Phishing attacks are difficult threats for IT and Security professionals to eliminate because existing methods continue to evolve in order to disrupt businesses of every size.
Attacks typically don’t target seasoned security professionals — instead, criminals are focusing their efforts on the largely negligent employee base, or on specific individuals within a business who tend to yield the most power or access.
There are five common types of phishing attacks that you and your employees need to be aware of:
- Phishing
- Spear Phishing
- Whale Phishing
- Business Email Compromise (BEC)
- Clone Phishing
According to Intel, 97% of people around the world are unable to identify a sophisticated phishing email.
While your employees or executive team may be a part of the 3%, it’s always better to be safe than sorry when it comes to the security of your organization.
Educating your employees about the dangers of a phishing attack is critical. In fact, raising employee security awareness can help to decrease your exposure to numerous cybersecurity threats.
Therefore, we recommend implementing employee security awareness training to help employees identify and avoid the most common and costly threats.
Phishing certainly fits the bill of a common and costly threat.
Your employees may have heard of phishing, but do they know all the different methods used by perpetrators?
What is Phishing?
Phishing is the umbrella term for this whole family of attacks, and it also names the most common instance — a fraudulent email sent to a large number of people with the intention of tricking recipients into doing what the hacker wants.
A general phishing email typically asks the recipient either (1) to log in to a spoofed website, so the attacker can capture the victim’s username and password, or (2) to download a fraudulent attachment, which is actually malware.
These attacks are successful because the spoofed emails are often indistinguishable from legitimate emails, aside from small changes to the ‘from’ field, the link URL, or the spoofed company’s website.
Additionally, because these attacks can be carried out on a mass scale, a hacker only needs to trick a small percentage of the targets in order to accomplish his/her objective.
What is Spear Phishing?
Spear phishing is when a criminal targets specific individuals or businesses in order to personalize the experience and increase the chances of a successful phish.
This method is incredibly effective for hackers.
Using publicly available information, or even an educated guess, a spear phishing attack can create a significant amount of pressure on the recipient to take an action.
Imagine a member of your finance team gets a spoofed invoice from a vendor that the marketing team has been using for years. The invoice could be fake and create a loss-of-money scenario, or the invoice attachment could be malware.
Did you know: 95% of all attacks on enterprise networks are the result of successful spear phishing.
Remember, the hacker is trying to create the illusion that the recipient is receiving a legitimate email and trying to elicit an action.
Another way to do this is to pretend to be a co-worker or manager.
For example, hackers can reference specific company initiatives in order to get the target to let their guard down. A team member returning from a business trip can receive an email from their “manager” requesting that they log in to the company expense report software in order to upload their receipts — this contextual request makes sense to the target and could hand a username and password combination to the criminal.
What is Whale Phishing?
Whale phishing, also called whaling, is a spear phishing attack that is aimed specifically towards the most valuable members of an organization, like a CEO or Board Member.
If successful, whaling can provide access to tons of sensitive company and customer information. It can also provide access to large amounts of money.
Pulling off a successful whaling attack is difficult though — consider, the hacker needs to do extensive research into the target (social engineering) in order to trick them.
An executive or board member isn’t going to just hand over the keys to the castle.
Highly contextual and relevant attacks that relate to ongoing issues within the business, specific conversations between executives and board members, or legal problems, can elicit action out of a whale.
What is Business Email Compromise (BEC)?
Business email compromise, or BEC, is an attack designed to extract money from the target.
This type of attack has been growing in popularity, with reports suggesting that BEC schemes can generate $9 billion for hackers in 2018 (up from $5.3 billion just a year ago).
Business email compromise attacks are hard to set up but relatively easy to execute.
Essentially, a hacker uses a spear phishing or whaling attack to gain access to the email of a high-value target, like a CEO or CFO. This is the hard part.
Once the hacker has access to that mailbox, they simply observe.
Who does the CFO email? When do they email them? What language do they use?
For example, if a hacker has access to the CFO’s email, he can trigger a seemingly legitimate email to the Controller asking him or her to transfer money to an account controlled by the hacker.
The email looks harmless to the Controller because the hacker is able to mimic the language, tone, and general characteristics of an email from the CFO.
What is Clone Phishing?
Clone phishing is when a hacker copies an existing, legitimate email and resends it as an “updated” version, fooling the recipient into believing it is simply a correction of an error in the original.
In this scenario, the hacker reuses the original sender’s email address (with a slight variation), subject line, and email body, but adds some context explaining that the previous email was a mistake and that this one is the intended email.
Using a malicious link or site, the hacker can extract a username or password, or can install malware.
A successful clone phishing attack can oftentimes lead to additional clone attacks on co-workers or other similar targets.
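The indicators the article names for a general phishing email (a subtly altered ‘from’ field and a link URL that does not go where it claims) and for clone phishing (a sender address that is a slight variation of the real one) can all be checked mechanically at the mail gateway or in a triage script. The following is an added example, not code from the original article: it parses one constructed message, compares the From and Reply-To domains, flags links whose visible text and real destination disagree, and uses a small edit-distance test against an assumed allowlist of trusted domains to spot lookalike senders. All domains in the sample are placeholders.

```python
"""Added example (not from the original article): flag the phishing
indicators the text describes -- an altered 'from' field, a link whose
visible text and real URL disagree, and a sender domain that is a
near-copy (lookalike) of a trusted one."""

import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every domain here is a placeholder.
SAMPLE_EML = b"""\
From: "Acme Invoicing" <billing@acme-corp.co>
Reply-To: collections@mail-relay.example
To: finance@example.com
Subject: Re: Corrected invoice #4471
Content-Type: text/html; charset=utf-8

<html><body>
<p>Apologies, the earlier invoice had an error. The corrected copy is here:</p>
<a href="http://acme-corp.com.login-portal.example/invoice">https://portal.acme-corp.com/invoice</a>
</body></html>
"""

# Assumed allowlist of domains the organization legitimately deals with.
TRUSTED_DOMAINS = ["acme-corp.com", "example.com"]


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(url):
    """Lowercase host part of a URL; a bare host without a scheme is accepted."""
    host = urlparse(url if "://" in url else "http://" + url).hostname
    return (host or "").lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return None  # the real domain or one of its subdomains
    for t in trusted:
        # a couple of characters off (acme-corp.co), or the trusted name buried
        # as a leading label (acme-corp.com.login-portal.example)
        if edit_distance(domain, t) <= 2 or t in domain:
            return t
    return None


def analyze(raw_message):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    from_domain = msg["From"].addresses[0].domain.lower()
    imitated = lookalike_of(from_domain, TRUSTED_DOMAINS)
    if imitated:
        findings.append(f"from-domain-lookalike: {from_domain} resembles {imitated}")

    # Replies silently redirected to a different domain are a classic BEC/phish sign.
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses:
        rt_domain = reply_to.addresses[0].domain.lower()
        if rt_domain != from_domain:
            findings.append(f"reply-to-mismatch: {rt_domain} != {from_domain}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_dom = domain_of(href)
            text_dom = domain_of(text) if "." in text else ""
            if text_dom and text_dom != href_dom:
                findings.append(f"link-text-mismatch: shows {text_dom}, goes to {href_dom}")
            imitated = lookalike_of(href_dom, TRUSTED_DOMAINS)
            if imitated:
                findings.append(f"link-domain-lookalike: {href_dom} resembles {imitated}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML):
        print(finding)
```

Run against the constructed message, the checker reports four findings: the sender domain resembles a trusted one, the Reply-To points elsewhere, the visible link text and its real destination disagree, and that destination embeds a trusted name as a leading label. Subdomains of an allowlisted domain are deliberately accepted, so the same logic can run on genuine mail without flooding analysts with false positives; the allowlist and the distance threshold are the two knobs to tune for a real environment.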
How to Stay Safe
To repeat, the number one way to limit phishing attacks or any other type of cybersecurity threat is to educate your employees on the dos and don’ts of safe cybersecurity behavior.
On top of outlining the scenarios above with examples for employees, part of cybersecurity training should include regular phishing tests.
These tests can incorporate a number of the potential scenarios outlined above, and can help turn negligent employees into informed, savvy users who always double-check a sketchy link or attachment.