What is a phishing attack?


Hiscox banner shape mask mobile Hiscox banner shape

Phishing is a type of cyber-attack in which criminals use email, instant message or SMS to trick people into giving up personal data, usually by clicking a malicious link. Due to advancing technology, phishing emails are becoming increasingly convincing, so this type of cybercrime is on the rise.

Phishing is also a tool that hackers use to launch ransomware attacks, which see organisations locked out of files and held to ransom for access. A phishing attack attempts to trick employees into freely providing data such as usernames, passwords, bank account details and information about the network.

 

 

How and why is a phishing attack performed?


Phishing typically involves the following steps:

  1. A cyber-criminal uses spamming and mass-mailing to gather email addresses from customers or employees of a legitimate business
  2. The phisher then digitally impersonates the company. This will likely involve cloning their website and mimicking official email addresses
  3. The attack begins with a message to the victim, prompting them to divulge information to the impostor website or email address, for example, by logging in
  4. The personal information is then used to commit identity theft, fraud or for other malicious purposes

Phishing is becoming more commonplace in the business world, especially as so many businesses now deal in data. The goal of phishing is usually for financial gain – a hacker might use data to siphon money from your accounts or sell it to competitors on the dark web. 

This isn’t always the case – corporate phishing is sometimes used as a method for ‘hacktivism’, a practice where hackers steal data in order to expose faults in a company’s IT infrastructure or to express opposition to business activities. Sometimes, phishing is also used for corporate spying.

For the affected business, falling prey to a phishing attack means financial and reputational damage. In recent times, the Covid-19 crisis has seen a rise in fresh scams.

Phishing statistics


Receiving a suspicious email is a common occurrence. In fact, companies are now more likely to suffer a digital breach through a social engineering attack (such as phishing and pretexting – a type of scam in which information is stolen under the guise of confirming an identity) than via technical vulnerabilities.

This type of cyber-attack is stealthy and successful because it preys on emotions and instincts of the victim. Though two-thirds of phishing attacks feature malware, no antivirus software can prevent your staff clicking a convincing link.

Click rates for phishing attacks sit at roughly 3% and even the most digitally adept employees can fall prey to emails impersonating clients, suppliers or industry subscription services.

Statistics from the Government’s Cyber Security Breaches Survey 2020 (external link) highlight the threat phishing can pose:

  • Phishing is the most common form of cyber-attack in the UK. Five times more businesses now face phishing than attacks from viruses
  • The proportion of British businesses experiencing a phishing attack has risen from 72% to 86% since 2017. This means almost 9 out of 10 organisations have been targeted
  • Phishing doesn’t only affect the for-profit sphere – 85% of charities faced phishing in 2019
  • Phishing affects small businesses, too – and the average cost of fixing a successful cyber-attack was £3,110 for small and micro organisations in 2019

Phishing examples


Phishing messages often seem to come from familiar websites, making them tricky to identify. But, understanding what a phishing attack is can be the first step to protecting your business.

Phishing is presented in many forms. A hacker intending to steal financial details will often use different techniques compared to someone hoping to gain access to a system holding sensitive data. 

The most common phishing examples include deceptive phishing and spear phishing, both of which typically arrive via email. 

  • Deceptive phishing involves impersonating a legitimate organisation to dupe someone into clicking a link, entering details or making a payment. In the past, scammers have posed as companies such as Netflix, PayPal and Amazon – often with convincing attention to detail. The most famous example came in 2016, when scammers posing as Taiwan-based Quanta Computer swindled tech giants Facebook and Google out of $100m (external link) using fake invoices
  • Spear phishing goes a step further by personalising emails to the victim. These emails often feature a name, position and company name, making them appear legitimate. A spear phishing attack typically poses as a trusted organisation, such as a bank or HMRC. Sometimes, spear phishing campaigns target a certain sector to spy on key players, as was the case in 2020, when targeted emails installed spyware at several oil and gas companies around the world
  • Whaling attacks come from ambitious fraudsters who want to target the highest-paid members of a business. This type of phishing is also called CEO fraud, and it preys on senior business executives. Since gaining access to a C-suite computer, or the sensitive business information such a device may contain, is so valuable to hackers, a whaling email often uses more sophisticated language and imagery than other scam emails. A staggering $12bn was siphoned from CFOs (external link) between 2013 and 2018 across the UK, US and Europe using this technique
  • Pharming is a form of phishing which redirects users from an authentic website to a devious replica site, where they are prompted to enter details. This is one of the most advanced methods of phishing, so it can be hard to tell when you are being ‘pharmed’ out to a fraudulent website. In 2019, British Airways made headlines when a pharming attack went undetected for several months
  • Google doc and Dropbox phishing targets employees who are familiar with cloud-based storage by telling them they’ve been sent a file and requests login details. Most notoriously, millions of Google Docs users across the world were targeted in unison back in 2017

How to prevent phishing attacks


Wondering how to prevent phishing? When it comes to bolstering your cyber security, knowledge is power – so knowing how to spot suspicious signs is the first step.

A sense of urgency is common in many types of phishing emails, as are phrases asking you to ‘reset your password’ or ‘verify your account’. If you aren’t sure about an email’s authenticity, forward it to the business it is allegedly from to check it’s legitimate before clicking any links.

In business, phishing email training is a smart way to ensure all staff know the warning signs. This training can be handled internally or outsourced – either way, the important thing is that every member of your team, from interns to the CEO, stays in-the-know.

The Hiscox CyberClear Academy is an online suite of training modules which comes as part of our cyber and data insurance packages for all team members to access.

Investing in up-to-date phishing software will also help to defend your business from malicious scams. A good programme will scan inbound emails for indications of fraud, notifying the recipient of anything suspicious.

Taking out cyber insurance has the added benefit of financing your recovery from a cyber-attack if the worst should happen and you lose money to cybercrime.
 

What to do if a phishing attack is done in your name


Phishing can attack businesses from both sides, so it’s also important to know how to react if a phishing campaign uses your company name, logo or branding. 

If you notice suspicious emails which claim to be from your business, the first thing to do is notify your customers. Publish a list of genuine customer service and enquiries email addresses on your website so clients can identify the real from the fake. Asking customers to notify you of any suspicious behaviour gives them reassurance and helps you to react to cyber-attacks more quickly.

Our cyber and data risk cover is designed to cover your business for costs associated with data recovery, reputation management, GDPR investigations and business interruption. For more information on the common cyber threats and how to safeguard your business, read our other cyber security and protection FAQs.

Related guides & FAQs


cyber insurance laptop in the dark


What is cyber insurance?

Protecting your business against cyber threats is about being prepared for any eventuality.

Read our cyber insurance FAQs to find out how cover could help your business.

ransomware tablet image


What is ransomware?

It’s a dreaded scenario for any business owner – someone clicks a phishing link, and you find yourself locked out of files holding sensitive client data. What’s more, the hacker is demanding cash.

Read our FAQ guide to learn more about ransomware.

 

SQL injection attack laptop keyboard


What is an SQL injection attack?

This is one of the most common hacking techniques, but do you understand it? SQLs are also known as structured query language attacks. 

Learn more about what an SQL injection attack can do to your databases with our guide.