Phishing attacks are a form of social engineering where a cybercriminal imitates a trusted entity and tricks an individual into opening a fraudulent email, SMS, or instant message. This message is designed to deceive the victim into sharing sensitive information or clicking a link that will run malicious code.
In the past year, 83% of all cyberattacks in the UK were phishing attacks. If one of these leads to a data breach or ransomware attack, the result can be devastating for a business, and such incidents often result in a loss of customers. The phishing methods that cybercriminals use are becoming more complex, so it is important to understand these methods and be able to spot them before your business falls victim to a cyberattack.
Bulk phishing is the most common form of phishing attack. This is where a cybercriminal sends a large number of fraudulent emails to employees and individuals. Although the emails are not tailored to the victim, they can be effective because, if enough are sent, eventually someone will open one.
Examples of bulk phishing attempts include emails relating to winning a prize, issues with the user’s account, or emails stating that a password has expired and needs to be changed. Some of these can easily be spotted due to the poor grammar, spelling and design of the email; others are nearly indistinguishable from an official email. You should always check where an email has come from and look for different spellings of the email address or of URLs in the text. If you are ever in doubt, it is always safer not to open an email.
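The check described above, looking for different spellings in the sender address and in URLs, can be partly automated. The following Python is an added example, not part of the original article; the trusted-domain list, the distance threshold of 2 and the sample message are constructed assumptions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains this organisation really exchanges mail with (constructed).
TRUSTED_DOMAINS = {"example.com", "example-bank.co.uk"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown'."""
    domain = domain.lower().rstrip(".")
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    labels = domain.split(".")
    for t in sorted(trusted):
        # Compare as many trailing labels as the trusted name has ("examp1e.com").
        tail = ".".join(labels[-len(t.split(".")):])
        # Trusted name used as a prefix ("example.com.evil.net") or misspelt.
        if domain.startswith(t + ".") or edit_distance(tail, t) <= max_distance:
            return "lookalike:" + t
    return "unknown"

def check_message(sender, body):
    """List (where, domain, verdict) for every lookalike domain in a message."""
    candidates = [("sender", parseaddr(sender)[1].rpartition("@")[2].lower())]
    candidates += [("url", urlparse(u).hostname or "") for u in URL_RE.findall(body)]
    verdicts = [(w, d, classify_domain(d)) for w, d in candidates]
    return [v for v in verdicts if v[2].startswith("lookalike:")]

# Constructed sample message, not taken from a real campaign.
SAMPLE_SENDER = "IT Support <helpdesk@examp1e.com>"
SAMPLE_BODY = ("Your password has expired. Reset it at "
               "https://example.com.account-verify.net/reset "
               "or read https://www.example.com/help for details.")

if __name__ == "__main__":
    print(check_message(SAMPLE_SENDER, SAMPLE_BODY))
```

A "trusted" verdict only means the name matches the list; the From address of an email can be forged, so it does not prove who sent the message.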
Spear phishing is an attack where the cybercriminal has researched their target and found personal information to be able to tailor the attack to them. This is typically more successful than bulk phishing because an email that contains personal information lowers the target’s guard, making them more likely to open a malicious link or file.
These emails may include the victim’s name or place of work, and may imitate a supplier or third-party technical support that requires the user to send their password for security purposes. Spear phishing attempts can be difficult to spot, but you should always verify suspicious requests in person if possible and never share your password with others.
Whaling is a form of spear phishing where the attacker targets a company’s executives in order to steal login credentials. This can be devastating for a company, as an executive’s account often has high-level access to the network along with employee and customer data. Threat actors may also use a spear phishing attack to gain access to an employee’s email account and then use that account to phish the executive, as the executive is more likely to trust an email from an employee than one from an unknown individual.
It is important for an entire company to be aware of and educated about cybersecurity, especially executives, and there should be policies and software in place to avoid high-level employees being phished.