How to identify and avoid phishing attacks
Advancing digitalization and the growing use of online services in private and business contexts have led to a rise in the number of phishing attacks. Phishing is now among the most common threats on the Internet and has serious consequences. In Germany, the damage caused by cyber attacks, for which phishing is one of the main entry points, amounts to over 200 billion euros per year, and the trend is rising. In addition to the financial losses that result from the theft of credit card data, bank data or access data, phishing can also lead to business interruptions, data protection breaches and damage to the company's reputation.
What phishing is exactly
Phishing is a form of Internet fraud in which scammers attempt to steal sensitive information such as passwords, usernames, credit card information, or other confidential data from users. They do this by creating fake emails, text messages or websites.
Typically the scammers pose as, for example, shipping companies or government agencies and ask recipients to open an attachment that contains malware. Or you are asked to click on a link that leads to a fake website that looks exactly like the real one, where you are supposed to enter confidential information.
A phishing attack is said to occur when:
- the attack is carried out via an electronic means of communication
- the attacker pretends to be a trustworthy person or company in order to mislead the victim
- the main objective is to obtain confidential information such as login credentials or credit card numbers from the victim.
Phishing is derived from the analogy of fishing, where bait is used to deceive unsuspecting Internet users.
Why phishing is a problem
Phishing is one of the most common and successful threats on the Internet and has serious consequences for both individuals and businesses.
According to Bitkom, attacks involving data theft, industrial espionage and sabotage cost the German economy 203 billion euros a year. In 2018/19, the figure was "only" 103 billion. Nine out of ten companies in Germany have been victims of data theft, espionage or sabotage. The authors of the Bitkom study expect digital attacks to continue increasing.
Of the more than 1,000 companies that were representatively surveyed across all industries on behalf of the digital association Bitkom, the following proportions were affected:
- 63% by theft of sensitive data (up 3 percentage points)
- 57% by spying on digital communications (up 5 percentage points)
- 55% by sabotage of systems or operating processes (up 3 percentage points)
More than half (51%) of these attacks are carried out by organized criminals and gangs. Three years ago, this share was just 21%.
Phishing attacks are also becoming more sophisticated: scammers keep refining their techniques, which makes the attacks harder for users to detect and avoid.
Effects of phishing attacks
Due to the multiplication of cyber threats, the business world is increasingly at risk. Cyber attacks represent the biggest business risk for entrepreneurs, business managers and leaders, according to the Allianz Risk Barometer 2022, an annual survey of corporate insurance professionals.
Impact on private individuals
Attackers usually try to obtain payment data, identity data or passwords directly from private individuals by phishing. Another method is the covert installation of malware, for example ransomware, which encrypts data and then demands a ransom, or bots that enlist the PC in a botnet. Such botnets allow the attacker to control the PC remotely and use it, for example, as a starting point for a further wave of infections.
Impact on businesses
In the business sector, phishing attacks usually target the company as a whole rather than individual employees, although the attack takes place via employees, because people are the weakest link in the security chain. Employees are deliberately targeted with phishing emails in order to elicit important information from them. Not only large companies with tempting revenues are on the cyber criminals' list of victims, but also small and medium-sized businesses, which often feel "safer" because they are less well known. The consequences are:
- Paralysis of the entire operation and its business processes
- Interruption of operations
- Blocking of systems and data
- Financial damage through access to accounts and extortion, but also through recovery and remediation of the damage
- Loss of data
- GDPR (DSGVO) violations
- Loss of reputation
What types of phishing there are
Phishing attacks can come in different forms and vary depending on the cybercriminals' goals and interests. For example, some types of phishing attacks aim to steal personal information such as usernames and passwords, while others aim to obtain financial information such as credit card numbers and banking details.
Email phishing
Phishing emails are the most common attack method used by criminals to get ransomware into companies. The attackers spoof a legitimate sender, such as your bank, and send the phishing email to a large number of recipients. The chances of success increase with the size or reputation of the supposed sender. The email addresses a topic that seems credible and evokes a strong emotional response, such as fear, curiosity or a sense of urgency. It asks you to reveal sensitive information, such as social security numbers, bank account numbers, credit card numbers or login credentials, or to download a file that infects your device or network. A common approach is to ask you to click on a link to update your profile; the link leads to a fake website where you enter your information. Or you are asked to open an attachment that seems legitimate (for example "invoice2022.xlsx") but delivers malware or malicious code to your device or network.
Spear phishing
Spear phishing is a more targeted form of email phishing in which the attacker addresses specific individuals or groups of individuals rather than sending a mass email to a large number of recipients. These individuals, who usually have access to sensitive data or network resources, are identified and researched by the spear phisher in advance. The information gathered about the targets is used to craft a personalized email that appears credible and convincing. It may contain details known only to the recipient, such as internal company information or personal data. The attacker may also use a fake email address that closely resembles the real sender's to gain the recipient's trust.
The goal of spear phishing varies: stealing credentials, infecting the recipient's device with malware or stealing financial information. Because of their personalized nature, spear phishing attacks can be more difficult to detect than mass phishing emails.
SMS phishing = smishing
SMS phishing, also referred to as smishing, is a type of phishing attack in which a scammer sends an SMS message to your cell phone in order to trick you into revealing sensitive information or clicking on a malicious link. The content of the SMS message may be similar to phishing emails and aim to convince you that you need to take urgent action to solve a problem or get a reward.
The SMS may contain a link that takes you to a fake website, or a link to a malware file that, once downloaded, infects your cell phone and allows the scammer to access your device and steal sensitive information.
Because SMS messages can be perceived as more personal and urgent than emails, victims are often more inclined to respond to the messages. SMS phishing attacks are also harder to detect than phishing emails because it is more difficult to verify the sender of an SMS message.
Whaling (emails to executives)
Whaling is a specific form of phishing attack that aims to target high-level individuals in a company or organization, such as executives, board members, or other decision makers. Unlike traditional email phishing, which targets a broader group of people, whaling focuses on specific individuals.
Whaling attacks typically use personalized information to gain the trust of targeted individuals and trick them into revealing sensitive information. The attacks can occur via email, SMS, or other channels and can masquerade as legitimate business communications, such as an inquiry from a business partner.
The goals of whaling attacks range from disclosing confidential company information to installing malware or ransomware. Because whaling attacks focus on executives, they can be harder to detect than traditional phishing attacks because they tend to be more personalized.
Internal phishing
Internal phishing, also known as "insider phishing", is a phishing attack sent from inside your organization, either by an employee or other insider with access to confidential information, or from a legitimate internal account that an attacker has already compromised. Unlike external phishing, where the attacker operates from outside the organization, internal phishing exploits the trust placed in internal communication channels to carry out the scam.
An example of internal phishing would be an email that purports to come from the company's IT department and asks recipients to update their credentials. Internal phishing attacks are harder to detect than external ones, so it is important to conduct comprehensive cyber security training for your employees and to maintain internal security policies and practices that prevent them.
Pharming
Pharming is a type of phishing attack in which fraudsters manipulate name resolution, for example the DNS settings or hosts file on the victim's computer or router, or a poisoned DNS resolver, so that the victim is redirected to a fake website. Unlike other phishing techniques, which have to lure the victim to the fake website via a link, pharming redirects the victim's computer even when the correct address is typed in, without the victim noticing. What the fake site normally cannot present is a valid TLS certificate for the real domain, so a browser certificate warning on a site you visit regularly must never be clicked away.
The goal is the same as with other phishing attacks: you are supposed to enter personal data such as usernames, passwords or credit card information into the fake website, where it is harvested by the cyber criminals. Pharming can also be used to install malware on the victim's computer or to add it to a botnet.
Vishing = phone phishing
Vishing is phishing over the phone: scammers try to obtain sensitive information from you by pretending to be a trusted person or institution. The name "vishing" is a combination of "voice" and "phishing".
The perpetrators usually use fake phone numbers and identities, posing as representatives of government agencies, banks, insurance companies or other organizations. They may also use caller ID "spoofing" to make the call appear to come from a trusted person or institution; in sophisticated cases the displayed name and number are those of the real organization. A practical check: hang up and call the organization back on a number you looked up yourself, never on one given to you during the call.
Social media phishing
Social media phishing is a form of cyber-attack in which attackers try to steal sensitive information from users on social media by creating fake profiles or pages to gain users' trust.
Attackers use various techniques to deceive you, such as fake friend requests to collect personal information or fake links to trick users into downloading malware or revealing their credentials.
Another common social media phishing attack is trying to trick users into installing fake apps that pretend to have useful features but actually contain malware or steal personal information.
If you suspect that you have fallen victim to a social media phishing attack, you should immediately report the scam to the relevant online platform and change your credentials to protect yourself from further attacks.
How to recognize phishing
The biggest challenge for companies and employees is recognizing a phishing email. Phishing emails rarely have obvious flaws that immediately give them away, so it is increasingly important that you and your employees read incoming mail attentively.
Suspicious email address or URL
Don't rely solely on the sender's display name. Check the actual email address to make sure the message really comes from that person or organization, especially with emails purporting to come from a financial institution or government agency. Reputable organizations use official addresses under their own domain with a well-known top-level domain. Bear in mind that both the display name and the From address can be forged; whether a message actually passed the sender domain's authentication checks (SPF, DKIM, DMARC) is recorded in the Authentication-Results header, which your mail gateway or client can evaluate.
Be wary of emails from unfamiliar domains or from addresses containing odd characters or transposed letters (for example a digit 1 in place of the letter l). These may indicate a fake sender. Scammers often register lookalike domains to make it appear that the email comes from a trusted source.
Calls for haste or urgency
Urgent calls to action or alleged missed deadlines are a psychological trick that is very common in phishing attacks: they are meant to pressure you into opening attachments or clicking on links. Words such as "immediately", "urgently" or "within 24 hours" are important warning signals.
Unusual attachments or links
If you do not know the sender, do not open the attachment or download the file. Even if the attachment looks "normal", it may contain ransomware that, once opened, spreads to your PC and the entire network. The same applies to links: at first glance they look like trustworthy links to "normal" websites, and even if the logo, image or short description look genuine, they lead to fake sites whose forms are designed to capture personal data. Before clicking, hover over the link to see the real target address and look at the domain immediately before the first single slash: "yourbank.com.example.net" belongs to example.net, not to yourbank.com.
Requesting personal or confidential data
If an email asks you to disclose sensitive data, such as the PIN of your bank card, it is very likely a phishing attempt. Legitimate requests for login data, account details or similar are not made by email.
Grammar and spelling errors
Until recently, phishing emails could be recognized at first glance by their obvious grammatical errors, but thanks to translation programs and chatbots this is no longer the case. Nevertheless, strange-sounding text or spelling mistakes remain a warning sign.
Impersonal salutation
Phishing attacks are often carried out on a large scale, with many recipients receiving the same email. Instead of a personal salutation, generic phrases such as "Dear Sir or Madam" or "Dear Customer" are used. This should make you suspicious: your bank, your business partners and public authorities do not send you mass emails, they address you by name. Conversely, a correct salutation is no proof of legitimacy, since spear phishers research their targets.
Mails in foreign language
If you receive an email in English from your tax office, you can assume it is a phishing attack. Unless you have an international business relationship, be wary of all emails in a foreign language.
You can see how creative cyber criminals are when writing phishing emails by looking at the examples at the BSI (German Federal Office for Information Security).
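Several of the checks in this section can be automated. The following Python script is an added example, not part of the original article or of any vendor product, that applies four of the indicators described above to a raw email: display name versus sender domain, visible link text versus the real link target (including punycode hosts), pressure wording, and risky attachment names. The two sample messages, the brand allow-list KNOWN_BRANDS and the keyword lists are constructed for the example, and the "last two labels" domain rule is a simplification of what a real tool would do with the Public Suffix List.

```python
"""Added example: heuristic phishing-indicator checks over a raw email.
Sample messages, allow-list and keyword lists are constructed for this example."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed allow-list: the registrable domain a brand legitimately mails from.
KNOWN_BRANDS = {"sparkasse": "sparkasse.de", "dhl": "dhl.de"}
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours",
                 "sofort", "dringend", "innerhalb von 24 stunden")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk", ".iso")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)

# Constructed phishing sample: brand in the display name, lookalike sender domain,
# link text that differs from the real target (a made-up punycode host),
# urgency wording in subject and body, and a double-extension attachment.
SAMPLE_EMAIL = b"""From: "Sparkasse Kundenservice" <service@sparkasse-sicherheit-login.com>
To: user@example.org
Subject: Ihr Konto wird innerhalb von 24 Stunden gesperrt
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please confirm your details immediately:
<a href="http://sparkasse.de.xn--kundenlgin-5rb.com/verify">https://www.sparkasse.de/login</a></p>
--b1
Content-Type: application/octet-stream; name="invoice2022.xlsx.exe"
Content-Disposition: attachment; filename="invoice2022.xlsx.exe"

MZ
--b1--
"""

# Constructed legitimate sample: nothing should be flagged.
CLEAN_EMAIL = b"""From: "Sparkasse" <info@sparkasse.de>
To: user@example.org
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<p>Log in as usual at <a href="https://www.sparkasse.de/login">https://www.sparkasse.de/login</a>.</p>
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (a real tool would consult the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_sender(msg) -> list[str]:
    """Display name claims a known brand, but the address is not under that brand's domain."""
    sender = msg["From"].addresses[0]
    sender_domain = registrable_domain(sender.addr_spec.rpartition("@")[2])
    return [f"sender: display name claims '{brand}' but address domain is {sender_domain}"
            for brand, real in KNOWN_BRANDS.items()
            if brand in sender.display_name.lower() and sender_domain != real]


def check_links(html: str) -> list[str]:
    """Punycode hosts, and link text that shows one domain while the href goes elsewhere."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        host = urlparse(href).hostname or ""
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(f"link: punycode (IDN) host {host}")
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_host = urlparse(shown if "://" in shown else "//" + shown).hostname
        if shown_host and "." in shown_host and registrable_domain(shown_host) != registrable_domain(host):
            findings.append(f"link: text shows {shown_host} but target is {host}")
    return findings


def check_urgency(msg, body_text: str) -> list[str]:
    """Pressure wording in subject or body."""
    haystack = ((msg["Subject"] or "") + " " + body_text).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    return [f"urgency: pressure wording {hits}"] if hits else []


def check_attachments(msg) -> list[str]:
    """Executable-type or double-extension attachment names."""
    return [f"attachment: risky or double-extension name {name}"
            for name in ((p.get_filename() or "").lower() for p in msg.iter_attachments())
            if name.endswith(RISKY_EXTENSIONS) or name.count(".") > 1]


def analyze(raw: bytes) -> list[str]:
    """Run all indicator checks on a raw RFC 5322 message; returns human-readable findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_content()
    text = re.sub(r"<[^>]+>", " ", html)
    return check_sender(msg) + check_links(html) + check_urgency(msg, text) + check_attachments(msg)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("!", finding)
    print("clean sample findings:", analyze(CLEAN_EMAIL))
```

Run against the phishing sample it reports five findings (sender mismatch, punycode host, link text/target mismatch, urgency words, risky attachment) and none against the clean sample. Such heuristics are a triage aid for analysts and mail-gateway rules, not a verdict: a well-researched spear phishing mail can pass all of them.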
How to protect yourself from phishing
Take a holistic approach to phishing and cybersecurity with effective protection from advanced technologies. AI-powered tools protect you from phishing, ransomware, or malware: URL and attachment protection and content control are essential features to securely protect your email gateway from outside threats.
Security software/email filter
Mimecast solutions protect against any type of phishing threat by scanning incoming emails in real-time and using AI to look for signs of fraud in the header, domain or message content. Mimecast's email security solutions are suitable for:
- Enterprises with complex email environments: Email Security, Cloud Gateway
- Organizations looking to protect their M365 environment: Email Security, Cloud Integrated
Use of strong multi-factor authentication
MFA (multi-factor authentication) is a sustainable way to protect against phishing attacks. MFA requires your users to authenticate via another factor in addition to a password or PIN, such as an SMS with a confirmation code, biometric authentication, or a security token app. This makes it more difficult for attackers to take over a user account or access enterprise systems, even if they stole the user's password.
Note, however, that many MFA methods do not protect against all types of phishing. Attackers can intercept an SMS code, or simply run a phishing site that relays the password and the one-time code to the real service in real time, before the code expires. The solution from the market leader AuthN by Idee protects you much more reliably, without additional hardware or software and without a second device.
AuthN by Idee's solution is not only phish resistant but proven phish proof. (Graphic: Not only Phish Resistant but Phish Proof MFA | AuthN by IDEE, getidee.com)
Phish-proof multifactor authentication (MFA) is a multi-step authentication process that ensures the entire user identity lifecycle, including registration, proof of identity, authentications, recovery, re-identification, and account termination, are immune to phishing attacks.
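The difference between an MFA factor that can be relayed and one that is bound to the site the user is really talking to is easiest to see in a small simulation. The following Python script is an added example, not code from the article or from AuthN by Idee or Mimecast: it implements RFC 6238 TOTP with the standard library, models an attacker-in-the-middle phishing site that forwards whatever the victim submits, and contrasts that with a credential whose response covers the origin the browser actually reports, as WebAuthn does. HMAC stands in for the authenticator's public-key signature, the origin and user names are constructed, and the single-use challenge bookkeeping is kept to a minimum.

```python
"""Added example: a relayed one-time code succeeds, an origin-bound credential fails.
Standard library only; HMAC replaces the public-key signature of a real authenticator."""
import hashlib
import hmac
import secrets
import struct
import time

REAL_ORIGIN = "https://bank.example"        # the genuine site (constructed)
PHISH_ORIGIN = "https://bank-example.com"   # lookalike run by the attacker (constructed)
TOTP_SEED = b"12345678901234567890"         # RFC 6238 test seed, shared with the OTP app
DEVICE_KEY = secrets.token_bytes(32)        # secret that never leaves the user's authenticator


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time window containing `at`."""
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def authenticator_sign(challenge: bytes, origin: str) -> bytes:
    """The user's device signs the challenge together with the origin the browser
    reports. On a phishing page that origin is the phishing site's, not the bank's."""
    return hmac.new(DEVICE_KEY, challenge + origin.encode(), hashlib.sha256).digest()


class RealSite:
    """The legitimate service, offering both login methods."""

    def __init__(self) -> None:
        self.users = {"alice": {"pw": "correct horse", "seed": TOTP_SEED, "device": DEVICE_KEY}}
        self.issued: set[bytes] = set()   # outstanding challenges

    def login_totp(self, user: str, password: str, code: str, now: int) -> bool:
        u = self.users[user]
        return password == u["pw"] and hmac.compare_digest(code, totp(u["seed"], now))

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self.issued.add(c)
        return c

    def login_bound(self, user: str, challenge: bytes, origin: str, mac: bytes) -> bool:
        if challenge not in self.issued or origin != REAL_ORIGIN:
            return False                  # unknown challenge, or browser was on another origin
        self.issued.discard(challenge)    # each challenge is single use
        expected = hmac.new(self.users[user]["device"], challenge + origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)


class AitmProxy:
    """Attacker-in-the-middle phishing site: forwards whatever the victim submits.
    It never learns DEVICE_KEY, so it cannot produce a MAC of its own."""

    def __init__(self, site: RealSite) -> None:
        self.site = site

    def relay_totp(self, user: str, password: str, code: str, now: int) -> bool:
        return self.site.login_totp(user, password, code, now)   # relayed within the 30 s window

    def relay_bound(self, user: str, challenge: bytes, origin: str, mac: bytes) -> bool:
        # Forward the captured response as is, then retry with the origin string rewritten.
        return (self.site.login_bound(user, challenge, origin, mac)
                or self.site.login_bound(user, challenge, REAL_ORIGIN, mac))


def simulate(now: int) -> dict:
    site = RealSite()
    proxy = AitmProxy(site)
    # 1) Password and current OTP typed into the phishing page: the proxy replays them.
    totp_relayed = proxy.relay_totp("alice", "correct horse", totp(TOTP_SEED, now), now)
    # 2) Origin-bound login through the phishing page. The proxy fetched the challenge from
    #    the real site, but the victim's browser reports PHISH_ORIGIN to the authenticator.
    c = site.challenge()
    bound_relayed = proxy.relay_bound("alice", c, PHISH_ORIGIN, authenticator_sign(c, PHISH_ORIGIN))
    # 3) The same credential used directly on the real origin works.
    c = site.challenge()
    bound_direct = site.login_bound("alice", c, REAL_ORIGIN, authenticator_sign(c, REAL_ORIGIN))
    return {"totp_relayed": totp_relayed, "bound_relayed": bound_relayed, "bound_direct": bound_direct}


if __name__ == "__main__":
    print(simulate(int(time.time())))
```

The relayed OTP is accepted because the code carries no information about where the user typed it; the bound response is rejected both as captured (wrong origin) and after the proxy rewrites the origin (MAC no longer verifies). That is the property behind the terms phishing resistant and phish proof: the secret never leaves the device, and what it signs includes the origin, so a lookalike site cannot obtain anything usable against the real one.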
Training and sensitization: awareness training
A majority of cyber breaches happen due to human error, so the human factor is the biggest target for phishing attacks. Attackers try to exploit people's weaknesses and behaviors. Phishing attacks rely on social engineering, which means attackers try to manipulate people to get them to disclose sensitive information or perform malicious actions.
Through training and awareness training, you can better prepare your employees to recognize phishing attacks and respond appropriately to minimize the risk of successful attacks.
Training and security education are usually lengthy, not memorable and met with resistance from employees. Not so with the new training concept from Mimecast: funny, entertaining, extremely short sessions of Hollywood quality keep your employees up to date on cyber security and turn them into a strong human firewall. The clips show the types of email attack and how to respond to them, and are continually refreshed to reflect the latest state of cybercrime. Effective and easy, because a dashboard lets you evaluate and track progress. When you increase your employees' security awareness and knowledge, you:
- measurably reduce your risk
- promote your security culture
- identify risks in real time