5 Types of Phishing and How To Spot Them A Mile Away
When most people hear the term "fishing", they picture being out on the water with some bait and a friend, taking in the sights while reeling in some big ones. Phishing with a "ph" is much less pleasant, and with this type of phishing, you and your employees become the ones that have to be careful not to take the bait. Learn more about what phishing is, various types of phishing, and an easy way to prevent phishing attacks and hacks within your company.
What is Phishing?
Phishing is a method cybercriminals use to obtain personal information, such as usernames, passwords, and even social security numbers, from unsuspecting victims by posing as a trustworthy entity. There are numerous phishing tactics, and cybercriminals have begun employing even more complicated tactics to appear credible and steal information that can be sold to other cybercriminals or used to steal individuals' identities.
Although "phishing" is admittedly a silly name for these types of cyber attacks, the actual practice of phishing is no joke. Numerous companies have accidentally handed over information to hackers that resulted in millions of dollars of lost revenue, but taking time to learn more about phishing can protect you from these types of attacks.
Although there are dozens of specific strategies cybercriminals may employ, here are six of the most common ones to watch out for:
1. Email Phishing
John is having a typical day at work, when he receives an email from an unknown email address. The subject is "Urgent" and the body of the text states that the person emailing is from the IT department. This "IT professional" requests that the recipient clicks the link within the body of the email that will take him to a login page, where he is to enter his credentials. Failure to do so, the email states, could result in the recipient being locked out of his account for several days, which would make getting any work done impossible.
John obliges, not knowing the link was actually to a fake login setup by a hacker, who now has his login information and can use it to obtain personal information. Hundreds of other people in the company received the same email, and a dozen or so obeyed its orders, compromising their accounts.
The above scenario is an example of the most common type of phishing, email phishing. This is where a hacker sends out a mass email that appears to be from a real person or organization, asking the recipient to click a link, respond with information, or open an attachment. These types of attacks are often nicknamed "spray and pray" due to the fact that the hackers hope several people among the sizable email list they used will respond.
2. Spear Phishing
Martha, the supervisor for the Quality Assurance branch of the company, finds an email in her inbox with the following message:
My name is Rebecca Smith, and we met at the fundraising gala last month. I have a picture of you talking to one of our largest donors, and I would like to put it in our fundraiser's newsletter next month. Would you please view the picture I have attached to this email and let me know if you're willing to let me use it?
The above email is part of a spear phishing attack, where a hacker personalizes emails and sends them to a select few individuals with more specific information to appear more legitimate. This hacker may have seen on Martha's LinkedIn page that she attended a gala last month, making it seem like a credible request.
Patricia, the CEO of the company quickly scans her email and sees a message that her company is getting sued for fraud, a very serious allegation that fills her with anxiety. The email encourages her to click on the link to learn more information about the lawsuit in order to prevent it from getting worse. Wanting to be proactive for the sake of her company, she clicks the link.
This type of attack is referred to as whaling, as it attacks higher ups in a company to seize even more sensitive information than lower level employees. Every employee within an organization must be careful about how they use their email, but business owners and other higher-ups must take email security even more seriously to avoid becoming the victim of a whaling attack.
4. Business Email Compromise
Now that the hacker has Patricia's login name, thanks to the link she clicked about the lawsuit, the hacker can now email other employees from her account. The employees, of course, think these emails are legitimate requests from Patricia to provide sensitive information or wire money to accounts like they would on a normal business day.
Business email compromise, sometimes known as CEO fraud, can be a particularly dangerous form of phishing, as it can be difficult for employees to notice that the emails are fake when they come from their boss, or an email address that looks just like a higher-up's. This type of phishing is very sophisticated, and email threat protection software is less likely to catch and prevent dangerous emails like these from spreading.
5. Clone Phishing
Robbie gets an email from one of his favorite stores that provides a 20% coupon on his next purchase. A few minutes later, he receives an exact replica of that email in his inbox that also contains the message, "this is a duplicate email due to errors with links and attachments. Please disregard the previous email and use the coupon from this one instead." Robbie shrugs it off, and clicks on the attachment that contains what he thinks is his coupon, but actually gives a hacker access to his computer and files.
Clone phishing is perhaps one of the most difficult types of phishing to detect, especially when they contain exciting offers and you just received an email from the credible source a few minutes earlier.
Preventing Phishing Attacks With Zix
Phishing attacks are scary for individuals and companies as a whole, but its best to avoid clicking on links or attachments from any emails that seem out of the ordinary or are from an unrecognizable email address. If you aren't sure about an email, you can always ask your company's IT department for insight about particular emails that seem sketchy. You should also refer to the Federal Trade Commission's guidance about recognizing and avoiding phishing scams.
Perhaps the easiest way to prevent phishing attackes, however, is by using Zix. Zix Email Threat Protection uses multiple layers of defense to keep your employees' emails and accounts safe from hackers and other cybercrime.
If you're ready to speak with a security specialist about how Zix can help your company avoid phishing attacks, please contact us today!