Phishing attacks are on the rise, and they’re increasingly costly for businesses. PhishLabs reported that in 2021, attacks increased 28% over the previous year (opens in new tab). Today, a large number of cyberattacks begin with phishing emails.
That means malicious emails should be top of mind for businesses. However, many companies still don’t quite understand the breadth and scope of the phishing problem, the potential risks, or even what phishing truly is.
You might also want to check out Microsoft replaced as the most-phished company by a surprising entrant.
What counts as phishing?
Any attempt to obtain information or money using a fraudulent email counts as phishing. Phishing emails spoof the look and feel of an actual email message from a trusted source — a person or, more often, a company such as Amazon, Google, or PayPal. These emails create a sense of urgency for users to follow a link to a page where they will enter their passwords to prevent an adverse event — like their email account being shut down or a fraudulent charge being processed — or to double-check an account balance.
Once they log in, their information may be stolen, or their computer could be infected with malware or ransomware. In some cases, cybercriminals use the data to hack into accounts, pocket money, or make fraudulent purchases.
Phishing scams usually include link manipulation — using misspelled URLs similar to legitimate ones. Often, phishers use images embedded in emails instead of text to help evade filters. More sophisticated approaches may involve a covert redirect that uses a login popup on a legitimate website.
There are a few common approaches:
- Spear phishing is an attack directed at a specific individual or company. These attacks usually involve gathering information about the target or targets ahead of time to better craft phishing emails to manipulate potential victims.
- Clone phishing uses a legitimate and previously delivered email with an attachment or link that has its content and address cloned. The link/attachment is replaced with a malicious site or dangerous attachment.
- Whaling attacks are directed at senior executives or other high-profile targets. These scams usually take the form of important business or legal emails and have even included forged subpoenas.
- SMS phishing, or smishing, uses cell phone text messages to skim personal information from recipients.
Low-tech security strategies
While email filters and other security technologies can help block phishing emails from getting to your customers’ inboxes, the criminals behind these scams are constantly updating their techniques to avoid detection. Phishing relies heavily on psychological manipulation, and end-users are the weakest link.
Even basic, low-tech strategies can help you protect your business and your customers from the costs and consequences of a phishing attack. Those include:
Provide end-user awareness training to help staff recognize the tell-tale signs of phishing – misspelled website names, oddly named attachments, etc. In addition, employees should “hover” over sender names in emails and embedded links to make sure they match the origin account or a legitimate website.
Make sure they also know best practices, like never logging into a website they reached via an email link.
Designated Email Addresses
If the business regularly receives legitimate emails for financial transactions, it could set up specific email addresses just for those requests. Limit the exposure of these addresses on public sites, which can help reduce their target footprint when it comes to phishing.
Code Names/Code Words
Code names aren’t just for spies. For example, employees or clients could establish specific email formats or code words for correspondence to let the recipient know the email was legitimate.
Enforce Email Policies
Set up policies to minimize the number of sensitive transactions that occur via email. If employees know that financial authorizations should only be made in person or over the phone, it’s unlikely they’ll fall for a phishing attempt to get them to do so via email.
Phishing is a growing and constantly evolving threat, so it is vital to stay updated on the latest threats and what steps your organization can take to mitigate these attacks.
Jason Howells, vice-president, MSP international sales at Barracuda MSP (opens in new tab)