News reports about personal information being stolen from large companies make data theft seem abstract to the average person.

The sheer size of the identity theft seems unreal, often numbering in the millions.

The ongoing issues make it clear that no industry is safe from the threat of cyber attacks.

How does this continue to happen to large companies? Should not they be more prepared to defend themselves against a data breach? Can you truly feel safe conducting personal business online that involves providing sensitive information about yourself?

Everyone needs to be aware of the social engineering tactics thieves use to hit us at vulnerable points. They disguise themselves as things we trust. That lowers our defenses, leading us to give out personal information to those not acting in good faith. No one is invulnerable to the threat of data thieves.

Large businesses make prime targets due to their size and the number of people they employ. It only takes one person’s click on a link to put a firm at risk for a breach. It is vital that people understand how their daily activities expose themselves and their company to phishing scams.

You will not know anything is wrong until it is too late.

What is a Phishing Attack?

The term phishing defines attempts by outside parties to gain access to private information about users. Hackers are looking for passwords, credit card numbers, bank account info – anything capable of being used to access data about you. This identity theft gets used for financial gain or to steal valuable information for use as a tool of disruption.

Most successful phishing campaigns end with the user downloading malware into their system. The term malware covers various types of malicious software designed to gain access to information on a user’s device.

Common Types Of Malware

ransomware being held for cash payment

Hackers come up with new types of malware every day. Certain types endure and remain popular as a way to get to the sensitive information.

Computer Viruses – Code or software engineered to disrupt the way a device functions. They attach themselves to legitimate programs for code execution, often corrupting or destroying system files along the way.

Trojan horse – Disguises itself as a legitimate program within an email. They open the door to access the user’s information once executed.

Spyware – These programs embed themselves in your device to record your activities. They track sites you visit and capture any personal details entered by you.

Worm – These programs require nothing from your system. They are self-sustaining and duplicate themselves everywhere without needing human interaction.

Botnet Malware

Hackers in recent years started using computer networks designed to take control of devices in your home or business to launch malicious attacks. Remote controllers manipulate these malevolent botnets to turn your devices against you.

The laptop you use for work become a tool to steal your information. New technology like Amazon Echo speakers also presents new frontiers for hackers. The growing attacks on IoT (Internet of Things) devices make the consequences of phishing more severe.

The threat of botnets increased in 2017 with over 40% of automated login attempts to websites being malicious. The hospitality sector was the hardest hit with an 82% malicious login rate. Botnets leverage the fact that most people use the same account credentials to access multiple sites.

After obtaining credentials, the botnets attack site after site. This only stops once the user becomes aware of the theft and changes their information. A report from the cloud delivery firm Akamai notes the evolution of botnets over the past year. Attackers shifted to higher-capacity server-based botnets that were bigger and more flexible.

Ransomware

The rise of ransomware in the last decade brought a new type of danger to deal with. This software locks users out of the files in their system. Hackers demand payment in exchange for removing the malware and giving back access.

Sony Pictures found itself the victim of such an attack in 2014 and again in 2017. It is not just businesses being targeted. The government of the town of Yarrow Point in Washington grappled with frequent ransomware attacks throughout 2017.

How Phishing Plays Out

credit cards being stolen online with phishing tactics

Things have come a long way since the days of the Nigerian prince scam emails. Hackers use more sophisticated phishing email methods.

They come with stolen or altered business logos to trick the recipient. Or they infiltrate social networking platforms, disguising themselves as a friend or someone who shares your interests.

Popular Points of Attack

Social Media

Phishing attacks tend to go after a large pool of targets on platforms like Facebook or other favorite social media sites. You receive a request from a friend asking you to respond to a quiz. It asks questions like “What are your favorite vacation spots close to home?” or something equally innocuous.

The information you give out may seem like nothing. You might reference where you live and places you like to visit. Hackers need only a small bit of data to gain more information about you. That is enough to figure out your passwords and hack your personal accounts.

Thieves use the pictures posted to your Instagram or Snapchat account as sources of information. Korean officials at the recent 2018 Winter Games warned people not to post pictures of their tickets since they contained a barcode. Hackers could scan the pictures and capture all of their personal data.

