Although it is something that almost every person with an email account (or simply a mobile phone) has come across at one stage or another, many people are still unsure what phishing actually is. Phishing is among the most straightforward forms of cyber-attack for a criminal to carry out. That being said, it is one which can provide these criminals with every piece of information they need to infiltrate every aspect of their unfortunate targets’ personal and working lives.
Usually carried out over email, although it has now spread to social media, messaging services and apps, a basic phishing attack tries to trick the victim into doing what the scammer wants. That can range from handing over passwords, making it easier to break into a company, to altering bank details so that payments go to fraudsters instead of the correct account.
The aim and the actual mechanics of the scams can vary from attack to attack. Targets might be tricked into clicking a link which brings them to a fake webpage with the aim of persuading them to enter personal information. It’s estimated that 1.4 million of these websites are created on average every month!
Other attempts involve tricking users into downloading and installing malware onto their device – a craftier approach to theft – or into inadvertently installing ransomware, which provides the scammer with much more profit, much more quickly.
More complex phishing schemes rely on a long game, with hackers using fake social media profiles, emails and more to build a relationship with the victim over months or even years. This happens in cases where specific individuals are targeted for specific data which they would only ever hand over to people they trusted.
Data conned out of targets can range from something as simple as an email address and password, to financial data such as credit card details or online banking credentials, or even personal data such as date of birth, address and a social security number.
In the hands of hackers, all of that can be used to carry out fraud, whether it’s identity theft, using stolen data to buy things, or even selling people’s private information on the dark web. In certain cases, it’s done for blackmail or to embarrass the victim.
In other cases, phishing is one of a number of tools used for espionage or by state-backed hacking groups to spy on opponents and organisations of interest in order to get a glimpse of classified information.
What’s frightening about phishing is that anyone can be a victim, from the Democratic National Committee, to critical infrastructure, to commercial businesses and even individuals.
Regardless of the ultimate goal of the attack, phishing revolves around scammers tricking users into giving up data or access to systems in the mistaken belief they are dealing with someone they know or trust.
An effective way to protect your organization from phishing is to educate employees. Education should have no exceptions and involve all employees – high-level executives are often a target. The training should teach each of them how to recognize a phishing email and the process to follow when they receive one. Simulation exercises are also a great way to assess how your employees react to a staged phishing attack.
Unfortunately, no single cybersecurity technology can prevent phishing attacks. Instead, organizations must take a layered approach to reduce the number of attacks and work on reducing their impact when they do occur. Network security technologies that have proved very useful in the prevention of phishing attacks include email and web security, malware protection, user behavior monitoring, and access control.