What is Phishing?
Phishing attacks target victims over email and text messages. The goal of phishing is to deceive the victim into sharing confidential information or downloading malware onto their device.
To execute the phishing attack, hackers create spoofed login pages of popular sites that are designed to steal credentials. The hacker’s goal is to pressure the victim into clicking the link to this fake page and entering their password.
The toll of phishing on society is immense:
- According to the 2020 Verizon Data Breach Investigations Report, phishing and stolen credentials were the top two threat actions in breaches.
- More than half of cybersecurity professionals saw an increase in email phishing attacks since the coronavirus pandemic began.
- Phishing attacks affected 85 percent of all active organizations.
- Users opened 30 percent of phishing emails.
- Hackers designed 57 percent of all phishing attacks for credential theft.
How Phishing Works
Phishing provides an easy and effective way for hackers to obtain confidential information, such as financial records, internal documents, and personally identifiable information like credit card numbers.
Passwords are the ultimate prize, because they provide long-term access to company assets and to other victims, which gives the hacker leverage to demand a ransom from the victim.
A successful phishing attack typically occurs in six steps:
- The victim receives a fake email impersonating a popular software provider like Office 365, Workday, ServiceNow, G Suite, Salesforce, etc.
- The phishing email claims that there is a problem with their account and that verification is required.
- The victim panics and clicks the link to solve the purported issue.
- The victim lands on a spoofed login page that the hacker designed to capture credentials.
- The hacker receives the victim’s credentials and uses them to take over the account.
- The hacker uses this compromised account as leverage to spread more phishing attacks, send malware, or hold a ransom.
Examples of Phishing
All phishing attacks deceive their victims into sharing confidential information. But did you know that phishing can also happen over text message and phone calls, not just email? Hackers can also use different components of the email message — like attachments and the sender address — to make their credential harvesting attempts more successful.
- Domain spoofing: When hackers spoof a website name or email address to convince the recipient that the phishing email comes from a trusted source.
- Business email compromise: When hackers take over an email account after a successful phishing attack and use it to inflict more damage at a company.
- Spear phishing: When specific individuals receive targeted phishing emails.
- Whaling: When hackers use spear phishing tactics to target executives or other high-profile victims.
- Clone phishing: When hackers create copies of pre-existing emails and replace attachments or links with malicious content.
- Smishing: When hackers use text messages to launch phishing attacks instead of email. The SMS text usually has a link to a phishing site or malware download. If not, it directly requests personal information from the victim, who replies with it if they fall for the scam.
- Vishing: When hackers use phone calls and voicemail messages to scam victims. They will impersonate a legitimate service or colleague in the hopes of extracting sensitive or confidential information.
- Deactivation scares: Hackers send emails to victims claiming that an essential service like their bank account has been deactivated. To reactivate their account, the victim must click on a link to verify their identity. Of course, this is a phishing link to a spoofed login page that captures their credentials.
How to Protect Against Phishing Attacks
Phishing attacks are a constant threat. One in every 99 emails is a phishing attack.
- Eliminate passwords: The ONLY way to ensure the prevention of credential-based attacks is through eliminating passwords. Learn more about passwordless authentication today and keep your most critical applications secure.
- Anti-phishing software: Anti-phishing software scans incoming emails for indicators of phishing. These indicators include typos, suspicious attachment extensions, the relationship between sender and recipient, and more.
When the anti-phishing software detects a threat, it either blocks the phishing email from the inbox or removes it retroactively. Although catch rates for anti-phishing software have improved over the years, they can’t detect and prevent 100% of phishing emails.
- User awareness training: Organizations partner with user awareness training providers to reduce the human element of phishing attacks.
These training programs offer videos, quizzes, and other interactive modules that teach employees to identify common traits of phishing. The provider also works with the organization to send simulated phishing emails that test employees’ awareness in a real-life situation outside of the training curriculum.
Global results from these simulations reveal that one-third of employees would fall for a phishing attack.
Although anti-phishing software and user awareness training help reduce the phishing problem, they do not protect the credentials of the very accounts they are trying to secure.
Credential-harvesting phishing attacks will always be an issue as long as online accounts are password-protected. If you want to eliminate the threat of stolen credentials for good, get rid of passwords forever.