Emails

Email remains a popular choice for most attackers. They mimic a popular brand or institution reaching out to you to help you resolve an issue. The official-looking communication asks you to confirm a password or other account information.

More sophisticated deceptive phishing emails make the sender address match those of people or businesses you communicate with regularly. They contain malicious attachments or links designed to deliver malware to your device.

Fraudulent Websites

Hackers build fake websites designed to steal your information. For example, people searching for a site that lets them update a passport get fooled by a login page that appears legitimate. The credentials they enter end up being used to compromise other personal accounts.

Scammers also lure visitors to these sites by creating fake ads on sites like Google or Craigslist. Bitcoin users fooled by fake ads on Google have been frequent victims of theft in recent months. The problem got so bad that Facebook recently banned all ads related to cryptocurrencies from their site.

False Advertisements

Websites make a significant amount of revenue by designing ads that get your attention. Hackers use this to their advantage by embedding these ads with malware. Clicking on the ads allows the software to embed itself in your system and go to work.

How Does Phishing Work?

sign that says malware alert with phishing attacks, spyware and scams

General phishing involves casting a wide a net as possible hoping a few people will take the bait. Attackers turn to more targeted methods when going after certain companies. They also look to rope in specific individuals with access to valuable information. Below are the most common phishing types:

Spear Phishing Attacks

Cyber attackers use this phishing technique to target particular businesses. They go beyond sending out mass emails or blanketing random sites with ads. They tailor their efforts toward people who work in an industry they find valuable.

Target became the victim of such a breach in 2013 when information on nearly 40 million customers was stolen during a cyber attack. Hackers went after a third-party vendor used by the company. They captured their credentials and used them to access the customer information from a database using malware downloaded from a malicious attachment.

Whaling

John Podesta, the chairman of Hillary Clinton’s presidential campaign, found out about whale phishing the hard way. His account received an email purporting to be a Google alert letting him know his system had been compromised. It was urgent that his credentials be reset immediately at the link provided.

His assistant did just that after receiving erroneous information from their IT person that it was legitimate. That is all it took for malicious spyware to be released into their systems. Thousands of document and emails were stolen by Russian hackers.

Whaling phishing attempts target high-level executives with credentials giving them access to a wide range of information. Factors like human error and bad advice play a big part in the success of these type of attacks.

Clone Phishing

Cloning involves mimicking a trusted site a user frequents. People receive emails warning them about an issue with their account. Hackers create an entire malicious website that looks like the one the user logs into regularly.

The attackers hope to fool users into providing them with personal credentials. Some users of the popular internet message board Reddit fell victim to clone phishing. A clone of the site popped up with the apparent intent of tricking people into thinking they were logging into the regular Reddit site.

Phone and Text Phishing

Not all attacks come over the internet. Many businesses use automated voice messages to alert people to things like an upcoming doctor appointment. Hackers use this method to leave voicemails warning you about an issue. They may reference your bank account or a company you’ve obtained services from.

Hackers employ similar methods using text messages. This allows them to send you malicious links directing you to a phishing website. Once you get there, they mask the address bar with a picture of a real URL to fool you into thinking you are on a real site.

The Facts Behind Phishing

A report from the Anti-Phishing Working Group (APWG) showed that companies responding to their survey experienced a steady stream of phishing scams during the first half of 2017. The most targeted business sectors were:

  • Payment Providers
  • Financial Institutions
  • SAAS/Webmail
  • Cloud Storage/Cloud Hosting

Popular Phishing Methods – First Half of 2017

Responses to the APWG survey showed the below methods being used the most:

Emails – The most popular tool for attackers at an average of 98,723 per month.

Websites – Attempts using this method averaged 48,516 per month.

Phishing URLs – Averaged around 18,113 attempts per month.

Hackers targeted a small number of brands at an average of 443 times per month. APWG contributor PhishLabs noted an uptick in free web hosting sites being used to build malicious websites. They do this to lend credibility to the site being built by using an established provider.

76% of companies experienced some type of phishing attack. That number rose in the first quarter of 2017 to 81% for US companies. Businesses saw a rise in malware infections of 49%, up from 27% in 2016.

