new browser tab, navigate directly to that organization’s website, and check the information there. Alternatively, they can call the organization.
  - If the email is from a known contact person, the user can contact them directly by calling or sending a message, to check if the request really came from them.
- Report the message to the organization’s security team, or the email provider.
- Delete the message, and if possible, flag it as a malicious or spam message in the email system.
6 Ways to Protect Your Business from Phishing Attacks
Provide Security Awareness Training
Providing training to boost security awareness can be an effective way to protect against phishing attacks because it helps employees understand the risks of phishing and how to recognize and prevent these attacks.
During security awareness training, employees can learn about the different types of phishing attacks and how they are typically carried out. They can also learn about best practices for avoiding phishing attacks, such as being cautious when clicking links or entering sensitive information online, verifying the authenticity of emails and websites before interacting with them, and reporting suspicious emails or websites to the appropriate authorities.
By understanding the risks and knowing how to identify and prevent phishing attacks, employees are better equipped to protect the organization from these types of threats.
Block Pop-ups
Disabling all pop-ups is a simple measure that can prevent some phishing attacks. Many attacks use pop-up windows to trick users into entering sensitive information. Pop-up blockers prevent these windows from appearing, so employees cannot interact with this type of lure, reducing the risk of a successful attack.
Conduct Phishing Attack Tests
Mock phishing attack tests help security teams evaluate the effectiveness of security awareness training programs and help end users better understand attacks. Even if your staff is good at spotting suspicious messages, you should test regularly to simulate a real phishing attack. After a simulation, identify gaps in the process and employee education and take steps to improve phishing security measures.
Use a DLP Solution
Data Loss Prevention (DLP) solutions are designed to help organizations prevent sensitive data from being accidentally or intentionally leaked or compromised. These solutions can help protect against phishing attacks in several ways:
- DLP solutions can monitor outgoing emails and block or alert on emails that contain sensitive information or that are suspected of being part of a phishing attack. This can help to prevent sensitive data from being inadvertently shared with attackers, and can also help to disrupt ongoing phishing campaigns.
- DLP solutions can also be configured to block access to known malicious websites, which can help to prevent employees from falling victim to phishing attacks that involve fake websites.
- DLP solutions can often integrate with other security systems, including firewalls, security information and event management (SIEM) systems, and identity and access management (IAM) tools. This can help to create a more comprehensive and effective security posture for an organization.
Avoid Using Business Emails for Personal Purposes
Using company email for personal reasons can increase the risk of a phishing attack, as attackers may be more likely to target employees who use their company email for both work and personal communications. There are a few ways in which this practice can increase the risk of a phishing attack:
- Personal emails may be more likely to contain sensitive information: This includes login credentials or financial information. If an attacker is able to access an employee’s personal email, they may be able to obtain sensitive information that could be used in a phishing attack.
- Personal emails may be less likely to be scrutinized: Employees may be more likely to trust emails that come from their personal accounts, and may be less cautious about verifying the authenticity of these emails before interacting with them. This can make it easier for attackers to launch successful phishing attacks.
By using company email only for work-related purposes and maintaining separate personal email accounts, employees can help to reduce the risk of a successful phishing attack.
Implement a Security Reporting Policy
A reporting policy can help to ensure that employees know how to report suspicious activity, such as phishing emails or fake websites. This can help to disrupt ongoing phishing campaigns and prevent other employees from falling victim to the same attack. The policy should cover:
- How to report suspicious activity: The steps employees should take to report suspicious activity, such as forwarding a phishing email to a designated email address or contacting the IT department directly.
- What types of activity to report: For example, phishing emails, fake websites, and other types of cyber threats.
- How to identify suspicious activity: Guidance on how to recognize suspicious activity, such as tips for identifying phishing emails or fake websites.
- How to handle sensitive information: Restrictions on handling passwords or financial data.
Learn more in our detailed guide to Phishing prevention.
Implement an Email Protection Solution
As cyber crimes escalate, companies need to fortify their cyber security systems even more substantially. Get ahead of these types of phishing by having a dependable email security provider, allowing your team to focus on what matters.
Start today with Perception Point’s email security platform. We offer comprehensive email security that eliminates threats before they reach your employees. Our end-to-end advanced cyber threat detection protects your enterprise against modern-day phishing scams.
Stay on top of the latest email security trends through our other blog posts and resources.