Phishing
What is phishing and how training can prevent phishing attacks
What is Phishing?
Phishing is a cybercriminal’s attempt to steal sensitive information (usernames, passwords, bank details, etc.) by using a fake email address to impersonate a legitimate business or website.
Over 85% of global organisations experienced phishing attacks in 2022. It’s one of the most common forms of cyber-attack and the single largest cause of data breaches across the world.
Most people think they can easily recognise a scam email, but the phishing techniques we see today are highly sophisticated, carefully targeted, and can actually be very difficult to spot. At Phishing Tackle, we can help train your staff to be aware of all phishing techniques.
Everyone is vulnerable to phishing attacks – which means security awareness isn’t just the responsibility of your IT or cybersecurity team. Every single employee has a role to play in keeping your data and network safe.
Discover how strong your current defences are with our free and automated Click-Prone® Test, or read on to learn how phishing emails could affect your business.
What is a phishing email?
Phishing emails are a criminal offence. Attackers will often masquerade as popular social networking sites, online shops, banks, credit card companies, or even your own IT help desk, to try and lure you into taking a specific action – sending money, clicking a malicious link, or downloading a dodgy file.
Cybercrime, including phishing attacks, costs the global economy over $2.9 million every single minute. It’s a technique that’s worked since the mid-1990s and is still just as effective today.
How did phishing get its name?
The “ph” spelling of phishing comes from an earlier word for committing telephone fraud: “phreaking.”
The term is a contraction of “phone freak” and described people who spent a lot of time learning how the telephone system worked – some of whom used that knowledge to “hack” the system and avoid paying the premium price of long-distance phone calls.
The first global phishing attack
One of the first examples of a global-scale phishing attack – known as ‘LoveBug’ – used an anonymous love letter to arouse people’s curiosity and wreak havoc on computers across the world in 2000. In just 10 days, it cost the global economy over $15bn in damages and lost productivity, proving that phishing emails are a powerful adversary that should be taken very seriously.
Phishing training
Your staff are your cyber defence front line – and it’s up to you to ensure they keep your business as secure as possible.
We provide automated online Security Awareness Training for organisations of all sizes, giving you and your staff a thorough understanding of phishing attacks, cyber security principles and best practices that can help prevent successful attacks.
Our huge library of security awareness training material is always accessible to your users, and we have a vast media section that’s updated regularly with the latest threats and scams from across the globe.
We also offer a Managed Service, for businesses with no time to spare. Simply answer a few questions to build your business profile in just 20 minutes. Once your profile is set up, we can send your first phishing email test that very same day.
Book a demo with Phishing Tackle and discover how our award-winning training can help reduce your business’ vulnerability to phishing, cyber-attacks, and potentially costly data breaches.
Types of phishing
Spam/email phishing
Nearly everyone in the world has experienced spam phishing at some point or another. These generic spam emails can be sent to thousands of people at once due to the low cost and lack of effort required. What makes these phishing attacks so effective is the quantity, rather than the quality of emails sent – giving them the alternate name: “spray and pray phishing”.
Spear Phishing
Spear phishing is more sophisticated. Attackers spend a long time selecting just the right target and researching their subject before sending a highly personalised email to a single person or a very small group of targets.
Whale Phishing/Whaling
Whaling is spear phishing aimed at a specific type of target. It is a high-level attack directed at chief executives and senior staff – and is one of the biggest risks currently facing businesses worldwide. The reputational and financial losses for a company that falls prey to a whaling attack can be devastating.
Business Email Compromise (BEC)
The other side of whaling phishing is BEC, often referred to as “CEO Fraud”. The attackers will impersonate high-level staff and ask a low-ranking employee to perform a task, such as sending emergency funds to a travelling manager. BEC attacks require some knowledge of the business structure, but targeting newer and younger members of staff can be a highly effective phishing tactic.
Angler phishing
Angler phishing attacks involve the hacker finding customer complaint details via social media and then impersonating customer service representatives from the real company to extract personal information, credit card details, and other valuable data from their victims.
Vishing
Voice phishing (‘vishing’) is a social engineering technique. Scammers will often call the target using a fake caller ID and pretend to be a representative of a bank or other reputable institution to acquire personal data.
Smishing
SMS phishing (‘smishing’) uses a similar technique to vishing, with attackers spoofing the sender ID to mimic legitimate numbers. These text messages are often alarming, using fear and panic to prompt you to click on a malicious link that then infects your phone.
Social media phishing
In social media phishing, attackers will create a duplicate account and target friends and relatives of their victim. These social engineering techniques can cause these unwitting targets to send money to a specific account set up by the hacker, believing they’re helping loved ones.
Pop-up phishing
Most users install pop-up blockers, but pop-up phishing is still dangerous. For instance, a new pop-up phishing technique involves the “notification” feature of a web browser. When the target visits a website, the browser will display a message saying the website wants to display notifications. Clicking on “Allow” triggers the pop-up to install malware.
Website forgery
Hackers build a replica of a legitimate website with the aim of getting users to provide valuable information that can be used to commit financial fraud, identity theft, or simply provide further data for a bigger attack later.
URL hijacking
This crude phishing tactic attempts to catch people who type an incorrect website URL. For example, attackers may register a domain that is one letter off from a legitimate and well-known one. By typing “paypall” instead of “paypal” you could potentially end up on a malicious site.
Content injection
Hackers who gain back-end access to a legitimate website will sometimes add malicious links to authentic content already on the site. This content injection can be subtle and hard to detect, leading users to unknowingly click on the link and potentially be infected.
Evil twin
Evil twin attacks involve the use of fake public Wi-Fi hotspots. These open Wi-Fi networks appear legitimate, but once a target connects, an attacker can perform Man in the Middle (MITM) attacks and intercept data sent over the connection, including passwords, bank details, and other confidential information.
Is phishing the same as smishing?
Smishing is a different – but increasingly popular – type of phishing, which uses SMS text messages to target people. Along with phishing emails, it’s another way cybercriminals can effectively trick individuals into clicking links and revealing valuable personal information.
There are apps that can ‘cloak’ a number and make it look like you’ve been sent an SMS message by a legitimate company, so it’s worth taking the time to check any strange text against the warning signs outlined on this page.
The impact of phishing attacks on your business
Phishing attacks can cause devastating damage to an organisation’s infrastructure and reputation.
With cyber-attacks almost doubling in recent years, businesses have lost billions as a direct result of phishing.
You may think most people wouldn’t be fooled by an anonymous email love letter – but it’s worth remembering that over 90% of successful data breaches in 2022 started with a phishing attack.
Just one human mistake can breach even the strongest of security and technological defences, resulting in loss of data and – consequently – loss of customers, reputation, and revenue. Other consequences of a successful phishing attack can include:
- Identity theft
- Client information theft
- Theft of funds
- Credit card fraud
- Loss of intellectual property
- Installation of malware and ransomware
What are the signs that you've been sent a phishing email?
There are a number of warning signs to look for in any unexpected or suspicious email that could suggest it’s a phishing attack – from the address it’s sent from to urgent demands for information.
Hackers rely on a combination of technology and psychology to convince people to click links, open attachments or surrender their valuable personal information.
Dodgy email address
Many phishing emails use fake email addresses styled to look like they belong to a genuine business.
They take advantage of the fact that most email providers will only display the sender’s name, hiding the actual email address.
They might be sent from a public domain (@gmail.com, for instance), or you may notice suspicious email addresses that mimic a legitimate website or use typos to try and deceive people.
For instance, ‘service.pay@paypall.com’.
Generic greetings
If you’ve given a legitimate business your full name, you can usually expect them to use it in their communications. Be wary of any email that begins with "Dear sir/madam".
Poor spelling and grammar
Professional businesses usually have a copywriting or editorial team who will proofread all communications to ensure customers receive high-quality and well-written content.
If an email is littered with spelling mistakes and grammatical errors, it’s a strong sign that it’s a scam.
Urgent call to action
Does the tone of the email subject and content feel alarming or threatening – like you must act immediately?
This is a common phishing tactic where hackers work to create a sense of fear or panic, to rush you into clicking a link or revealing more information than you should.
If you’re unsure whether the warning is legitimate, contact your bank or the company directly via the official channels on their website.
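As an added illustration of the warning signs above (and of the one-letter-off domains described under URL hijacking), the following Python script checks a raw email for four of them: a display name that claims a brand the sender address does not belong to, a sender domain within two letters of a known brand, a generic greeting, and urgency wording. This is example code written for this page, not Phishing Tackle’s product; the brand allowlist, public-domain list and sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist of brands the organisation expects mail from (an assumption).
KNOWN_BRANDS = ("paypal.com", "microsoft.com", "hsbc.co.uk")
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
URGENCY_WORDS = ("immediately", "urgent", "suspended", "within 24 hours", "act now")
GENERIC_GREETINGS = ("dear sir/madam", "dear customer", "dear user", "dear valued")

def edit_distance(a, b):
    """Levenshtein distance; a one-letter typosquat such as paypall/paypal scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def phishing_signs(raw_email):
    """Return the warning signs found in a single-part RFC 822 message string."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    label = domain.split(".")[0]  # registered label, e.g. "paypall"
    signs = []
    if domain in PUBLIC_DOMAINS:
        signs.append("public-domain sender")
    for brand in KNOWN_BRANDS:
        name = brand.split(".")[0]
        # Display name claims the brand, but the address is not on the brand's domain.
        if name in display_name.lower() and domain != brand and not domain.endswith("." + brand):
            signs.append("display name impersonates " + brand)
        # Registered label within two edits of a brand label: likely typosquat.
        if label != name and 0 < edit_distance(label, name) <= 2:
            signs.append("lookalike domain " + domain)
    body = msg.get_payload() if not msg.is_multipart() else ""
    if body.lstrip().lower().startswith(GENERIC_GREETINGS):
        signs.append("generic greeting")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(word in text for word in URGENCY_WORDS):
        signs.append("urgent call to action")
    return signs

# Constructed sample message (not real mail), using the page's paypall example.
SAMPLE = """From: PayPal Service <service.pay@paypall.com>
Subject: Your account will be suspended

Dear Sir/Madam, please verify your account immediately.
"""
```

Calling `phishing_signs(SAMPLE)` reports the impersonated brand, the lookalike domain, the generic greeting and the urgent wording; a genuine statement notification from an allowlisted domain with a named greeting returns an empty list.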
How to prevent phishing
While it’s not possible to block 100% of phishing emails, you can (and should) train your users to better spot them and not interact with any of these malicious attacks.
As hackers use increasingly sophisticated techniques to fool you into parting with your sensitive information, there is no single guaranteed method to fully prevent all types of phishing from reaching your users.
With proper cyber security awareness training and education, you can greatly reduce the chances of a successful phishing attack affecting your organisation.
Phishing emails can range from the easily noticeable to the almost impossible to distinguish, so people should treat all emails, websites, links and even public Wi-Fi connections with caution.
Some other techniques to help detect phishing emails include:
- Think before you click. Hover over any and every link before you click on it to check whether the URL is legitimate and safe.
- Don’t overshare online. Be very careful about what you post on social media. Hackers can be meticulous in their research, and every detail you offer up online could potentially contribute to a successful phishing attack. This could include birth dates, anniversaries, names of family or close friends…
- Use strong passwords. Don’t repeat passwords across platforms, and make sure every password is long and includes a mix of numbers, symbols and both uppercase and lower-case letters. Use a secure password manager if you can’t keep track.
- Install anti-virus software. Firewalls and anti-popup toolbars can help protect against online malware and phishing attacks.
- Report spam to the National Cyber Security Centre. If you do get sent a phishing email (or text), forward it to the NCSC. You may be able to help prevent future cyber-attacks.
- Employee Awareness Training. Awareness is the first step to any change, and providing phishing training to your employees will help protect your business, your customers, and your financial interests.