What is a phishing attack?

A phishing attack typically involves the following steps:

1. A cyber-criminal uses spamming and mass-mailing to gather email addresses from the customers or employees of a legitimate business
2. The phisher then digitally impersonates the company. This will likely involve cloning their website and mimicking official email addresses
3. The attack begins with a message to the victim, prompting them to divulge information to the impostor website or email address – for example, by logging in
4. The personal information is then used to commit identity theft, fraud or for other malicious purposes.

Phishing is becoming more commonplace in the business world, especially as so many businesses now deal in data. The goal of phishing is usually for financial gain – a hacker might use data to siphon money from your accounts or sell it to competitors on the dark web. 

This isn’t always the case – corporate phishing is sometimes used as a method for ‘hacktivism’, a practice where hackers steal data in order to expose faults in a company’s IT infrastructure or to express opposition to business activities. Sometimes, phishing is also used for corporate spying.

For the affected business, falling prey to a phishing attack means financial and reputational damage. In 2020 and 2021, the Covid-19 crisis saw a rise in fresh scams.

Although sometimes hard to spot, phishing attacks often have common features. These can be useful signs to look out for in emails.

You might notice you’ve been addressed in an unusual way, that a logo may look strange or a spelling mistake in the email text. The offer could sound too good to be true, or the email may contain a sense of urgency.

Five signs of a phishing attack (external link) are:

1. Unusual greetings or mistakes – does the email contain grammatical or spelling errors? Is it addressed to you personally or generically? Language such as ‘colleague’ or ‘customer’ may be a sign the email isn’t what it seems.
2. Email address or URL discrepancies – is the sender trying to mimic your client, supplier, or another organisation? Check the sender’s name and email address to verify these match your expectations, as well as the URLs behind any links.
3. Graphics errors – do logos and graphics look similar to the official source? Inspect these closely. You might spot mistakes that reveal the email as part of a phishing scam.
4. A sense of urgency – phishing attacks often contain threats that prompt urgent action. It might be a bank saying it needs your details within a set time – and the account will be closed without this. Official sources will never ask you to share personal information via email.
5. Tempting offers – phishing scammers may use ‘too good to be true’ tactics to get you to click a link. It could be a free holiday or discounted designer items – or, for a small business, a tempting grant, loan, or investment opportunity.

Receiving a suspicious email is a common occurrence. In fact, this type of social engineering is how most cyber attackers gain access to an organisation’s networks, according to a recent government report[2]. Social engineering may be a phishing attack or pretexting – a type of scam in which information is stolen under the guise of confirming an identity.

This type of cyber attack is stealthy and successful because it preys on the emotions and instincts of the victim. Unfortunately, no antivirus software can prevent your staff clicking a convincing link.

Even the most digitally adept employees can fall prey to emails impersonating clients, suppliers, or industry subscription services.

Statistics from the government’s Cyber Security Breaches Survey 2022 (external link)[3] highlight the threat phishing can pose:

• Phishing attacks are the most common form of cyber attack in the UK and provide the highest threat vector for businesses
• 63% of businesses and 70% of charities consider phishing attacks to be the most disruptive types of attack
• British businesses experiencing a breach or attack in the past 12 months reported a rise in phishing attacks from 72% to 83%
• Phishing doesn’t only affect the for-profit sphere – 87% of charities faced phishing during 2021
• Cyber training is becoming increasingly important – 93% of businesses and 89% of charities have engaged with the government’s ‘10 steps to cyber security’ guidance
• Training or mock phishing exercises are undertaken by both businesses (29%) and charities (25%).

Phishing messages often seem to come from familiar websites, making them tricky to identify. However, understanding what a phishing attack is can be the first step to protecting your business.

Phishing is presented in many forms. A hacker intending to steal financial details will often use different techniques compared to someone hoping to gain access to a system holding sensitive data. 

The most common phishing examples include deceptive phishing and spear phishing, both of which typically arrive via email. 

