Here’s a sobering statistic: according to the US Cybersecurity and Infrastructure Security Agency (CISA), approximately 90% of all cyberattacks start with a phishing attempt.
Phishing is easily the most common source of data breaches globally, with over 3.4 billion phishing emails sent per day. While 90% to 99% of all attempts are blocked or otherwise thwarted, even a single successful attack can be debilitating: on average, a business that falls victim to just one phishing-induced data breach will lose an estimated $4 million.
Given the frequency and severity of phishing attacks, staying informed is critical. In this article, we break down what phishing is and how it works. We provide examples of phishing in practice, talk about how to identify scams in action, and discuss what you can do to prevent you and your business from falling victim to this all-too-common type of attack.
Phishing is a type of cyberattack that relies on consumer naiveté. Posing as trusted senders, scammers attempt to deceive unsuspecting victims into voluntarily divulging sensitive information.
Phishing attacks can involve different communication channels like email, text message, or voicemail, but they all begin with some form of impersonation or deception. If successful, phishing results in identity theft, account takeovers, or data breaches.
Depending on the victim (and the potential for profit), scammers may use one or multiple tactics to bait their recipients. Run-of-the-mill email and text message scams are the most common, but more sophisticated attacks can be specifically aimed at a particular business or individual. Spear-phishing is a good example of a targeted attack.
Other attacks, like whaling, take things a step further by specifically impersonating a company’s CEO or another top executive. These attacks can lead to devastating business email compromise (BEC) scams, potentially costing merchants millions of dollars per incident.
Phishing can create chaos for the payments ecosystem at large, and result in dramatic losses for cardholders and financial institutions individually. Merchants, for example, ultimately bear the brunt of unauthorized activity involving debit and credit cards, and may experience lost sales, lost inventory, and chargeback fees as a result.
Financial institutions, on the other hand, could incur reputational damage, fines from regulators, and higher operating costs. Phishing attacks aimed at cardholders can lead to identity theft, financial disruption, and emotional distress. They can also trickle down and cause additional losses for merchants.
A single phishing attack can have devastating consequences for a business and its stakeholders. For example, Sandworm’s 2015 phishing attack, which was aimed at power distributor Kyivoblenergo, caused over 200,000 Ukrainians to lose power.
Another 2015 phishing attack, this one directed at Ubiquiti Networks, cost that company nearly $39 million in losses. A similar scam that targeted Austrian aerospace and defense company FACC AG resulted in the loss of over 50 million Euros… as well as the termination of the company’s CEO.
Although phishing attacks are becoming more sophisticated and difficult to spot, you can still rely on some tried-and-true red flags to catch many of them before they succeed.
Generic greetings, suspicious sending domains, unusual attachments or hyperlinks, and obvious spelling and grammatical errors are telltale signs of phishing. Unusual threats can also be a tipoff, but one of the most common elements is a questionable sense of urgency: insisting the victim must respond immediately to avoid serious consequences.
Preventing phishing scams requires a comprehensive approach. You’ll need to layer together fraud awareness training, technology, and secure internal policies. Email security and sender verification, along with simulated phishing attacks, can help you safeguard your business from CEO scams and other targeted attempts.
Staff education and restricted access to financial data are good prevention tools. Phishing incident response plans that emphasize compartmentalization and swift action can help you contain the fallout if you ever do suffer a breach.
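The red flags listed above (generic greetings, a sending domain that does not match the claimed sender, links whose visible text differs from their real target, unusual attachments, urgency language) and the sender-verification checks mentioned in the prevention section (SPF, DKIM and DMARC results, which a receiving mail server records in the Authentication-Results header) can all be checked mechanically. The script below is an added example, not code from the article or from any vendor it mentions: it parses a raw email with Python's standard library and reports which indicators it finds. The two sample messages are constructed for illustration, and the keyword lists and the "last two labels" domain comparison are simplifying assumptions, not a production filter.

```python
"""Heuristic phishing-indicator scan for a raw email message (added example)."""
import re
from email import message_from_string, policy

# Constructed sample: a phishing message with several red flags. Not a real capture.
SAMPLE_PHISH = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk-mailer.example; dkim=none; dmarc=fail header.from=examplebank.com
Return-Path: <noreply@bulk-mailer.example>
From: "Example Bank Security" <alerts@examplebank.com>
To: customer@example.org
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>We detected unusual activity. You must verify your account immediately
or it will be permanently suspended.</p>
<p><a href="http://examp1ebank-verify.example/login">https://www.examplebank.com/login</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="Statement.pdf.exe"
Content-Disposition: attachment; filename="Statement.pdf.exe"

MZ...
--b1--
"""

# Constructed sample: a legitimate notification with passing authentication results.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com; dmarc=pass header.from=examplebank.com
Return-Path: <alerts@examplebank.com>
From: "Example Bank" <alerts@examplebank.com>
To: customer@example.org
Subject: Your March statement is available
Content-Type: text/plain; charset="utf-8"

Hello Jordan, your statement for March is ready in online banking.
Sign in as usual at the address you have bookmarked.
"""

# Illustrative keyword lists (assumptions, not a tuned ruleset).
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify your account", "act now")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "valued customer")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.I)

def _domain(addr):
    """Lowercase domain part of an address such as 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""

def _registrable(host):
    """Crude approximation of the registrable domain: the last two labels."""
    return ".".join(host.lower().split(".")[-2:])

def scan_message(raw):
    """Return (indicator_count, findings) for a raw RFC 5322 message string."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender verification results stamped by the receiving mail server.
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1) if m else "missing"
        if result != "pass":
            findings.append(f"{mech} result is '{result}'")

    # 2. Displayed From domain vs. envelope sender (Return-Path) domain.
    from_dom, rp_dom = _domain(msg.get("From")), _domain(msg.get("Return-Path"))
    if from_dom and rp_dom and _registrable(from_dom) != _registrable(rp_dom):
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")

    # 3. Body: generic greeting, urgency language, link text that hides its real target.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lowered = text.lower()
    subject = (msg.get("Subject") or "").lower()
    if any(g in lowered for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    urgency_hits = [w for w in URGENCY_WORDS if w in lowered or w in subject]
    if urgency_hits:
        findings.append("urgency language: " + ", ".join(urgency_hits))
    for href, label in ANCHOR_RE.findall(text):
        href_host, label_host = URL_HOST_RE.match(href.strip()), URL_HOST_RE.match(label.strip())
        if href_host and label_host and _registrable(href_host.group(1)) != _registrable(label_host.group(1)):
            findings.append(f"link shows {label_host.group(1)} but points to {href_host.group(1)}")

    # 4. Attachments with executable extensions, including double extensions.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name}")

    return len(findings), findings

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        count, hits = scan_message(sample)
        print(f"{label}: {count} indicator(s)")
        for h in hits:
            print("  -", h)
```

The constructed phishing sample trips every check (failed SPF/DMARC, mismatched sender domains, generic greeting, urgency wording, a link whose text names the bank while its target is a lookalike host, and a double-extension attachment), while the legitimate sample produces no findings. In practice the Authentication-Results header is only trustworthy when added by your own mail server, so a real filter would discard any copy of it arriving from outside.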
Phishing is a type of social engineering where scammers use deception to con victims into revealing personally identifying information. Common vectors for phishing include emails, text messages, phone calls, and websites.
The easiest way to stop a phishing email is to report the email as suspicious, block the sender, and delete the message. Do not reply to a suspected phishing email, and do not click on links or download attachments included in the email.
One example of phishing is the use of a malicious website designed to mimic a legitimate one. When a victim attempts to log in using the website, their username and password fall into the hands of the scammer. Another example could be an email that appears to come from an authoritative source but demands questionable actions.
If you see unauthorized transactions on your credit card statement, find credit cards or loans on your credit report that you did not apply for, or notice that you’re being locked out of your accounts, your information could have been stolen in a phishing scam.
If you receive a phishing email and delete it, you can minimize the risk of identity theft. If you opened the email before deleting it, however, the sender may still be able to see that you opened and read the message, which could prompt further phishing attempts. The best course of action is to additionally block the sender and report the malicious message to your email service provider.
Phishing is extremely harmful. If you’re the victim of a phishing attack, scammers can sell your personally identifiable information on the dark web, use it to carry out identity theft, or even frame you for crimes you did not commit.
Yes. Phishing is a form of identity theft and can be penalized by fines or jail time under state or federal laws.