What is a phishing attack?
A phishing attack is a fraudulent attempt to gain confidential information from an email user. It generally involves emails that are crafted to imitate a legitimate business, bank or email provider, by replicating the branding and design of their communications. With advanced technology, phishing attacks are becoming increasingly convincing. The purpose is to trick the recipient into freely providing sensitive data, such as:
- Credit card information
- Network information
This kind of cybercrime is widespread and affects both individuals and organisations. Although most directly associated with spam emails, phishing scams can be highly sophisticated. What’s more, the purpose of a phishing attack is not always financial gain.
How a phishing scams works
In the simplest of terms, this is how phishing works:
- A cyber-criminal will use spamming and mass-mailing to gather email addresses from customers or employees of a legitimate business.
- The phisher will then digitally impersonate the company. This will likely involve cloning their website and mimicking their official email addresses.
- The attack begins with a message to the victim, prompting them to divulge their information to the phony website or email address.
- The personal information is then used to commit identity theft and fraud.
Much like an old-fashioned conman, the core precept of phishing is to convince the target that your website or email message is trustworthy and reliable – encouraging them to volunteer their private information. Unaware of the devious techniques cyber criminals use to gain our information, many victims are none the wiser that they have fallen victim to a scam. This nature of cyber-attack has the potential to be incredibly financially and reputationally damaging for a business. It’s important to understand what a phishing attack is and how one may present itself so that you can be protected and prepared.
What is Phishing?
Learn how phishing can harm your business
Key statistics from 2019 can help to illustrate the real threat phishing can pose:
- 32% of all data breaches involve phishing.
- Companies are three times as likely to suffer a digital breach through a social attack (such as phishing and pretexting) than via technical vulnerabilities.
- Malware is present in two-thirds of phishing attacks.
- Click rates for phishing attacks sit at roughly 3%.
- Clearly, phishing is a digital threat which should be taken seriously by both businesses and individuals. So why is phishing still such a successful method of gaining access to people’s information?
One reason may be a lack of understanding around what phishing actually is. Most of us know better than to reply to an email from a foreign prince – but what about opening an email from your favourite on-demand streaming service, entitled ‘Account Deactivated’? Would you consider your actions before clicking on a link in that email? Or would your emotional response override your caution?
It’s not just the gullible and naïve that fall for these scams, phishing can – and does – trick even the most digitally accomplished of people.
Phishing examples and what to look for
Phishing can be executed in numerous different ways, based on who is being targeted and what the hacker hopes to achieve – for example, steal financial details or gain access to a system holding sensitive data. They’ll often come from websites that you use regularly, which can make them tricky to spot. Some examples of email phishing attacks include:
- Deceptive phishing – Where the scammer will rely on close mimicry of a legitimate business’ official correspondence email or website. Past examples have included household names such as Netflix, PayPal and Amazon asking for urgent verification of accounts, or offering unexpected refunds.
- Spear phishing - This is where the attack is highly personalised to the victim, often featuring their name, position and company name. Often these will be cyber-criminals posing as the HRMC – offering a tax rebate, for example – or as a bank, or another trusted institution.
- Whaling attack – Also known as CEO fraud, whaling attacks target CEOs and top executives, aiming to compromise the individual’s email account and use it to commit fraud. These attacks take advantage of the power these individuals wield within their organisations, using an informal approach to inspire trust.
- Pharming – Scammers redirect users of an authentic website to a malicious website, where they are prompted to enter their details. One of the most advanced methods of phishing, it can be incredibly hard to detect if you are being ‘pharmed’ out from a legitimate website to a malicious one.
- Google doc and Dropbox phishing – Some phishing attacks target specific services, such as Dropbox and Google Docs. The victim will receive an email informing them that they’ve been sent a file through one of these platforms and asked to enter their login details – these details will then be used to hijack the account.
Spotting a phishing attack can be tough – especially as spoof websites and email messages become increasingly sophisticated - but it helps to know what to look for. This is where protection and training come into play.
You can identify phishing attacks by looking for phrases such as ‘reset your password’ or ‘verify your account’ in the email. If you receive a suspect email, don’t open any attachments or click any links. If you’re unsure about its validity, you can forward it to the business it is allegedly from so that they can confirm whether or not it is legitimate.
Investing in up-to-date phishing protection software will also help to defend you from malicious scams. A good programme will scan inbound emails for indications of fraud, notifying the recipient of anything suspicious. Look for software that also scans emails for malicious URLS and any weaponised attachments. Furthermore, you could consider cyber insurance, which would cover your business for both current and future cyber risks. This form of insurance can cover the cost of investigating a cybercrime, recovering any lost data and recovering computer systems after a security breach, extortion payments demanded by hackers and any loss of income incurred by a business shutdown.
Phishing email training
For businesses it’s crucially important that all staff are trained to understand the threats of phishing and how to identify potential scams. Whether training is run internally, or by an external training provider, it’s vital information for everyone from the interns, right up to the CEO.
Phishing scams depend on individuals being fooled by scammers’ cons. So by making sure that every member of your business is aware of the techniques that phishers use, and alert to the threat they can pose, you’re adding a much needed layer of protection to your business.
What to do if a phishing attack is done in your name
While businesses need to be clued up about the signs to look for when targeted by phishing attacks under other businesses’ names, it’s also essential that you know what to do if a phishing scam were to be set up in your business’ name.
The most important thing to do when you become aware of a phishing scam masquerading as your business, is to alert your customers. By publishing a list of genuine email addresses used for customer communications on your website, customers can better identify phony email addresses. You may also wish to provide a contact email address for customers to forward on suspicious emails, so that you can quickly identify fishing attacks.
Our cyber and data risk insurance is designed to cover your business for costs associated with data recovery, reputation management, GDPR investigations and business interruption. For more information on the common cyber threats and how to safeguard your business, read the rest of our cyber security and protection FAQs.