• Deceptive phishing involves impersonating a legitimate organisation to dupe someone into clicking a link, entering details, or making a payment. In the past, scammers have posed as companies such as Netflix, PayPal and Amazon – often with convincing attention to detail
• Spear phishing goes a step further by personalising emails to the victim. These emails often feature a name, position, and company name, making them appear legitimate. A spear phishing attack typically poses as a trusted organisation, such as a bank or HMRC. Sometimes, spear phishing campaigns target a certain sector to spy on key players
• Whaling attacks come from ambitious fraudsters who want to target the highest-paid members of a business. This type of phishing is also called CEO fraud, and it preys on senior business executives. Since gaining access to a C-suite computer, or the sensitive business information such a device may contain, is so valuable to hackers, a whaling email often uses more sophisticated language and imagery than other scam emails
• Pharming is a form of phishing which redirects users from an authentic website to a devious replica site, where they are prompted to enter details. This is one of the most advanced methods of phishing, so it can be hard to tell when you are being ‘pharmed’ out to a fraudulent website
• Google doc and Dropbox phishing targets employees who are familiar with cloud-based storage by telling them they’ve been sent a file and requests login details.

Sometimes, attacks make headlines. Examples of notable phishing events include:

• Deceptive phishing – in 2016, scammers posing as Taiwan-based Quanta Computer swindled tech giants Facebook and Google out of $100m (external link) using fake invoices
• Spear phishing – in 2020, targeted emails installed spyware at several oil and gas companies around the world
• Whaling – a staggering $12bn was siphoned from CFOs (external link) between 2013 and 2018 across the UK, US and Europe using this technique
• Pharming – In 2019, British Airways made headlines when a pharming attack went undetected for several months
• Cloud phishing – Most notoriously, millions of Google Docs users across the world were targeted in unison back in 2017.

Wondering how to prevent a phishing attack? When it comes to bolstering your cyber security, knowledge is power – so knowing how to spot suspicious signs is the first step.

Be wary of urgency and trigger phrases

A sense of urgency is common in many types of phishing emails, as are phrases asking you to ‘reset your password’ or ‘verify your account’.

If you aren’t sure about an email’s authenticity, forward it to the business it is allegedly from to check it’s legitimate before clicking any links.

Implement staff training

In business, phishing email training is a smart way to ensure all staff know the warning signs. This training can be handled internally or outsourced. Either way, the important thing is that every member of your team, from interns to the CEO, stays in the know to avoid phishing attacks.

The Hiscox CyberClear Academy is an online suite of training modules which comes as part of our cyber and data insurance packages for all team members to access.

Invest in phishing software

Investing in up-to-date phishing software will also help to defend your business from malicious scams. A good programme will scan inbound emails for indications of fraud, notifying the recipient of anything suspicious.

Taking out cyber insurance has the added benefit of financing your recovery from a cyber-attack if the worst should happen and you lose money to cybercrime.

Phishing can attack businesses from both sides, so it can also be important to know how to react if a phishing campaign uses your company name, logo, or branding. 

Notify your customers

If you notice suspicious emails which claim to be from your business, the first thing to do is notify your customers.

Quality, clear communication could make a huge difference for maintaining your reputation during this time. Your customers will appreciate having the situation explained to them – this may be key to retaining their business.

Clarify official business email details

Publish a list of genuine customer service and enquiries email addresses on your website so clients can identify the real from the fake.

Swiftly providing this information can be helpful for your customers. Cyber incidents are inconvenient for everyone involved, so try to make recovery as smooth as possible for your clients and partners.

Inform customers to report suspicious activity

Asking customers to notify you of any suspicious behaviour gives them reassurance and helps you to react to cyber attacks more quickly.

The sooner both customer and organisation are empowered with knowledge, the better. This can even help to prevent potential breaches entirely. The customer will also feel they have more control over the situation if they’re quickly informed.

Arrange business insurance

Our cyber insurance is designed to help cover your business for costs associated with data recovery, reputation management and optional support with the cost of related disruption. Optional cyber business interruption cover can help in different ways depending on your business' annual turnover.

For more information on the common cyber threats and how to safeguard your business, read our other cyber security and protection FAQs.

[1] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2022/cyber-security-breaches-survey-2022

[2] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2022/cyber-security-breaches-survey-2022

[3] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2022/cyber-security-breaches-survey-2022