It has been well established for years that phishing is one of the top online security concerns for organizations. In fact, according to statistics, phishing and ransomware cause the majority of the most catastrophic cyber incidents to date; a distant third is basic security hygiene, such as weak passwords. What makes phishing so noteworthy, and a topic that is constantly in focus at the world's most elite cybersecurity conferences, is that, unlike high-level threats such as ransomware, it is in essence a primitive scam. It is by far the simplest attack technique, yet it affects an enormous number of people, organizations, and governments each year, and it has worked for a long time. Phishing is often also referred to as a social engineering scam.
It is key to understand how phishing works, how much of the cybercrime damage suffered by organizations in every imaginable sector (and by regular internet users) it accounts for, and most importantly what needs to be done to stop it.
What is Phishing?
Phishing is an attack vector (technique) used exclusively by criminals in the digital realm for financial gain. It is the digital version of a common street scam, the kind a group of con artists might run in person. There is no limit to the attack surfaces (online platforms) phishing can affect, which is one reason it is so concerning. It preys on human gullibility and naivety, which is a second reason it is still so successful despite its almost nonexistent level of sophistication.
Phishing takes its name from the popular sport of fishing, because it is essentially the simple process of luring someone to take a bait dangling in front of them. How phishing works is easy to understand, and the most common form is phishing via email. A malicious email is sent in which the sender masquerades as someone else, the content is tailored to trick the victim, and the message carries a malicious attachment or link. Once the victim opens the attachment or clicks the link, the data on the user's computer can be compromised with malware or malicious downloads. A link in the email is also a way for cybercriminals to lure victims into giving up their data or granting access to their systems, for example by sending them to a spoof website.
According to law enforcement institutions like the FBI and others, phishing was the most commonly reported cyber attack in 2020, and phishing incidents are multiplying each year. Statistics show that almost all phishing attacks (around 96% of them) are delivered via email. The remaining 4 percent of social engineering attacks are what are called vishing and smishing (over the phone and via text message, respectively). The most elite types of phishing attacks are called spear-phishing; these involve a more professional approach from cybercriminals and are tailored to hit organizations or high-profile targets rather than the general public.
Technical Analysis of a Phishing Attack
As far as emails are concerned, the most common email subject lines that can be sent to any of us, and that are also commonly used for BEC (Business Email Compromise), are the following:
- An urgent request for something
- An important message
- A call for attention or action
- A call for payment of some sort
The most common infected email attachments are confirmed to be the following:
- .exe files
- Office documents
- Compressed RAR archives or ZIP files
A phishing attack aims to do the following:
- Steal credentials like PINs, usernames, and passwords
- Steal personal or medical credentials such as addresses, names, and insurance information
- Include a link to a fake (spoof) scam website
According to statistics, around $20,000 is lost to phishing attacks every minute. Millions of phishing emails are sent every year as part of automated campaigns that aim to steal as much information as possible, most often for financial gain.
How to Protect Yourself From Phishing
Protecting yourself from phishing involves several steps and digital safety practices that must be followed consistently: first recognizing a phishing scam, and then acting to secure yourself and your sensitive information. This means:
- Always check from whom you are receiving an email
- Avoid urgent emails at all costs
- Do not use third-party email clients
- Never download compressed attachments or click on shortened links
- Re-read any emails you are instinctively not sure about
- Check for spelling errors in the content of the mail and the sender information
- Mark any strange emails as spam
- Avoid using public Wi-Fi and opt for mobile data instead if you are traveling
- Verify that the sites you visit always include HTTPS and genuine SSL certificates
- Never click on pop-ups if you come across them
- Use a browser like Brave browser that intrinsically blocks malware and interception
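As an added example that is not part of the original article, here is a small Python triage script that applies the checklist above, plus the subject-line and attachment indicators from the Technical Analysis section, to a raw email message. The sample message, the urgency words and the shortener hosts are constructed for this example and are not from the article.

```python
import email.utils
import re
from email import message_from_bytes, policy

# Indicators taken from this page's checklist; the word and host lists are constructed for the example
URGENCY_WORDS = ("urgent", "important", "action required", "payment", "immediately")
RISKY_EXTENSIONS = (".exe", ".zip", ".rar", ".doc", ".docx", ".xls", ".xlsx")
SHORTENERS = ("bit.ly", "tinyurl.com", "t.co", "goo.gl")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Constructed sample (not a real campaign): urgent subject, Reply-To on another domain than From,
# a shortened plain-http link, and a ZIP attachment (body left empty; only the filename is checked)
SAMPLE = b"""From: "Payroll Department" <payroll@example-corp.com>
Reply-To: payroll-desk@example-mail.net
Subject: URGENT: payment confirmation required today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please confirm your details at http://bit.ly/confirm-now before 5pm today.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="invoice.zip"

--b1--"""

def _address_domain(header_value):
    # Lowercase domain of the first address in a header value, '' if the header is absent
    _, address = email.utils.parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()

def phishing_indicators(raw_message):
    """Parse a raw RFC 5322 message and return the checklist indicators it trips."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if any(word in (msg["Subject"] or "").lower() for word in URGENCY_WORDS):
        hits.append("urgent-subject")
    reply_domain = _address_domain(msg["Reply-To"])
    if reply_domain and reply_domain != _address_domain(msg["From"]):
        hits.append("reply-to-mismatch")  # replies are steered away from the apparent sender
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            hits.append("risky-attachment:" + name)
    body = msg.get_body(preferencelist=("plain", "html"))
    for url in URL_RE.findall(body.get_content() if body else ""):
        host = url.split("/")[2].lower()
        if host in SHORTENERS:
            hits.append("shortened-link:" + host)
        if url.lower().startswith("http://"):
            hits.append("plain-http-link:" + host)
    return hits
```

Run `phishing_indicators(SAMPLE)` to see every indicator the constructed message trips; a message with a plain subject, no Reply-To, no attachments and only HTTPS links returns an empty list.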
There are also other ways to protect yourself from phishing emails that involve some common sense and the aid of some cybersecurity tools. Today most of us use Gmail, and by and large it has a sufficient mechanism to protect against scams and phishing, but do not rely on it fully. You could look into using a more secure email client like Proton for your most sensitive conversations. Second, keeping all of your system software updated ensures that you have the latest software fixes that recognize phishing. You should also consider running a premium anti-malware program with real-time scanning capabilities in the background at all times. Additionally, using multi-factor authentication when accessing your email adds a layer of security that helps prevent future compromises. Finally, a Virtual Private Network (VPN) secures your most vulnerable and critical entry point, the network itself. If you browse the internet on mobile most of the time, you may search for cheap mobile proxies to ensure security.