In the past year, we’ve seen a sharp increase in the number of phishing attacks performed against businesses. Most companies don’t feel prepared to protect themselves against these types of scams. The growth of phishing attacks in both frequency and sophistication poses a significant threat to all organizations. It’s essential that all companies know how to spot some of the most common phishing scams to protect their information. It takes the awareness and understanding of all employees within an organization to be successful. In this vlog, we’ll review some of the most common types of phishing attacks your organization is susceptible to.
The most common type of phishing scam is deceptive phishing. Deceptive phishing refers to any attack where fraudsters impersonate a legitimate company and attempt to steal people’s personal information or login credentials. Those emails frequently use threats and a sense of urgency to scare users into doing the attackers’ bidding.
For example, scammers posing as PayPal might send an attack email that instructs recipients to click on a link to rectify a discrepancy with their account. In actuality, the link leads to a fake PayPal login page that collects the user's login credentials and delivers them to the attackers.
The success of deceptive phishing hinges on how closely the attack email resembles a legitimate company's official correspondence. As a result, users should inspect all URLs carefully before clicking (hovering over a link reveals its real destination) and check whether the link actually leads to the company's own domain or to an unfamiliar one that merely contains the company's name. They should also look out for generic salutations, grammar mistakes, and spelling errors scattered throughout the email.
Not all phishing scams lack personalization – some use it quite heavily.
For instance, in spear phishing scams, fraudsters customize their attack emails with the target’s name, position, company, work phone number and other information in an attempt to trick the recipient into believing that they have a connection with the sender.
The goal is the same as deceptive phishing: lure the victim into clicking on a malicious URL or opening a malicious email attachment so that they hand over their personal data.
Spear phishing is especially prevalent on social media sites like LinkedIn, where attackers can use multiple sources of information to craft a targeted attack email.
To protect against this type of scam, organizations should conduct ongoing employee security awareness training that, among other things, discourages users from publishing sensitive personal or corporate information on social media. Companies should also invest in solutions that are capable of analyzing inbound emails for known malicious links/email attachments.
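The URL check recommended above for deceptive phishing and the inbound-link analysis recommended here can both be automated. The following is an added example, not code from the original vlog or from any product it mentions: it parses the anchors in an HTML email body, flags links whose visible text names one domain while the href points to another, and flags hrefs whose domain is on a denylist. The sample email and the denylist entry are constructed for illustration, and the registrable-domain logic is a deliberate last-two-labels approximation.

```python
"""Flag deceptive links in an HTML email body.

Added example (not part of the original post). Two checks are applied to
every <a> tag:
  1. the domain shown in the link text differs from the domain in the href
     (the classic "looks like paypal.com, goes elsewhere" trick);
  2. the href domain appears on a denylist of known malicious domains.
The email body and denylist below are constructed sample data.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample denylist of domains already known to host phishing pages.
KNOWN_MALICIOUS = {"paypa1-secure-login.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    A production scanner would consult the Public Suffix List (co.uk etc.);
    this approximation is sufficient for the .com/.net examples here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of(url_or_text):
    """Return the registrable domain of a URL, or of bare text that looks
    like a URL or hostname. Returns "" for text that is not a URL at all."""
    candidate = url_or_text.strip()
    if not candidate or any(ch.isspace() for ch in candidate):
        return ""
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname or ""
    return registrable_domain(host) if "." in host else ""


def check_links(html_body, denylist=KNOWN_MALICIOUS):
    """Return a list of (href, reason) findings for suspicious anchors."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = domain_of(href)
        shown = domain_of(text)
        if target in denylist:
            findings.append((href, "known malicious domain"))
        elif shown and target and shown != target:
            findings.append((href, f"link text shows {shown} but points to {target}"))
    return findings


# Constructed sample phishing email: one lookalike link, one denylisted
# link, and one legitimate link that must not be flagged.
SAMPLE_EMAIL = """<html><body>
<p>Dear Customer,</p>
<p>We detected a discrepancy with your account. Log in within 24 hours to avoid suspension:</p>
<p><a href="http://paypal.com.account-verify.net/login">https://www.paypal.com/account</a></p>
<p>Or <a href="https://paypa1-secure-login.com/verify">click here</a> to verify.</p>
<p>Help center: <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

Running the block flags the first two links and leaves the genuine help-center link alone. Note that the first link's hostname begins with `paypal.com.`, which is exactly the prefix trick the hover check is meant to catch: the registrable domain is `account-verify.net`, not `paypal.com`.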
Spear phishers can target anyone in an organization, even top executives. That’s the logic behind a “whaling” attack, where fraudsters attempt to harpoon an executive and steal their login credentials.
In the event their attack proves successful, fraudsters can go on to conduct CEO fraud, the second phase of a business email compromise (BEC) scam, in which attackers impersonate the executive and abuse that individual's email account to authorize fraudulent wire transfers to accounts the attackers control.
Whaling attacks often succeed because executives frequently skip the security awareness training their employees receive. To counter that threat, as well as the risk of CEO fraud, all company personnel – including executives – should undergo ongoing security awareness training.
Organizations should also consider amending their financial policies so that no one can authorize a financial transaction via email alone, and so that any payment or account-change request is verified through a separate channel, such as a phone call to a number already on file.