Most people are familiar with phishing attacks. After all, they’re one of the most common forms of data breach around.
At their most basic, phishing attacks are attempts to steal confidential information by pretending to be an authorized person or organization. Standard phishing is not targeted. It relies on achieving a few successes out of hundreds or thousands of attempts. But because it’s so cheap to pull off, both in terms of effort invested and cost to conduct, even one person taking the bait make a campaign worth a malicious actor’s time.
But phishing has evolved. “Standard” phishing as we commonly think of it is now only a subsection of tactics carried out to achieve the same end: to swipe confidential information from an unsuspecting target in order to extract something of value.
To better be on guard across the diverse group of tactics that fall under the umbrella of phishing, users should be familiar with the ways these attacks are conducted.
If standard phishing is akin to trawling the High Seas to catch users indiscriminately, spear phishers are out for the trophy catch. Where most phishing attacks cast a wide net, hoping to entice as many users as possible to take the bait, spear phishing involves heavy research of pre-defined, high-dollar target—like a CEO, founder, or public persona—often relying on publicly available information for a more convincing ruse. When the target is sizeable enough, the CEO of a large, publicly traded company say, spear phishing is sometimes called ‘whaling.’
SMS-enabled phishing uses text messaging to delivering malicious links, often in the form of short codes to obscure the ultimate destination of a link, to ensnare smartphone users in their scams. The term is a portmanteau of SMS and phishing, and it’s an attractive method for cybercriminals because oh the high engagement rates for texts. According to some sources, SMS open rates are around 98% compared to 20% for email. Messages are often are often disguised as sweepstakes winnings, flash sales, coupon codes, and requests for charitable or political contributions.
Business Email Compromise (BEC)
One of the most expensive threats facing businesses today, business email compromise involves a phony email, usually claiming to be someone from within or associated with a target’s company, requesting a payment or purchase be made (often of gift cards). A “confidence game” according to the FBI, BEC attempts are often accompanied by a sense of high urgency to discourage critical thinking. Of the $3.5 billion the FBI estimates businesses lost to cybercrime in 2019, nearly half ($1.7 billion) was blamed on business email compromise.
Search Engine Phishing
In this type of attack, cyber criminals wait for you to come to them. Search engine phishing injects fraudulent sites, often in the form of paid ads, into results for popular search terms. These ads often promise amazing deals, career advancement opportunities, or low interest rates for loans. Remember, if it seems too good to be true, it probably is. Often, the only difference between the scam result and the one you’re looking for is a .com that should be a .org or a .org that should be a .gov. Be on the lookout for strange endings to URLs. It may be just a country-specific domain, but they can also be hiding something more sinister.
Protecting Yourself from Phishing Attacks
Protecting yourself from phishing attacks starts with knowing what’s out there. But while staying vigilant will keep most attackers at bay, no one can be 100% secure on their own. That’s why it’s important to use an antivirus that relies on up to date threat intelligence that can block these threats in real time as they are clicked. Also, it is imperative for businesses to train their users on the types of phishing attacks employees could fall for.
For more types of phishing attacks, real-world examples, and more tips for keeping yourself or your business safe from such attacks, download the 11 Types of Phishing Attack eBook.