Blog Post September 22, 2022

Could you be the Next Bait for a Phishing Attack?

[Image: Phishing Bait]

By:
Krystal Rennie, Director of Corporate Communications,
and Brittany Demendi, Corporate Communications Manager

Have you ever received an email informing you that you’ve won an all-expenses-paid trip to the Bahamas in a raffle you never entered? Or received an email from a streaming service notifying you that your credit card was rejected and asking you to click on a link to update your payment method? You’ve been exposed to a form of phishing. These are examples of email phishing, which relies on untargeted tactics but appears everywhere. By comparison, more targeted versions of phishing are more dangerous and can lead to identity theft, unauthorized access to sensitive data, or the defrauding of funds.

To an organization, phishing is always a severe risk. Phishing is an early-stage and reliable tactic used by hackers to gain access to networks as part of a larger attack. For example, if you’ve been mentoring a graduate student for weeks and they send you an academic survey, would you open it? If your CFO receives formal notification of a lawsuit from a competitor, would you contact the law firm? If your IT department sends a message about service upgrades that require a new login, would you follow the instructions? These can all be examples of phishing.

Cybercriminals commonly use phishing to lure potential victims into performing harmful actions that could put your organization’s data at risk. This technique is the art of manipulating people into giving up confidential information, either by typing their login credentials into a fake company website or by clicking a malicious attachment they thought was an invoice. Because phishing is effective and straightforward, cybercriminals launch thousands of attacks daily and are often successful.

Five Most Common Types of Phishing Attacks

Regardless of the type of organization, large or small, it will be targeted by cybercriminals attempting a phishing attack. Phishing attacks are getting more difficult to spot, and some will even fool the most observant employees. Education on the different types of phishing attacks is essential. Below are five common types:

  1. Spear-Phishing is a targeted attack that aims to steal sensitive data from a specific organization or individual. Cybercriminals lure in the victims with personal information specific to the organization or the employee to seem more legitimate.
  2. Vishing is a phishing attack that occurs over the phone. Calls are usually made using a spoofed ID to make it seem safe to answer. As an example, a hacker could pose as a representative at your bank or credit union and call to alert you that there has been questionable activity on your account. Once they’ve gained your trust, the hacker will ask for your personal account information and can use that information to commit identity fraud.
  3. Whaling is a cyberattack that selects a high-level target in an attempt to steal and misuse the private, personal information of senior management at a company or organization. Whaling occurs in the form of emails that are more sophisticated than ordinary phishing and are often harder to recognize due to their use of polished corporate language. The email will include personalized information about the target or organization.
  4. Smishing uses SMS text messages that reference personal information, such as credit card details or passwords, to appear legitimate and acquire additional information. The text message usually includes a call to action that demands an immediate response or reaction.
  5. Clone Phishing involves receiving a spoofed email that looks identical to one sent by someone you have already received emails from. The spoofed email, however, is malicious and contains new information along with malicious links or attachments.
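Several of the cues named above (a sender that imitates a trusted contact, a reply address that goes somewhere else, an urgent call to action, and a link whose visible text does not match where it points) can be checked mechanically before a message reaches an inbox. The following script is an added example, not code from the original post or its authors: it parses two constructed sample emails with Python's standard `email` module and reports which of those cues are present. The trusted-domain list, the urgency word list, and the digit-for-letter lookalike heuristic are assumptions chosen for the illustration; a real mail gateway would draw them from the organization's own domains and tuning.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample: a clone-phishing style message. The display name matches a
# real contact, but the address domain is a lookalike, Reply-To points elsewhere,
# the subject demands immediate action, and the link text hides a different target.
SAMPLE_RAW = """\
From: "Accounts Payable" <ap@examp1e-corp.com>
Reply-To: collections@mail-example-corp.net
To: cfo@example-corp.com
Subject: URGENT: invoice 4471 overdue - action required immediately
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please review the updated invoice and confirm payment today.</p>
<p><a href="http://login.mail-example-corp.net/auth">https://portal.example-corp.com/invoices</a></p>
</body></html>
"""

# Constructed sample: a benign message from the genuine domain, for comparison.
BENIGN_RAW = """\
From: "Accounts Payable" <ap@example-corp.com>
To: cfo@example-corp.com
Subject: Invoice 4471 attached
Content-Type: text/plain; charset=utf-8

Please find the invoice attached.
"""

# Assumed list of the organization's own domains (hypothetical value).
KNOWN_DOMAINS = {"example-corp.com"}
# Assumed urgency vocabulary; a production filter would tune this list.
URGENCY_TERMS = ("urgent", "immediately", "action required", "overdue", "suspended")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain_of_address(addr):
    """Return the lower-cased domain part of an RFC 5322 address header value."""
    return parseaddr(str(addr))[1].rsplit("@", 1)[-1].lower()


def _domain_of_url(url):
    """Return the host part of an http(s) URL, or '' if the text is not a URL."""
    m = re.match(r"https?://([^/:]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def _is_lookalike(domain, known):
    """Heuristic (assumed, not exhaustive): flag digit-for-letter swaps such as
    '1' for 'l' and '0' for 'o', and padded names such as 'mail-example-corp.net'
    that embed a trusted domain's first label. Legitimate domains containing
    digits would need an allow-list to avoid false positives."""
    if domain in known:
        return False
    if domain.translate(str.maketrans("013", "ole")) in known:
        return True
    return any(k.split(".")[0] in domain for k in known)


def triage_message(raw, known_domains=KNOWN_DOMAINS):
    """Return a list of human-readable phishing indicators found in a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = _domain_of_address(msg["From"] or "")
    if _is_lookalike(from_domain, known_domains):
        findings.append(f"sender domain {from_domain} resembles a trusted domain")
    reply_to = msg["Reply-To"]
    if reply_to and _domain_of_address(reply_to) != from_domain:
        findings.append("Reply-To domain differs from From domain")
    subject = str(msg["Subject"] or "").lower()
    if any(term in subject for term in URGENCY_TERMS):
        findings.append("subject uses urgency language")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = _LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            shown, target = _domain_of_url(text), _domain_of_url(href)
            if shown and shown != target:
                findings.append(f"link text shows {shown} but points to {target}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_RAW), ("benign", BENIGN_RAW)):
        print(label, "->", triage_message(raw) or ["no indicators"])
```

Running the script reports four indicators for the constructed suspicious message and none for the benign one. None of these checks proves a message is phishing on its own; the value is in surfacing them together so that a reviewer, or a rule in the mail gateway, can weigh them before anyone clicks.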

Consequences of a Successful Attack

Although the types of phishing attacks vary in risk level, one thing they all have in common is the power to damage a business. Below are a few possible results of a successful phishing attack:

  • Unauthorized transactions
  • Password and username manipulation
  • Account takeovers
  • Identity theft
  • Credit card theft
  • Stolen data
  • Stolen funds
  • Sensitive data sold to third parties

These are just a few examples of what could become compromised when these attacks occur. Companies must invest in the proper Managed Detection and Response platform and Proactive Defense Program to help protect sensitive information and train employees on security awareness.

Be Proactive Against Phishing Attacks, Not Reactive

Equipping employees with the proper knowledge is the best defense when protecting an organization’s data and assets from phishing attacks. In 2019, a major healthcare company reported that one of its employees stopped a phishing attack within 19 minutes, according to Comparitech. Their employee said that they received suspicious emails, and their Security Operations Center was able to take care of it immediately. Creating a security culture within every department, not just IT, is vital.

As phishing emails become harder to detect, investing in security awareness training like a Proactive Defense Program will be the main differentiator between robust risk management plans and weak ones. The truth is that the future of phishing attacks depends on many factors. Cybercriminals are discovering new ways to step up their game daily and have become more sophisticated in their attacks. That said, it is up to the rest of us to find new ways to combat their tactics. At the end of the day, there is too much at stake if we do not think multiple steps ahead of cybercriminals.