With the growing complexity of security features designed to protect vital personal and business information, cyber criminals also continue to get better at capturing it.
According to a recent internet crime report released by the FBI, phishing was the most common cyber crime in 2020 after nearly doubling in frequency. The data show that 75% of organizations around the world experienced some kind of phishing attack in 2020. Stateside, 74% of organizations experienced a successful phishing attack. This is 30% higher than the global average, and 14% higher than last year. So what is phishing, and how are cyber criminals doing it?
Phishing is a form of cyber crime designed to obtain sensitive information through malicious emails, text messages, and websites made to look real. The most common technique is deceptive email phishing, in which an attacker creates a fake email address made to appear as if it belongs to a legitimate company. They use this address to contact a list of potential victims and prompt them to click links to fake websites designed to steal information or login credentials.
A more targeted email phishing approach is called spear phishing, which involves background research on the part of the attacker. They scour company websites and social media profiles for names, locations, phone numbers, and job titles, then use them to create personalized emails that seem more legitimate. As with deceptive phishing, a malicious link or attachment is included to lure the recipient in.
Cyber criminals will also go after “bigger fish” through whaling. Whaling is one of the most targeted phishing schemes and focuses on presidents, CEOs, and other C-suite executives. Unlike other forms of phishing, whaling uses email that appears to come from other high-level business professionals to further deceive the recipient. These emails typically convey a strong sense of urgency and request financial information, sensitive data, or money.
If the right precautions aren’t taken, anyone can fall victim to a phishing attack, and the consequences can be severe. According to the FBI’s Internet Crime Report, in 2020 business email compromise scammers made more than $1.8 billion, a figure that far exceeds any other cyber crime. How can you ensure that you, or your organization, aren’t compromised by a phishing attack? Below are some example phishing emails and ways to spot potential scams.
(Photos courtesy of IT Governance UK and SecurityMetrics.com)
Five tricks to avoid falling victim to a phishing attempt:
- Check spelling - In the examples above you will see many spelling and grammar errors, which indicate the messages might not be legitimate. Cyber criminals operate all around the globe, and language barriers and poor translations show up in their messages.
- Look at the email address - Phishing emails are most commonly sent using a correct sender name but an incorrect email domain. Incorrect domains may contain spelling errors or random words and numbers, or the message may come from a generic email domain such as Gmail. Most reputable organizations have their own email domain and company accounts.
- Never click links or attachments - Every phishing email contains some method of capturing your information, typically a suspicious link or attachment. If you are unsure whether a link is genuine, hover your mouse over it to see the real destination; the visible link text and the address it actually points to can differ. Take the same precautions with suspicious attachments: never open an attachment if you are unsure of its legitimacy, and never ignore pop-up warnings about them either.
- Be cautious of generic introductions - If you receive an email with a generic introduction such as “Dear Sir / Madam,” or “Dear Customer”, you might want to think twice before reading further. If a company you routinely do business with is reaching out, their communications most likely will include your name and possibly your account information.
- Steer clear of intimidation techniques - Many scammers know that email recipients might not act on something unless there is an immediate need to do so. Because of this, a common technique is to intimidate recipients or instill a sense of urgency, since these tactics are more likely to make a recipient take action. If the rest of the message doesn’t seem valid, it’s always better to be safe than sorry.
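The checklist above can be turned into a small triage script that applies four of the five tricks to a raw email (the spelling check is left to a human reader). The code below is an added example written for this post, not INE’s tooling or part of its awareness product; the company domain `example-bank.com`, the greeting and urgency word lists, and the two sample messages are all constructed for illustration.

```python
"""Heuristic phishing triage: sender domain, generic greeting, urgency language,
and link text vs. real destination. Added example with constructed data."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the only domain this organisation legitimately sends mail from.
LEGIT_DOMAINS = {"example-bank.com"}
BRAND_WORDS = ("example bank", "example-bank")
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
GENERIC_GREETINGS = ("dear sir", "dear madam", "dear customer", "dear user", "dear member")
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "will be suspended",
                   "verify your account", "final notice")


def edit_distance(a, b):
    """Levenshtein distance; small values flag look-alike (typo-squatted) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legit_host(host):
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def host_of(s):
    """Hostname of a URL or bare domain string, lower-cased ('' if none)."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs so they can be compared, as hovering does."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw):
    """Return the list of indicators found in one raw RFC 822 message string."""
    msg = message_from_string(raw)
    findings = []

    # Trick 2: the display name is easy to fake, so judge the domain after the '@'.
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain and domain not in LEGIT_DOMAINS:
        if domain in FREEMAIL_DOMAINS:
            findings.append(f"sender uses free mail domain {domain}")
        elif any(edit_distance(domain, d) <= 2 for d in LEGIT_DOMAINS):
            findings.append(f"sender domain {domain} looks like a misspelt company domain")
        elif any(w in display.lower() for w in BRAND_WORDS):
            findings.append(f"display name claims the brand but domain is {domain}")

    # Trick 3: collect links and attachments from every text part.
    links, text = [], msg.get("Subject", "") + " "
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            findings.append(f"attachment present: {part.get_filename()}")
            continue
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        payload = (part.get_payload(decode=True) or b"").decode(
            part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/html":
            collector = LinkCollector()
            collector.feed(payload)
            links += collector.links
            text += re.sub(r"<[^>]+>", " ", payload)
        else:
            links += [(u, "") for u in re.findall(r"https?://[^\s<>\"']+", payload)]
            text += payload
    lowered = " ".join(text.split()).lower()

    # Trick 4: a generic salutation instead of the recipient's name.
    if any(g in lowered[:150] for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    # Trick 5: pressure language.
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    # Trick 3 again: visible link text that names one host while the href goes elsewhere.
    for target, visible in links:
        target_host = host_of(target)
        if visible and "." in visible and " " not in visible:
            visible_host = host_of(visible)
            if visible_host and visible_host != target_host:
                findings.append(f"link text shows {visible_host} but points to {target_host}")
                continue
        if target_host and not is_legit_host(target_host):
            findings.append(f"link to non-company host {target_host}")
    return findings


def is_suspicious(raw):
    """Two or more independent indicators is the threshold used for this example."""
    return len(check_message(raw)) >= 2


# Constructed sample messages (not real mail).
PHISH = """\
From: Example Bank Security <security@examp1e-bank.com>
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Your account will be suspended within 24 hours unless you
<a href="http://login-examp1e-bank.co/verify">https://www.example-bank.com/login</a> immediately.</p>
</body></html>
"""

LEGIT = """\
From: Example Bank <statements@example-bank.com>
To: customer@example.org
Subject: Your March statement is ready
Content-Type: text/plain; charset="utf-8"

Hello Jordan,

Your statement is available in online banking at https://www.example-bank.com/statements.
No action is required.
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, is_suspicious(sample), check_message(sample))
```

The sender check deliberately ignores the display name unless the domain is already wrong, because the name is the part scammers get right; the link check reproduces what hovering shows by comparing the visible text with the `href`. Heuristics like these produce false positives, so they belong in a triage queue or user-awareness hint, not an automatic block.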
One of the best ways to combat the growing threat of phishing at an organizational level is to offer training in the business environment.
With INE’s Cyber Security Awareness training, we can enroll your team in phishing training and deploy a phishing simulation to their emails at various times with themes of your choosing. Once the emails have been sent, you can track and monitor employee activity to determine who opened an email, who clicked a link, and more. In addition, you can receive alerts regarding employees with high-risk activity so you can take immediate action and develop a more secure corporate culture.
To learn more about INE’s Cyber Security Awareness Training for businesses, please click here. If your organization has an existing INE Business Plan and would like to sign up for the free training, please click the link below!