Phishing: The #1 Cyberattack

Phishing is a type of online scam in which cybercriminals send fake emails, text messages, or phone calls that appear to come from legitimate sources such as banks or government agencies. Their goal is to trick you into sharing personal information such as passwords, credit card numbers, or Social Security numbers. To make matters worse, phishing no longer relies only on victims volunteering that information; it increasingly uses technical and deceptive methods, such as look-alike domains and malware-laden links, to get it.



Types of Attacks

Email Phishing

One of the most widely recognized forms, this attack attempts to illicitly acquire sensitive information through an email designed to mimic a legitimate organization. It does not target a specific individual and can be run at large scale against thousands of recipients at once.

Malware Phishing

A deceptive attack method that combines phishing with malware distribution. Cybercriminals craft seemingly legitimate emails, messages, or links to deceive recipients into taking actions, such as opening an attachment or running a downloaded file, that lead to the inadvertent installation of malware on their devices. These attacks are delivered via email, text message, or social media.

Smishing

Instead of emails, attackers send SMS text messages containing fake links. Clicking these links might direct you to fake websites or infect your phone with malicious software. The technique has also spread to other messaging channels, such as social media platforms and chat apps.

Voice Phishing

This variety relies on traditional methods of deception to convince victims to offer up personal information, such as banking or credit card details. Attackers often pose as employees of organizations ranging from utility companies to insurance providers. To make matters worse, caller ID can be “spoofed”, allowing callers to appear to be calling from a reputable business phone number, so the displayed number is not proof of who is calling.

Search Engine Phishing

This form of attack involves cybercriminals creating deceptive websites with the intention of gathering personal information and facilitating unauthorized payments. These fraudulent sites can appear within organic search results or even as sponsored advertisements for commonly used search terms.

FAQs

How common is phishing?

Earlier this year, the FBI’s Internet Crime Complaint Center (IC3) released its statistics for 2022. Of the 800,944 complaints reported in 2022, phishing took the top spot with 300,497. The report underscores the persistent evolution of cyber-enabled crimes, which are growing increasingly sophisticated on a global scale.

How do phishing emails get my email address?

Attackers gather email addresses in many ways. They obtain user databases from data breaches and third-party leaks, or simply buy address lists on the dark web. They scrape publicly available sources such as websites, social media profiles, and employee directories on company sites using automated tools. They guess common address patterns (for example, first.last@company.com) once they know how an organization names its mailboxes. They harvest address books from computers already infected with malware or enrolled in botnets. And they use social engineering, including fake surveys and promotions, to get people to hand over their addresses directly.

What happens if you answer a phishing email?

Even if you don’t provide any information or click a malicious link, simply replying to an email or text message (or, in some cases, opening an email that loads remote tracking images) can confirm to attackers that your address is active and that you engage with unsolicited messages. This often leads to more attacks, or to your being singled out for more sophisticated, targeted attempts.

What is an example of how phishing works?

Let’s say you receive an email that appears to be from your bank, informing you of suspicious account activity and urging immediate action. The email includes a link that appears to lead to your bank’s website for addressing the issue. Without noticing that the sender’s address has a typo or uses a similar but not identical domain, you click the link out of concern for your account. It leads to a site resembling your bank’s, prompting you to log in for verification. Unbeknownst to you, it’s a fake site crafted to steal your credentials. Attackers armed with your login can then access your account, siphon funds, make unauthorized transactions, or gather more data about you.
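The scenario above hinges on a link whose host merely resembles the bank’s real domain. The following script, added here as an example and not taken from the original page, shows how such links can be classified automatically: a typo or homoglyph variant of the trusted name, a trusted name buried inside an unrelated host (examplebank.com.secure-login.net, or examplebank.com@evil.net where the real host follows the @), and a mismatch between the text a link displays and where it actually goes. The trusted domain examplebank.com and every sample link are constructed for illustration; the two-label rule for the registrable domain is a simplification, and production code should use the Public Suffix List.

```python
"""Classify links in a suspected phishing email by how their host
relates to a trusted domain.

Added example, not code from the original page. "examplebank.com" and
the sample links are constructed; real deployments should resolve
registrable domains with the Public Suffix List instead of the
two-label rule used here.
"""
from urllib.parse import urlparse

# Constructed: the domain the recipient genuinely banks with.
TRUSTED_DOMAINS = {"examplebank.com"}

# Common look-alike substitutions (digit/letter and letter-pair swaps).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def registrable_domain(host: str) -> str:
    """'login.examplebank.com' -> 'examplebank.com'.

    Assumes a one-label public suffix (.com, .net), which is wrong for
    suffixes such as .co.uk; see the module docstring.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize_homoglyphs(label: str) -> str:
    """Map characters that look alike onto the letter they imitate."""
    out = label.lower()
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted=frozenset(TRUSTED_DOMAINS)) -> str:
    """Return one of: 'trusted', 'lookalike', 'embedded-name', 'unrelated'.

    lookalike     - registrable domain is a typo/homoglyph/TLD variant
    embedded-name - trusted name appears in the host or in the userinfo
                    part of the URL, but the registrable domain differs
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "unrelated"
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    reg_name = reg.split(".")[0]
    labels = host.split(".")
    for t in trusted:
        t_name = t.split(".")[0]
        # Typo or homoglyph variant of the real name, or a swapped TLD.
        # Distance <= 2 is a heuristic; very short names need a tighter bound.
        if normalize_homoglyphs(reg_name) == t_name or edit_distance(reg_name, t_name) <= 2:
            return "lookalike"
        # examplebank.com.secure-login.net, examplebank.evil.net, or
        # http://examplebank.com@evil.net/ (userinfo before the real host).
        if t in host or t_name in labels or (parsed.username and t_name in parsed.username):
            return "embedded-name"
    return "unrelated"


def anchor_mismatch(display_text: str, href: str) -> bool:
    """True when the visible link text names one domain but the href goes to another."""
    shown = display_text.strip()
    if "://" not in shown:
        shown = "http://" + shown
    shown_host = urlparse(shown).hostname or ""
    real_host = urlparse(href).hostname or ""
    if not shown_host or "." not in shown_host:
        return False  # text such as "Click here" is not a URL; nothing to compare
    return registrable_domain(shown_host) != registrable_domain(real_host)


if __name__ == "__main__":
    # Constructed sample links of the kind the scenario above describes.
    for url in [
        "https://login.examplebank.com/verify",
        "https://examp1ebank.com/verify",
        "https://exarnplebank.com/verify",
        "https://examplebank.co/verify",
        "https://examplebank.com.secure-login.net/verify",
        "http://examplebank.com@evil.net/verify",
        "https://www.google.com/",
    ]:
        print(f"{classify_link(url):14} {url}")
    print(anchor_mismatch("https://www.examplebank.com", "https://examplebank.com.secure-login.net/"))
```

The ordering matters: the look-alike test runs before the embedded-name test so that a swapped TLD (examplebank.co) is reported as a look-alike rather than as a host that merely contains the bank’s name. The userinfo check exists because browsers send you to the host after the @, not to what precedes it, which is exactly what a reader skimming the link would miss.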

How can phishing be prevented?

No approach can guarantee absolute protection, but by staying informed and practicing cautious online behavior, you can significantly reduce the risk of falling victim to phishing attacks.

Educate yourself about phishing and common techniques
Verify the sender’s identity and don’t click on links or open attachments from unknown senders
Use multi-factor authentication (MFA)
Keep your software updated
Use a reputable security suite
Be cautious with personal information
Scrutinize urgent messages
Regularly monitor your accounts
Report suspicious messages
Train your team to recognize phishing attacks

What are recent examples of phishing?

Twilio, a customer engagement platform used by many businesses, fell prey to an attack in August 2022. In this breach, employees’ login credentials were stolen in a smishing attack. The attackers sent text messages that appeared to come from Twilio’s IT department, warning of expired passwords or schedule changes. The messages contained a link that, when clicked, took the employees to a fake Twilio single sign-on page. The employees who clicked the link then entered their login credentials, handing them over to the attackers. The attackers then used those credentials to gain access to Twilio’s internal systems and customer data.

In July 2022, a phishing scam compromised an employee’s email account at Allegheny Health Network. The attackers then used the employee’s credentials to access the personal and health information of approximately 8,000 patients. This data included names, dates of birth, dates of service, medical record numbers, medical history, mailing addresses, phone numbers, driver’s license numbers, and email addresses.

To learn how your company can prepare for phishing attacks, Contact Us Today!