Other phishing stats suggest that spear phishing accounted for 53% of phishing campaigns worldwide. That number went up to 57% for the United States. Phone calls and text messages, on the other hand, accounted for 45% of phishing attempts worldwide.

Popular Phishing Methods

How To Protect Yourself Against Phishing

It only takes one moment of inattention to make yourself or your company the victim of identity theft. While there is no an easy way to prevent phishing, a multi-pronged approach to combating the threat can minimize the risk. 

1. Protect Your Inbox

The best defense is a good offense. Stop potentially damaging emails from entering company inboxes by using strong email spam filters and following email security best practices. Most security software companies offer versions compatible with both computer and mobile devices.

Your software should automatically scan any links or attachments. This prevents new or unrecognizable URLs from sneaking past company safeguards. New computer security threats show up every day. Hackers also continuously work to evolve and hide malware. Keeping your software updated and running continuously is essential.

2. Analyze Web Traffic

Attackers love to find vulnerable points when users access personal accounts on their work computers. Check any access attempts to non-company websites or email servers. It does no good to have top-level security on a work email account, only to have someone download malware by clicking on a Facebook ad.

3. Raise Employees’ Security Awareness

Human error still accounts for the majority of data breaches. Hackers only need one person in an organization to click on the malicious link in an email to cause damage. Multiple steps should be taken to train employees on how to recognize phishing and handle them appropriately.

First of all, employees need to understand that they are all potential victims of cybercrime. They need to be educated on the most common threats and best practices of protection. Companies should provide comprehensive training on how to recognize a phishing message, social engineering tactics, and suspicious web addresses.

The training should also cover identity management, as well as cloud security and mobile security best practices to enable employees to protect themselves.

A. Test Employees on how to identify a phishing email

Target specific people within different areas of your company with test phishing emails. Track those who correctly identify suspicious emails versus those who do not. Interview them to gain insight as to why they did or did not recognize the problems within. Use that feedback to modify or redesign your cyber security training courses.

In addition to testing employees, you should also regularly check the stability of your critical infrastructure. If you are hosting your data with a third-party data center provider, you should ensure it provides advanced protection against the most common threats such as DDoS, phishing, and ransomware attacks.

If your entire infrastructure is managed internally, you need to ensure you have all these systems in place to keep your data safe. You should also consider running a penetration test every once in a while to be confident about your platform’s security.

B. Communicate Effectively Between Departments

One of the easiest ways to manage passwords is with a corporate password management solution.

Make sure your employees understand recommended cybersecurity best practices and receive frequent reminders about their importance. Coordinate across all departments so that everyone gets the same education.

C. Use A Variety of Teaching Methods

Everyone absorbs information differently. Some prefer visual cues, while others like thing documented in a manual to refer back to. You also have those who prefer to gain knowledge audibly. Provide your employees with different options to obtain online security education.

D. Make It Personal

Employees often cannot comprehend how their actions could hurt the entire company. Bring it down from an abstract and show how it affects them. Demonstrate how the damage done by malicious software impacts their job.

E. Create a Phishing Tutorial On What Not To Share

Cyber thieves continuously scour social media for information posted by employees of companies they are targeting. 

Advise them to avoid sharing information like:

  • Birthdays
  • Personal Address
  • Phone Numbers
  • Vacation Days
  • Online Banking and Credit Card Details

Attackers use this information to guess at passwords they use to access accounts at work. Letting people know when you will be away from your computer gives hackers a window of opportunity to target you while you are not there.

F. Establish a System to Report Threats

Inform employees on what to do if they encounter a fraudulent email. They should report even if they are unsure if the message is a threat. They should also beware random text messages seeming like official communications from the company.

G. Celebrate Due Diligence

Show employees your appreciation for following security protocols. Prepare a luncheon or off-site event to show your company’s appreciation for the dedication shown by workers to keeping company information safe.

what is a phishing attack

Raise Your Company’s Phishing Awareness

The best defense against all types of phishing attacks is learning what to watch for.

Learn about the deceptive phishing tactics used to get personal information. Do not let your company become one of the statistics being used as a warning to other businesses.