Here’s a sobering statistic: according to the US Cybersecurity and Infrastructure Security Agency (CISA), approximately 90% of all cyberattacks start with a phishing attempt.
Phishing is easily the most common source of data breaches globally, and over 3.4 billion phishing emails are sent per day. While 90% to 99% of all attempts are blocked or otherwise thwarted, even a single attack can be debilitating: on average, a business that falls victim to just one phishing-induced data breach will lose an estimated $4 million.
Given the frequency and severity of phishing attacks, staying informed is critical. In this article, we break down what phishing is and how it works. We provide examples of phishing in practice, talk about how to identify scams in action, and discuss what you can do to prevent you and your business from falling victim to this all-too-common type of attack.
Phishing is a type of cyberattack that relies on consumer naiveté. Posing as trusted senders, scammers attempt to deceive unsuspecting victims into voluntarily divulging sensitive information.
Phishing attacks can involve different communication channels like email, text message, or voicemail, but they all begin with some form of impersonation or deception. If successful, phishing results in identity theft, account takeovers, or data breaches.
Depending on the victim (and the potential for profit), scammers may use one or multiple tactics to bait their recipients. Run-of-the-mill email and text message scams are the most common, but more sophisticated attacks can be specifically aimed at a particular business or individual. Spear-phishing is a good example of a targeted attack.
Other attacks, like whaling, take things a step further by specifically impersonating a company’s CEO or another top executive. These attacks can lead to devastating business email compromise (BEC) scams, potentially costing merchants millions of dollars per incident.
Smartphones have become an integral part of people’s lives, and fraudsters see that as an opportunity. A relatively new technique on the scene is smishing: using fake SMS text messages to steal personal data from individuals and businesses.
Smishing is the fraudulent practice of using fake text messages in an attempt to steal confidential information, such as passwords or credit card numbers. This post examines what smishing is, as well as some ways to prevent it, and tricks to identify it before you become a victim.
A phishing email is a fake message that appears to be from a trusted source, but which is used to con people into clicking links, giving up information, or sending money.
Phishing fraudsters can target your entire company, trying to hook even a few of your employees. Even worse, scammers might hide behind your good name and try to catch unwary consumers. In this chapter, we look at how crooks create phishing scams, how to recognize attacks, and tips for not becoming a victim.
Ever get an email from a friend or coworker that just didn’t feel right, but made it super clear that you needed to click a link or download an attachment? There’s a good chance that was a spear phishing attempt.
Spear phishing is a targeted version of phishing. Attackers focus on specific individuals or organizations, typically through misleading emails. The goal is to obtain confidential information, such as login credentials, or plant malware on the victim’s device. This article will teach you everything you need to know about spear phishing, including what it is, how you might be targeted, and how to avoid becoming a victim.
Whaling is a fraud tactic that involves a criminal impersonating a trusted source to exploit a top executive, one with access to funds or confidential data. The aim is to trick an executive into misusing company funds or giving up sensitive information.
It’s a surprisingly simple — and surprisingly effective — fraud attempt aimed at businesses. In this chapter, we break down what whaling is, how scammers build their attacks, and why even savvy execs can be fooled.
Vishing, often called voice phishing, is a form of cybercrime that leverages telephone calls to illicitly obtain sensitive personal information. Scammers employ social engineering strategies to persuade victims into disclosing confidential details, such as bank account access, over the phone. This article will explain everything you need to know about vishing scams, including how they work and how to avoid them altogether.
Angler phishing is a social engineering attack where scammers impersonate a company’s customer support on social media and intercept customers.
“Angler phishing” might not be the most well-known cyberscam, but it’s gaining in popularity. One reason is that it doesn’t seem like a scam at all: victims believe they’re actually getting help from a reliable source. In this chapter, you’ll learn how angler phishing happens, why it’s such a headache for merchants, and some common-sense steps you can take to protect your business.
Phishing can create chaos for the payments ecosystem at large, and result in dramatic losses for cardholders and financial institutions individually. Merchants, for example, ultimately bear the brunt of unauthorized activity involving debit and credit cards, and may experience lost sales, lost inventory, and chargeback fees as a result.
Financial institutions, on the other hand, could incur reputational damage, fines from regulators, and higher operating costs. Phishing attacks aimed at cardholders can lead to identity theft, financial disruption, and emotional distress. They can also trickle down and cause additional losses for merchants.
A single phishing attack can have devastating consequences for a business and its stakeholders. For example, Sandworm’s 2015 phishing attack, which was aimed at power distributor Kyivoblenergo, caused over 200,000 Ukrainians to lose power.
Another 2015 phishing attack, this one directed at Ubiquiti Networks, cost that company nearly $39 million in losses. A similar scam that targeted Austrian aerospace and defense company FACC AG resulted in the loss of over 50 million Euros… as well as the termination of the company’s CEO.
Although phishing attacks are becoming more sophisticated and difficult to spot, you can still rely on some tried-and-true red flags to anticipate some attacks.
Generic greetings, suspicious sending domains, unusual attachments or hyperlinks, and obvious spelling and grammatical errors are telltale signs of phishing. Unusual threats can also be a tipoff, but one of the most common elements is a questionable sense of urgency: insisting the victim must respond immediately to avoid serious consequences.
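To show how the red flags listed above can be turned into a first-pass triage check, here is a small Python script added as an illustration; it is not code from the original article. It parses a raw email with the standard library, then scores it on sender-domain mismatch between From and Return-Path, urgency language, generic greetings, links whose visible text names a different host than the actual target, and risky attachment types. The two sample messages, the domain names, the keyword lists and the one-point-per-flag weighting are all constructed assumptions for this example.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message (not a real phishing email). The display name claims a bank,
# the From domain and Return-Path domain disagree, the link text shows one host while the
# href points at another, and the body pressures the reader to act immediately.
SAMPLE_PHISH = b"""From: "Example Bank Security" <alerts@examp1e-bank-support.com>
Return-Path: <bounce@mail-relay-3921.example.net>
To: customer@example.org
Subject: URGENT: Your account will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>We detected unusual activity. You must verify your account immediately or it will be
suspended. <a href="http://examp1e-bank-support.com/verify">https://www.example-bank.com/login</a></p>
</body></html>
"""

# Constructed benign message for comparison: aligned sender domains, personal greeting, no links.
SAMPLE_OK = b"""From: "Alice Example" <alice@example-bank.com>
Return-Path: <alice@example-bank.com>
To: customer@example.org
Subject: Your March statement is available
Content-Type: text/plain; charset="utf-8"

Hi Jordan,

Your March statement is now available in online banking. No action is required.
"""

# Assumed keyword lists; a production filter would tune these against real traffic.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended", "act now", "verify your account")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "valued customer")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".iso", ".html", ".zip")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
ADDR_RE = re.compile(r"<([^>]+)>")


def _domain(addr_header):
    """Return the lowercase domain of the first address in a header value."""
    if not addr_header:
        return ""
    m = ADDR_RE.search(addr_header)
    addr = m.group(1) if m else addr_header.strip()
    return addr.rpartition("@")[2].lower()


def _host(url):
    """Return the lowercase host of an http(s) URL, or "" if it is not one."""
    m = re.match(r"https?://([^/:]+)", url.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""


def score_message(raw_bytes):
    """Parse one raw RFC 5322 message and return (score, reasons).

    Each red flag that fires adds one point. This is triage for a human reviewer,
    not a verdict: legitimate mail can trip a rule and careful phishing can avoid all of them.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    reasons = []

    # Sender verification proxy: the envelope sender domain should match the From domain.
    from_domain = _domain(msg.get("From", ""))
    return_domain = _domain(msg.get("Return-Path", ""))
    if return_domain and return_domain != from_domain:
        reasons.append(f"sender mismatch: From={from_domain} Return-Path={return_domain}")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()

    if any(term in text for term in URGENCY_TERMS):
        reasons.append("urgency language")
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        reasons.append("generic greeting")

    # Link text that looks like one site while the href goes somewhere else.
    for href, label in ANCHOR_RE.findall(body):
        label_host = _host(re.sub(r"<[^>]+>", "", label))
        if label_host and label_host != _host(href):
            reasons.append(f"link text {label_host} points at {_host(href)}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append(f"risky attachment {name}")

    return len(reasons), reasons


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_OK)):
        score, reasons = score_message(raw)
        print(f"{label}: score={score} reasons={reasons}")
```

Run as-is, the constructed phishing sample scores 4 (sender mismatch, urgency, generic greeting, link mismatch) and the benign sample scores 0. The point of the exercise is that each flag on its own is weak evidence; it is the combination, and the mismatch between what the message claims and what its headers and links actually say, that separates the two samples.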
Preventing phishing scams requires a comprehensive approach. You’ll need to layer together fraud awareness training, technology, and secure internal policies. Email security and sender verification, along with simulated phishing attacks, can help you safeguard your business from CEO scams and other targeted attempts.
Staff education and restricted access to financial data are good prevention tools. Phishing incident response plans that emphasize compartmentalization and swift action can help you contain the fallout if you ever do suffer a breach.
Phishing is a type of social engineering where scammers use deception to con victims into revealing personally identifying information. Common vectors for phishing include emails, text messages, phone calls, and websites.
The easiest way to stop a phishing email is to report the email as suspicious, block the sender, and delete the message. Do not reply to a suspected phishing email, and do not click on links or download attachments included in the email.
One example of phishing is the use of a malicious website, one that is designed to mimic a legitimate one. When a victim attempts to log in using the website, their username and password fall into the hands of the scammer. Another example could be an email that appears to come from an authoritative source but demands questionable actions.
If you see unauthorized transactions on your credit card statement, find credit cards or loans on your credit report that you did not apply for, or notice that you’re being locked out of your accounts, your information could have been stolen in a phishing scam.
If you receive a phishing email and delete it, you can minimize the risk of identity theft. If you opened the email before deleting it, however, the sender may still be able to see that you opened and read the message, which could prompt further phishing attacks. The best course of action would be to additionally block the sender and report the malicious message to your email service provider.
Phishing is extremely harmful. If you’re the victim of a phishing attack, scammers can sell your personally identifiable information on the dark web, use it to carry out identity theft, or even frame you for crimes you did not commit.
Yes. Phishing is a form of identity theft and can be penalized by fines or jail time under state or federal laws.