Cybersecurity has taken center stage in recent times. Apart from the worrying frequency of cyber-attacks, the variety and inventiveness of cyber attackers make cyber-attacks a real menace to small and medium businesses. Phishing, pronounced like "fishing", is one of the mischievous techniques used to mount a cyber-attack.
Typically, hackers phish through emails. Given how widely email and personal mobile devices are used for business communication, phishing is a technique set up to trick people into giving out sensitive data. Small and medium businesses are often the target of phishing attacks, and phishing accounts for 22% of all cyber breaches that affect them.
For small and medium businesses, phishing attacks lead to data loss and financial risk. One reason phishing attacks continue to haunt small and medium businesses is their inability to spot them. This is partly because of the passivity of small and medium businesses towards cybersecurity, as well as the ever-evolving inventiveness of cyber attackers.
This article explains the various techniques that malicious actors use for phishing attacks and practical ways to spot them.
Never mind that "phishing" appears to be a misspelling of "fishing"; the working model is similar. A vivid picture of phishing is a baited hook (the phishing mail) thrown into a sea full of fish (the targets) in the hope that one takes the bait. Phishing is a cyber-attack that tricks people into giving out sensitive details such as bank and credit card details, personally identifiable information (PII), and passwords by mimicking an authentic source. It can be done through emails, text messages, websites, or even phone calls.
Usually, phishing attacks appear to come from a trusted source such as your bank, your employer, or a government agency. They are also often laced with a story designed to convince you to give up sensitive information. A good example is the phishing campaign that impersonated Netflix and encouraged customers to "update their payment details"; as it turned out, the link provided in the email wasn't Netflix's. Information harvested through phishing attacks is used to commit fraud or to gain unauthorized entry into private accounts.
Cyber-attackers are getting increasingly creative with their phishing techniques. As a small or medium business looking to avoid phishing attacks, it's important to understand the techniques cyber attackers use. Listed below are the most common phishing techniques that affect small and medium businesses:
1. Email Phishing
In the business world, email phishing is the commonest phishing technique, given how heavily the internet is used for business transactions and communication. Email phishing involves impersonating trusted organizations, such as your bank or credit card provider, to steal sensitive data or to get you to install malware on your device that lets malicious actors gain unauthorized access to sensitive data. Email phishing is usually sent indiscriminately rather than aimed at a particular victim.
2. Spear Phishing
Unlike generic email phishing, spear phishing is a well-researched cyber attack designed to trick a specific individual or business into giving out sensitive information. Spear phishing uses spoofed addresses to convince potential victims that the email source is authentic. For small and medium businesses, spear phishers may target employees by mimicking senior personnel to steal sensitive data for fraudulent purposes.
3. Whale Phishing
Whale phishing, also known as whaling, is a type of spear phishing directed at high-value individuals such as CEOs or other top-level officials. In the fishing analogy, whaling goes after the "big fish". Whaling often targets less well protected senior officials who use unsecured email addresses for business transactions and communications.
Whaling is a meticulous cybercrime directed at only a few people. In 2008, whaling criminals targeted CEOs with fake FBI subpoenas. Although the success rate of that whaling campaign was 10%, it translated to roughly 2000 victims, a decent return for the attackers!
4. Smishing
The use of mobile phones for personal and business purposes has grown with digitalization. Smishing, otherwise known as SMS phishing, occurs via text messages. Smishing attackers thrive on exploiting the trust and emotions of potential victims rather than technical weaknesses.
Smishing attackers usually include a malicious link in text messages to con people into giving out sensitive details. As small and medium businesses move towards Bring Your Own Device, which relies on smartphones and other personal devices, smishing attacks have been on the rise: 81% of mobile phishing occurs outside email.
5. Business Email Compromise
Also known as email account compromise, this is another form of email phishing common among small and medium businesses. Business email compromise works by cybercriminals impersonating known contacts to make requests such as a quick wire transfer, the purchase of gift cards, or personal credit card numbers. Such is the popularity of the technique that it accounted for nearly half of cyber-related breaches in 2019.
Common business email compromise techniques used by cybercriminals include:
- Altering legitimate email addresses (e.g., email@example.com vs firstname.lastname@example.org) to create look-alike accounts that deceive people.
- Spear-phishing emails: these are used to trick people into revealing vital information. They also allow cybercriminals to install malware on your systems, which is then used to steal vital information or to gain unauthorized entry to accounts.
How to Spot Phishing
Understanding phishing techniques is one thing; knowing how to spot them is another story. In this section, you'll learn practical and effective steps to identify phishing attempts:
1. Public Email Domain
This is a common trick cybercriminals use to con people easily. Businesses rarely use a public domain name such as "@gmail.com"; rather, the email address of a legitimate business typically matches the name of the organization. For example, Google's email addresses end with "@google.com".
One way to spot phishing emails is to check that the sender's email address matches the organization the mail claims to be from, especially if the sender is a public organization or business. Also, check for spelling errors in the domain name. A high-profile example of a phishing mail is the PayPal phishing scam email shown in the picture below. Notice the grammatical errors in the message.
2. Juicy Offers
Cybercriminals thrive on the ignorance of victims. One sign of a phishing attempt is an offer that is too good to be true. Phishing criminals often make extraordinary offers to trick people into opening a malicious link or website.
3. Attachments, Hyperlinks, and Links
Hyperlinks embedded in emails or websites are one of the default methods cybercriminals use to steal your data. Links and attachments are often disguised as payment links, login-attempt notifications, or, in some cases, messages impersonating a government agency to steal personal data. To make sure you're not clicking the wrong link or downloading the wrong file, hover over a link to see where it really points and always double-check the story behind it. You should also look out for grammatical and spelling errors in the link text and addresses.
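The sender-domain check from the "Public Email Domain" step and the link check from this step can be automated at a mail gateway or in a triage script. The following is an added example, not code from the original article: it scores a constructed sample message against a small assumed list of public webmail domains and known brand domains, flagging public-domain senders, look-alike sender domains, and links whose visible text points somewhere other than their real target.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a message claiming to be PayPal, sent from a look-alike
# domain, with a link whose visible text does not match its real destination.
SAMPLE_EMAIL = """\
From: PayPal Support <service@paypa1.com>
Subject: Update your payment details
Content-Type: text/html

<p>Please <a href="http://paypal-secure-login.example/verify">https://www.paypal.com/account</a>
to update your details.</p>
"""

# Assumed reference lists; a real deployment would load these from configuration.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
KNOWN_BRANDS = {"paypal": "paypal.com", "google": "google.com", "netflix": "netflix.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Flag public webmail senders and display names that do not match the domain."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    if domain in PUBLIC_DOMAINS:
        findings.append(f"sender uses public webmail domain {domain}")
    for brand, real in KNOWN_BRANDS.items():
        if brand in display.lower() and domain != real:
            if edit_distance(domain, real) <= 2:
                findings.append(f"sender domain {domain} looks like {real}")
            else:
                findings.append(f"display name claims {brand} but domain is {domain}")
    return findings

def check_links(html):
    """Flag anchors whose visible URL text names a different host than the href."""
    findings = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.S | re.I):
        target = urlparse(href).hostname or ""
        shown = urlparse(text.strip()).hostname  # None when the text is not a URL
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
    return findings

def analyse(raw):
    """Run both checks over a raw RFC 822 message and return the list of findings."""
    msg = message_from_string(raw)
    return check_sender(msg["From"]) + check_links(msg.get_payload())
```

An empty result from `analyse` does not make a message safe; it only means none of these three cheap heuristics fired.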
Every day, cybercriminals develop newer and more sophisticated methods to steal sensitive data. Increasingly, malicious actors gain unauthorized access to private accounts for fraudulent purposes through a range of phishing techniques, which give them many ways to bypass security systems.
To build cybersecurity systems that'll help you secure your devices, NWTechnology is the cybersecurity aid you need. We will help your business with unique solutions that will ensure you stay on top of your cybersecurity game. Our services include cybersecurity auditing and compliance, and incident planning that'll provide adequate security for your business devices and business software. Contact us now to book a session with us.