One of the greatest security risks to your business is one that can slip through your door unnoticed. It lurks in emails, text messages, mysterious phone calls, and unsolicited visitors. And as technology evolves, it evolves as well. The risk? Phishing attacks. Inflicting millions of dollars worth of damage to businesses each year, phishing is a pervasive problem from which no business is immune, no matter how big or small. In this article, we’ll discuss what phishing is, how it works, popular phishing attacks, and most importantly, steps you can take to prevent them from doing damage to your company.
What is Phishing?
Simply put, phishing is a process that hackers engage in to gain access to sensitive information. Depending on the goal of the attack, hackers may depend on trojan malware or ransomware being installed on computers; other times, their targets may offer information freely, unaware they’re even being manipulated. While phishing attacks are typically attempted via email, they can also be performed over the phone, through text messages, over social media, and even in person. The ultimate goal of phishing is to trick the victim into doing what the scammer wants them to do.
A brief history of phishing
The strange spelling of “phishing” isn’t an accident. In the 1980s, some of the first underground “hacker” communities, notorious for their ability to reverse-engineer phones in order to make free phone calls, were known as “phreakers” (phone+freaks). The “ph” at the beginning of the term “phishing” signifies the cultural link between the old phreaker communities and modern-day hackers, though the term “phishing” didn’t formally emerge until the mid-1990s.
The first known phishing attack took place in the mid-1990s in an effort to steal usernames, passwords, and credit card information. At the time, America Online (AOL) was one of the most popular internet service providers and offered internet access to millions of Americans. Spotting the opportunity for a massive payday, hackers discovered a way to steal passwords and create randomized credit card information using fancy algorithms. When they were caught, they changed their mode of operation. In the first known instances of email phishing, hackers posing as AOL employees began sending emails to users. In these emails, they asked users to verify their account and confirm billing information. Since this type of attack was so new, the hackers’ victims didn’t know any better. AOL was eventually forced to begin warning users of these schemes.
While phishing emails are still an effective form of hacking for attackers today, other methods of acquiring sensitive information quickly emerged. In the early 2000s, hackers began creating copycat websites for banking institutions and popular eCommerce websites in order to gain access to personal and financial information. Over time, different forms of spyware and malware developed as a way to maliciously and covertly get access to private data in addition to, and in conjunction with, phishing attacks.
Phishing as a business IT risk
As technology evolves and new systems of communication are employed around the world, hackers continue to create and optimize their phishing strategies. The FBI estimates that phishing scams cost US businesses an average of $5 billion annually, with thousands of companies being victimized each year. While the aim might be the retrieval of personal data or to plant ransomware, these attacks can also be a way to get a foothold on corporate or government networks in an effort to perform a larger attack in the future. Stolen information can be used for identity theft, trading information on the dark web, blackmail, or even for espionage. And believe it or not, only 3% of hacking attempts exploit technical flaws in computer systems. It’s reported that 97% of phishing attempts are part of a larger social engineering scheme. In fact, 77% of these successful attacks begin with a single phishing email.
How phishing works
While phishing might appear to be a fairly straightforward process, it is more than a simple email or message from a stranger. Let’s briefly review the three main stages of a phishing attack and then discuss the role malware plays in helping attackers access sensitive information.
The 3 Stages of a Phishing Attack
In its simplest terms, think of a standard phishing attack occurring in three stages: bait, hook, and catch.
1) Bait
In this first stage, hackers prepare the “bait” for their attack. Depending on the sophistication and style of attack, they may do varying levels of background research on their targets. Most phishing attempts are “quantity over quality,” meaning attackers simply scrape the internet for email addresses to create bulk lists of tens of thousands to millions. In some cases, phishers are more targeted and their research is more involved, meaning attackers conduct detailed research into behaviors, hobbies, and known associates, or determine where their targets work or live. Again, preparation and research depend on the type of information they are after. If attackers want to perform a quick financial scam, they might only need access to your email address and thousands of others. If, however, they’re looking to initiate a more involved social engineering scheme, attackers may spend weeks doing background research in order to more effectively imitate a known or reputable contact or communication source.
For example, let’s assume you operate a B2B business that ships medical equipment to urgent care centers in the rural Southwest. While preparing the bait for a phishing attempt, an attacker might discover a list of suppliers you frequently source from and then make an effort to imitate one of those suppliers. They could do this by using an email address similar to that of your point of contact at that supplier, any formatting the company might use in its emails (like HTML headers), that person’s usual email signature, etc.
2) Hook
Once an attacker has prepared the bait, it’s time to prepare the hook and cast the lure. Phishing attempts usually require targets to perform a specific action (e.g., click a link, download a file, reply to an email). In an effort to get them to respond immediately, attackers create a false sense of urgency. The intent is often to manipulate their victims into acting quickly without thinking. Again, most phishing attacks are broadly targeted at thousands of people, so hooks are often as simple as “you have a payment past due” or “you have yet to reclaim your refund” style emails, sometimes from companies and vendors you recognize as ones you work with or buy from, sometimes not.
To continue our example of the rarer, more targeted style of phishing from above, let’s assume the attackers effectively imitate one of your medical equipment suppliers and send you a completely legitimate-looking email indicating there’s a problem processing your payment on file. They continue by asserting that in order to get the shipment out the door in the next hour for on-time delivery, they need you to re-enter your billing information via a “secure page” (that they also created based on their background research to mimic your actual supplier’s website).
3) Catch
After the attacker has performed their research and baited their hook, they wait for their targets to take the bait. The attacker’s next steps depend on the nature of the phishing attempt. Most of the time, this means simply waiting for a few thousand targets to click a link in their bait email. From there, they’ll either get credit card or banking information (e.g., the link goes to a website that asks for this information under the guise of needing to issue a refund or get a payment), or secretly install malware on their targets’ computers to get this sort of information when they enter it into a legitimate site later. Sometimes they’ll be phishing for more information to gain access to your email inboxes or company databases, or they might be seeking banking information in order to perform financial fraud.
To conclude our example of a targeted phishing attack from above, say you receive the email from the attacker. After quickly reading through the email, you recall that the urgent care location mentioned in the email had recently placed an order. Without thinking about it, you click the link in the email and enter your credit card information to ensure on-time delivery. With this information captured, the hacker can now make fraudulent purchases using your corporate credit line.
While it seems overly simplistic, almost all phishing attacks follow the “bait, hook, and catch” pattern. This basic approach to phishing schemes is all that it takes for an attacker to easily gain access to sensitive information.
Malware
Many phishing schemes depend on malware to assist attackers in acquiring the information they’re after. This can include viruses, trojan horses, ransomware, and spyware. Let’s briefly take a look at each type of malware and how a hacker can use them.
- Virus – computer viruses work by attaching themselves to an actual program or document in order to execute their code. Many times, viruses depend on macros (specific automated input sequences, like keyboard shortcuts) in order to operate. Attackers might use viruses to corrupt a computer system or intentionally destroy data.
- Trojan horse – a Trojan horse, or simply “Trojan,” appears to be a legitimate piece of software or a document; however, buried deep within it is malicious code designed to wreak havoc. Like viruses, Trojans are built to disrupt or damage systems and inflict damage on your network.
- Ransomware – ransomware is software specifically developed to encrypt data, block access to a computer or network, and lock it down until a ransom is paid. Ransomware must be downloaded onto a computer, so it’s often hidden in email attachments or even fake advertisements on websites. Once the ransomware is activated and a ransom has been paid (e.g., in cryptocurrency), hackers restore access to blocked data. Ransomware attacks occur every 40 seconds and the FBI estimates there are nearly 4,000 ransomware attacks every day. What’s worse, 20% of victims never get their data back.
- Spyware – spyware is malicious software designed to operate on your computer or mobile device without you being aware. It gathers information about you including emails you send and receive, websites you visit, username and password information, and more. Like other malware, spyware often piggybacks on other legitimate programs, lurks unsuspected in email attachments or marketing advertisements, or appears safe like a Trojan. However, spyware can also attach itself to your system via other security vulnerabilities, such as software bugs. Spyware is difficult to remove because it is difficult to identify. Your computer or mobile device could be infected and you likely won’t even know it.
Common types of phishing attacks
Phishing attempts are typically a part of a larger social engineering scheme, an effort to manipulate, influence, or deceive targets into doing the attacker’s bidding. As a result, there are many ways attackers can accomplish their objectives. Now that we’ve covered the basics of what phishing is and how it works in general, let’s take a look at some of the most common types of phishing attacks.
Emails
Phishing has its origins in email, and it makes sense – it’s an indirect medium that makes it easy for attackers to quickly deceive their targets. Estimates project there are nearly 270 billion emails sent every day with roughly 135 million of those being phishing attempts. There are several ways attackers leverage phishing emails to deceive their recipients. Let’s briefly look at a few of them:
- Lucrative offers – if it’s too good to be true, then it probably is. Lottery winnings, free products, massive inheritances, or other lavish prizes are offers designed to grab your attention so you’ll open the attacker’s email.
- Sense of urgency – with most phishing attempts, the idea is to get you to react quickly without thinking about it. In order to do that, attackers try to create a false sense of urgency to provoke a response. They may pose as your bank and threaten to freeze your account, encourage you to make a payment to a “utility company” before time runs out, or something similar.
- Attachments – attachments are a feature of many phishing emails. As mentioned above, they can contain different forms of malware designed to harm your system. If you receive an email with an attachment and you don’t know the sender or it seems at all suspicious, don’t open it!
- Hyperlinks – many phishing attacks don’t need you to reply to the email as much as they need you to click a URL link inside of the email. The websites these links take you to may look like a legitimate website (e.g., your company’s financial institution) but they’re really imitation websites designed to capture personal information.
Websites
As demonstrated above (e.g., AOL), attackers can effectively use imitation websites to accomplish their objectives. Whether it’s a website for a popular banking institution, eCommerce site, or social media platform, attackers are incredibly skilled in finessing an imitation website to look like the real thing. The differences are usually subtle. One character might be different in the URL or a pop-up window may immediately appear when it doesn’t normally. Internet Explorer, Mozilla Firefox, and other web browsers offer plug-ins or extensions that can help you easily identify phishing websites.
Smishing
Another channel growing in popularity for phishing attacks is mobile messaging applications. These include native apps on Apple and Android devices as well as Facebook Messenger and WhatsApp. SMS phishing, also known as “Smishing,” works like other phishing attempts. The attacker creates their bait (fake offer > URL), sends it to their target via an SMS message (hook), and waits for a response. Once the victim clicks the link (catch), it operates like other phishing attacks. For example, an attacker might send an “automated” message indicating you have a delivery package on the way with a URL to track the delivery. However, when you click the URL, it takes you to a fraudulent website or even downloads malware. That is just one more reason implementing effective mobile device security is essential for today’s SMBs.
Vishing
When a phishing attempt occurs over the telephone, it’s referred to as “vishing.” Attackers pose as an employee or representative of an actual company and make an effort to acquire their target’s personal information. While senior adults are common targets of vishing attacks, unsuspecting and untrained employees at every level of your business can quickly become the victim of a vishing attempt. If someone calls you and begins asking for personal or sensitive business information over the phone, ask them if you can call them back. Cross-check the number online and see if it’s been reported for scams or if it’s a legitimate number for the business that’s calling. And if someone you’re unfamiliar with emails you and asks you to call them at a certain number, do an online search to verify its legitimacy. A little bit of research can go a long way in preventing you or your business from falling victim to a vishing attempt.
Social media
Social media platforms are a popular medium for phishing attempts. These include Facebook, Twitter, Instagram, TikTok, Snapchat, YouTube, and more. Scammers create fake profiles, sometimes posing as well-known influencers, and then approach their targets via direct messaging tools on these platforms. While fake profiles for celebrities are quickly flagged, for lesser-known individuals, that is not the case. Scammers can be known to operate a social media profile for years before making a phishing attempt. Over time, they create a false sense of trust and authority with their followers that they then use to their advantage. The social media accounts of most celebrities and influencers are verified via the platform and are easily identified. But be wary of direct messages asking for money, asking you to click through to a URL, or asking you to download an app. Social media accounts are notorious for being hacked, so even if a message is from someone you know, as with phishing emails, be quick to identify suspicious or out-of-character behavior.
Spear-phishing
One of the more sophisticated types of phishing attempts is known as “spear-phishing.” This type of phishing attack is aimed at a specific individual or group. When directed at a CEO, CFO, or another high-level employee of a company with access to sensitive information, it’s also referred to as “whaling.” In this type of attempt, attackers don’t send generic phishing emails or messages to their targets. Instead, they customize everything to the individual they’re targeting. They may pose as a legitimate vendor the organization uses or a person the CEO or CFO knows professionally. The more detailed and specific the attacker can be, the higher their chances of success. Again, the goal is to get the victim to unsuspectingly do the bidding of the attacker. Spear-phishing can yield significant losses for a business. When scammers successfully pose as legitimate sources, they can con victims into wiring large sums of money into their accounts. This is called Business Email Compromise, and it’s reported that businesses lose nearly $700 million every month to these types of scams, which often begin as a spear-phishing attempt.
How to prevent phishing attacks
While they pose a significant risk to your business, there are several steps you can implement to help mitigate phishing attacks targeting your company. Let’s take a look at a few of them below.
1) Security Awareness Training
Your best line of defense against phishing attacks is continued education. Phishing attempts are only successful because of human error, which means your employees need to be taught how to spot them before they fall victim to an attack. Conduct regular security awareness training, including enrolling your employees in courses that help them identify phishing attempts. As a part of this training, you can even conduct phishing simulations to help them understand how they should respond in real-world situations.
2) Email Security
In addition to security awareness training, bolster your email security. Be certain spam filters are active on email accounts across your network, make it easy for employees to report phishing scams, and be zealous when it comes to password security.
3) Disable Macros
A popular way for attackers to install malware or spyware on your computer is by delivering a Microsoft Office document that requires macros to run. Macros are shortcuts or specific keystrokes that make routine commands easier to implement (e.g., print, save, undo). By disabling macros, you mitigate the risk of malware being unsuspectingly installed on an enterprise device in case an employee accidentally opens an infected attachment. Be sure to make this a default setting and enforce it in your group policy.
4) Implement Multi-Factor Authentication
Another effective step in protecting yourself from being hacked via phishing attempts is to enable multi-factor authentication on all accounts. In the event you do fall victim to a phishing attack and accidentally hand over your email address and password, you have a second line of defense since you need another device in order to authenticate access. Microsoft reports this simple tactic blocks 99% of attempted hacks.
5) Encrypt Sensitive Data
Encryption converts all the data on your network and devices into something only accessible via an authentication key. By encrypting your data, you provide an additional layer of security in the event you’re compromised due to a phishing attack.
6) Employ SSL Certificates
Secure Sockets Layer (SSL) certificates indicate information transmitted between a user and a website is encrypted and secure. These certificates are identified by “https://” at the beginning of a URL address. Other times, it’s indicated by a lock or the word “secure” in the browser bar. Websites without encryption only have “http://” at the beginning of the URL address and often read “not secure” in the browser bar. If your company’s website collects any sort of personal information from its users (emails, passwords, credit card information, etc.), you need an SSL certificate to ensure their information is transmitted securely. Additionally, Google now uses SSL as a ranking signal. Without one, your website will be harder to find in search results.
7) Provide Securely Hosted Payment Pages
In addition to SSL certificates, if your business collects payment information via the web, it’s important to provide securely hosted payment pages (HPP) for your users. These are typically hosted by a third party and can either be embedded into your website or redirect users to a secure platform to process payments. An HPP is already secure and PCI-certified, keeps sensitive credit card information from passing through your servers, and reduces your liability in the event credit card information is stolen.
8) Ensure Security Policy Covers Phishing Prevention Measures
Lastly, ensure your security policy clearly covers phishing prevention measures. This includes requiring security awareness training, establishing password requirements, mandating two-factor authentication, and policies regarding mobile device security.
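An added example (not from the original article) that complements the Disable Macros measure: it flags Office attachments that carry a VBA macro project before anyone opens them. It assumes attachments arrive as filename and bytes pairs; the function names and sample files are constructed, and the part-name check is a heuristic based on the conventional OOXML layout.

```python
import io
import zipfile

# Extensions Office uses for macro-enabled OOXML files.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam",
                    ".pptm", ".potm", ".ppsm")
# Signature of the legacy binary container used by old .doc/.xls/.ppt files.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def macro_findings(filename, data):
    """Return reasons an attachment should be held before anyone opens it."""
    name, findings = filename.lower(), []
    if name.endswith(MACRO_EXTENSIONS):
        findings.append("macro-enabled extension")
    if data.startswith(OLE_MAGIC):
        findings.append("legacy OLE file: macros cannot be ruled out by this check")
    elif zipfile.is_zipfile(io.BytesIO(data)):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                # By convention the VBA project is stored as */vbaProject.bin.
                parts = [n for n in archive.namelist()
                         if n.lower().endswith("vbaproject.bin")]
        except zipfile.BadZipFile:
            return findings + ["corrupt archive"]
        if parts:
            findings.append("contains VBA project: " + ", ".join(parts))
            if not name.endswith(MACRO_EXTENSIONS):
                findings.append("macro content under a non-macro extension")
    return findings


def triage(attachments):
    """Split {filename: bytes} into names to deliver and findings to hold."""
    held = {n: f for n, d in attachments.items() if (f := macro_findings(n, d))}
    return sorted(set(attachments) - set(held)), held


def build_sample(parts):
    """Constructed test input: a minimal zip holding the given part names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for part in parts:
            archive.writestr(part, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    with_macro = build_sample(["word/document.xml", "word/vbaProject.bin"])
    without = build_sample(["word/document.xml"])
    deliver, held = triage({"invoice.docx": with_macro, "report.docx": without})
    print("deliver:", deliver)
    print("hold:", held)
```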
Summary
Phishing is intentionally designed to trick, manipulate, and force an attacker’s targets into surrendering personal and sensitive information. Sometimes phishing attacks are quick financial ploys, whereas other times, they are a small piece of a larger social engineering attack to bring down an enterprise. It’s vital for your small business to proactively train its employees to identify phishing attempts and stop them in their tracks, including establishing detailed security protocols to mitigate the risk of exposing sensitive data. To summarize:
- What is phishing? Phishing is the process that hackers engage in to gain access to sensitive information. These scams victimize companies of all sizes and cost US businesses an average of $5 billion per year.
- How does phishing work? Standard phishing attacks occur in three stages: bait, hook, and catch. Many phishing schemes depend on malware to assist attackers in acquiring the information they’re after, including viruses, trojan horses, ransomware, and spyware.
- Types of phishing attacks – Typically, phishing attacks are attempted via email or fake websites imitating other popular sites. Hackers might also use SMS messages, voice calls, social media apps, or more targeted initiatives, called spear-phishing.
- How to prevent phishing attacks – Effective ways to mitigate risks associated with phishing include Security Awareness Training, heightened email security, disabling of macros on popular software programs, and implementing multi-factor authentication. Companies can also encrypt sensitive data, enable SSL certificates on websites, host secure payment pages, and strengthen security policies.