Phishing is when an attacker deceives you into sharing sensitive information or providing access to important accounts or computer systems. Phishing can be through any communication channel, be it email, phone, text or even social media. The target is tricked into performing an action such as clicking a malicious link, downloading malicious files, sharing sensitive information or sending money.
While the list below is not exhaustive, the more common phishing attacks include:
- Email phishing: Attackers disguise themselves as a reputable person or a legitimate organization. They trick their target using a convincing pretense such as an account being compromised, nearing expiry or in danger of being deactivated. Or there may be an urgent request (e.g. to buy gift cards).
- Spear phishing: A personalized message targeting a specific individual or organization using personal information about the target such as interests, purchases and recent online activities.
- Whaling: Spear phishing that targets a big ‘phish’ such as senior executives or other high-profile individuals. They are chosen for the potential high pay-off, be it money or access to systems.
- Clone phishing: Attackers insert themselves into an existing otherwise legitimate conversation by copying a legitimate email (usually obtained from a prior breach) and modifying it to contain malicious content. The attack may appear to be a resend or update of the original email.
- Voice phishing or vishing: Attackers make automated phone calls typically claiming fraudulent activity or failed delivery attempts. Caller ID is spoofed to appear from a legitimate institution or from a local number.
- SMS phishing or smishing: Similar to email phishing, except the bait message is delivered via text messaging or other mobile messaging service.
Components of a phishing attack
The Canadian Centre for Cyber Security identifies three key steps in a phishing attack: the bait, the hook and the attack.
Whether an email, call or text, each message has been manipulated to appear legitimate in the hope targets will take the bait and fall for the scam.
Once the link is clicked, the target is redirected to the scammer's specially-crafted site. Once the attachment is opened, malware begins to execute. Once the number is pressed during the phone call, the target is connected directly to the scammer. In each case, the target is hooked.
The attacker has now stolen credentials and can now access the victim's account. Depending on the victim's role within the target organization, this may include access to sensitive data or critical systems. With malware installed, the attacker can gain control of the victim's device to steal data or initiate a ransomware attack. Or the victim may have sent money to the attacker. Even though the attack may be complete for now, the victim may remain vulnerable to future attacks.
How to protect yourself
Here are various steps you can take to protect yourself and your business from phishing attacks:
- Stop, look and think. If the answer is "yes" to any of the below, the message may not be legitimate.
- Did the message come from a strange email address? Is the domain name spelled incorrectly?
- Are there spelling and grammar errors, or is the formatting off?
- Are you being asked to act urgently?
- Verify links before clicking. Hover over the link to see if the URL matches what you expect. Best practice is not to trust links supplied in unsolicited emails but to visit the site using a well-known address or a trusted search engine. Also, don’t click “unsubscribe” on a spam/phishing email as this only alerts the attacker they have a “live” address.
- Avoid sharing sensitive information. Remember: legitimate businesses, financial institutions and governments should never ask for personal or confidential information over the phone, social media, email or text.
- Verify the message through a separate channel. If you’re unsure about legitimacy, contact the suspected source directly using a different or trusted method (e.g. the number on the back of your credit card, a number or email address obtained directly from the company’s website, or best, speak to someone in person).
- Use your email provider’s junk filters. Be extra careful with emails landing in junk / spam folder.
- When in doubt, report and delete.
Organizations should establish policies and procedures pertaining to phishing and to cyber security generally. Staff should report suspected phishing messages to their IT department or IT services provider. Schedule periodic phishing awareness training to ensure your team knows what to look for. Read more about proven cybersecurity best practices.
Beat phishing with Highway 99 Technology Solutions
Be aware. Never click the link from an email or text. Verify information through a separate, trusted method. Ultimately, if it looks too good to be true, it probably is.
Highway 99 can help. As part of our managed IT services we ensure your junk mail filtering is working to protect your firm from spam and phishing attacks. Contact us today to learn more about how we can help protect your organization against phishing and other types of digital threats.
Get the IT Support Your Business Deserves
"*" indicates required fields