Security remains one of the top priorities for organisations as they navigate the hybrid working world. Threats continue to evolve at a frightening pace – yet older tactics are still hitting hard. Some of the most common, and costly, risks to business security come from phishing, a technique which is more than 30 years old yet still causes disruption and damage to industries across the world.
Let’s take a look at the risks it poses and how to defend against phishing attacks.
What is phishing?
It’s not hard to spot that the word phishing comes from ‘fishing’ – each deploys similar tactics. Just as fishermen attract fish to their lines with bait, a phisher attempts to attack an organisation by luring unsuspecting individuals into revealing confidential company data by posing as a friend, colleague or network contact.
Phishing preys on the trusting nature of human beings. It capitalises on the carelessness many of us may have exhibited at one time or another by clicking a link or responding to a message without due care and attention. Some phishing emails or calls imitate the brand they claim to come from so closely that even the most vigilant can be convinced to let down their guard.
One common example of phishing in day-to-day life is an email or phone call, purporting to be from your bank, informing you that your account has been frozen and all your money must be moved to a new, secure location. In the business world, you could get a message from someone claiming to be a representative of a supplier, asking for financial details to complete a transaction.
Although low-tech in nature, phishing has become a more sophisticated method of attack in recent years, with hackers seeking to exploit any weakness in an individual’s character or an organisation’s IT strategy to gain a foothold.
Types of phishing attacks
At its most simple level, phishing is the practice of convincing an individual or organisation to give up personal or sensitive information by impersonating a trusted source.
But there are different types of phishing attacks that can seem confusing without proper understanding. Here are some of the most common attacks you might be exposed to.
The most common form of phishing comes via bulk email. The phisher sends thousands of emails to a large audience, waiting for someone to bite. These campaigns require little effort or planning – the emails are usually easy to spot and rarely personalised – but they cast a giant net, and with so many recipients the chance that at least some will fall victim is significant.
Similar to the above method, spear phishing limits the audience size and creates tailored emails and communications, aimed at convincing targets that the source is genuine and should be trusted. These communications can be via email, SMS, WhatsApp or even phone calls. To achieve this, attackers will attempt to collect personal information about a target from social media or a company directory, before reaching out to them with a personal greeting.
Whaling is a sub-set of spear phishing, targeting high-level executives and C-suite employees. Because of the seniority of the victims, successful whaling attacks can cause great damage to an organisation.
One of the more sophisticated and difficult to detect types of phishing, cloning sees a phisher create a very similar-looking email to one which the victim has received and engaged with before. Since the original email was legitimate, it’s very easy for the victim to trust the follow-up. The email will contain malicious links and attachments which may contain malware.
How does phishing cause harm?
The bank account example mentioned above has an obvious end result. By following the phisher’s instruction, all of your money is transferred to a new account under the attacker’s control.
But understanding how types of phishing attacks can compromise whole organisations goes a long way to preparing yourself to defend against them – before you fall victim.
No matter an organisation’s size, phishing attacks can cause harm in multiple ways.
Many types of phishing attacks focus on extracting bank details and credit card information. When targeting a business, phishers may create fake invoices for genuine-sounding services. Phishing leads to direct financial loss when victims are tricked into handing over compromising financial information or directly – and mistakenly – paying the attacker.
There are two ways in which a phishing attack can cause long-term damage to your reputation. If a successful phishing attack becomes public, confidence in your business as a safe and reliable organisation can quickly fall away. A data breach of any kind is guaranteed to bring a reputational hit. Even worse, however, is that once your system has been compromised, a phisher can send emails to your clients and contacts posing as you, reducing your credibility and the trust others place in your organisation to zero.
Once an attacker has caught you off-guard with a successful phishing attack, they may not only be seeking financial gain. By installing malware or ransomware via a phishing communication, phishers can cause productivity to grind to a halt and bring your operations to a standstill.
Ransomware and phishing
Ransomware is a type of malware (malicious software) that encrypts an organisation’s data and/or devices, only releasing the data once payment has been made to the attackers. Malware can be installed on a victim’s computer by opening a phishing attachment or clicking a phishing link.
The threat actor will then demand a ransom in exchange for a decryption key, theoretically unlocking access to information and systems once the extortion payment has been received.
If the payment is not made, the attacker may conduct ‘double extortion’. They could do this by refusing to decrypt the information/systems, and even threatening to publish information on the open web, sell compromised data, or further expand their foothold in the victim’s IT infrastructure.
Ransomware is used to harm organisations in various ways:
- causing a device to become locked or unusable
- stealing, deleting or encrypting data
- taking control of devices to attack other organisations
- obtaining credentials that allow access to organisations’ systems or service
- mining cryptocurrency
- using services that may cost its targets money
To be released from the attack, targets are inevitably instructed by the attackers to send payment to an anonymous destination. Of course, there’s no guarantee that your payment will be the end of it. Criminals don’t follow the same rules as your organisation.
As with all phishing attacks, malware attacks can cost considerable money and time for organisations who fall victim.
Phishing facts and stats
You might believe that your defences are sound and that the sheer number of organisations who will fall for these schemes before you means that you’re quite safe. You’re probably right.
A 2023 study by the UK government revealed that 79% of UK businesses have faced a phishing attack in the last 12 months, and that phishing was by far the most disruptive form of attack in the last year.
Of real concern is the evidence that British businesses are lessening their anti-phishing strategy, with just 48% having processes in place for dealing with phishing attacks in 2023, down from 57% in 2022.
Similarly, the number of businesses using malware protection fell from 83% to 76%, password policies fell from 75% to 70%, and network firewalls from 74% to 66%.
And, while you may have confidence in your people to recognise and fend off such attacks without the need for additional solutions, the same report revealed that only 19% of businesses have actually carried out phishing simulations to test that theory.
Quishing: how types of phishing attacks have evolved
Just as the methods employed by phishers have become sophisticated, so the tools at their disposal have evolved as well.
One example is the humble QR code. With its return to popularity since Covid, threat actors have jumped on the bandwagon to exploit unprepared mobile phone users. Restaurant menus, flyers, event tickets – even Covid passports – QR codes are as ubiquitous now as mobile phones themselves, and it’s very easy for this familiarity to play into the hands of attackers.
To avoid ‘quishing’, as it has become known, users should avoid scanning any QR codes whose source they are not certain of, or where the party behind the code cannot easily be identified. Instead, users should look the information up online, through a traditional – and much more secure – browser.
Which industries are most at risk from different types of phishing attacks?
According to Statista, the industry most at risk from phishing is the financial sector, with 27% of attacks in 2022 focusing on financial services.
Businesses across a wide range of other service areas are also at risk. Those most targeted by phishing are SaaS (Software-as-a-Service), social media, logistics, payment, and ecommerce.
However, the industries most . The highest worldwide average cost of a financially damaging phishing attack in 2022 was seen in the business and professional services industry – not featured in the list above. The media, leisure and entertainment sectors, also outside the top six most targeted, placed second in the list of most financially damaging phishing attacks.
From this, a picture should be emerging that phishing attacks can succeed in any industry, against organisations of any size. In September 2023, Greater Manchester Police (GMP) was targeted by a ransomware attack which saw officers’ names, ranks and photographs compromised.
Despite being a secure organisation, with security an absolute priority, the force’s defences were breached, leading to an alert that more than 12,500 staff may be affected. If your data is valuable, then you need to be prepared to repel those who’d use it for ill gains.
How to defend against phishing attacks
The best defence against phishing is to invest in your defences and employ a forward-thinking strategy.
There are many ways that an organisation can position itself to be more secure, starting with simple education and personal responsibility all the way up to complex endpoint protection. Here are some approaches you might find helpful when looking at how to defend against phishing attacks.
Education and awareness
The greatest defence against phishing comes from arming your people with a solid understanding of what potential attacks look like. Make sure everyone in your organisation considers the sender’s email address and makes sure it’s genuine, since some clone emails can look very convincing.
Don’t just glance over the contents – pay attention to the small print, the details and the overall appearance. Mistakes in spelling and grammar are a telltale sign that an email is not genuine; similarly, a well-known logo that looks just a tiny bit off is another. Another important lesson to learn is to not click links without first making sure you know their destination – a lesson worth learning before you fall foul of it.
Proper password safety, while not directly related to repelling phishing attacks, is another good habit to adopt. Using strong passwords keeps your sensitive data more secure and gives you a solid first line of defence for keeping out threat actors.
A reliable password manager, however, does protect you from phishing in certain situations. As well as providing a safe repository for your passwords and generating strong passwords for your accounts, password management software protects against phishing by only offering to fill credentials on the domain they were saved for. This means that if a user opens a phishing email and lands on a lookalike site, their password manager will not autofill their details there.
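The two checks described above – not trusting a link until its real destination is known, and a password manager refusing to autofill anywhere but the origin the credential was saved on – come down to comparing hostnames strictly. The following is an added illustration, not the page’s or any vendor’s code; the vault contents, the hostnames and the sample email are all constructed.

```python
"""Strict origin matching of the kind a password manager applies before
autofilling, plus a link-text vs. destination check for suspicious emails."""
import re
from urllib.parse import urlparse

# Constructed vault: credentials are keyed by the exact (scheme, host) they were saved on.
VAULT = {
    ("https", "online.examplebank.com"): "alice@example.com",
}


def origin_of(url: str) -> tuple:
    """Return (scheme, host). The host is lower-cased and IDNA-encoded so a
    homoglyph hostname (e.g. Cyrillic 'а' for Latin 'a') never compares equal
    to the genuine ASCII one."""
    parts = urlparse(url)
    host = (parts.hostname or "").encode("idna").decode("ascii")
    return (parts.scheme.lower(), host)


def autofill_allowed(page_url: str) -> bool:
    """Fill only when scheme AND host match a saved origin exactly. Lookalikes
    such as online.examplebank.com.evil.test, examp1ebank.com, or the same
    host over plain http all fail this test."""
    return origin_of(page_url) in VAULT


URL_RE = re.compile(r"https?://[^\s\"'<>]+")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def link_mismatch(anchor_text: str, href: str) -> bool:
    """True when the visible link text shows a URL whose host differs from the
    real destination: the hallmark of a cloned or brand-impersonating email."""
    shown = URL_RE.search(anchor_text)
    if not shown:
        return False  # plain "click here" text carries no claim to check
    return origin_of(shown.group(0))[1] != origin_of(href)[1]


def suspicious_links(html: str) -> list:
    """Return the real destination of every anchor whose displayed URL lies."""
    return [href for href, text in ANCHOR_RE.findall(html) if link_mismatch(text, href)]


# Constructed clone-phishing snippet modelled on the frozen-account lure above.
SAMPLE_EMAIL = (
    '<p>Your account has been frozen. Restore access at '
    '<a href="https://online.examplebank.com.evil.test/restore">'
    'https://online.examplebank.com/restore</a> today.</p>'
)
```

Run `suspicious_links(SAMPLE_EMAIL)` to see the hidden destination surfaced, and compare `autofill_allowed` on the genuine login page with the lookalike hosts to see why a domain-bound password manager stays silent on a phishing site.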
If the worst happens and an attacker gains access to your account details and password via a phishing attack, multi-factor authentication, or MFA, can prevent them from getting any further. Various methods exist among different MFA providers, but the overriding principle is that by separating authentication into two stages – the first of entering a password and the second of confirming your identity on a separate device – attackers cannot subvert your login security with just your password.
How to defend against phishing attacks with phishing simulations
A sure-fire way of testing your preparedness and encouraging your people to be on their guard for phishing attacks is to enact a phishing simulation.
A phishing simulation is a cybersecurity exercise which tests your ability to recognise and respond to a phishing attack. It involves simulated phishing emails, texts and voice calls being sent to your organisation, using the same tactics as real-world threat actors.
The communication will aim to gain the trust of the employee and manipulate them into revealing compromising information or data. The difference is that any employee who takes the bait and follows any malicious links, opens any dangerous attachments or passes information to a fraudulent user will simply fail the test.
Some organisations take the opportunity of failure to instil another lesson by directing those who fail the test to a landing page, highlighting the choices they made which led to them failing the test, and how to better spot phishing attacks in the future.
How a managed security service provider can keep your people safe from types of phishing attacks
Our expert cyber security teams are up to date with the very latest phishing methods employed by threat actors. Together with their advanced understanding of industry-leading security solutions, they can offer you the best advice on how to shape your cyber security strategy to give you the best chance of surviving not just a phishing attack, but also the multitude of cyber threats that exist today.
By enlisting the support of a managed security services provider, you gain not only the wealth of expertise and knowledge that professional cyber security experts bring, but you have the peace of mind that your environment and data are protected 24/7, allowing you the freedom to focus on the things that make your organisation and people great.