What Are Phishing Attacks?

Cybersecurity is a constantly-evolving industry, with new threats emerging on a regular basis. One such threat, phishing, is a form of cyberattack in which malicious actors send communications while posing as a trustworthy individual or organization. These messages are intended to steal sensitive information – often login credentials or financial details.

Phishing can be carried out in many different ways, but the most common form is social engineering. This involves using various tactics (including deception and intimidation) to trick users into performing actions that jeopardize their security or data. Phishing is now used in practically every security event, and attackers are constantly developing new ways to exploit users’ trust.

If you ever receive an unexpected email or notification from a website you trust, don’t open it without first confirming that it’s from the source you expect it to be from. And if you think you may have been affected by a phishing attack, don’t hesitate to reach out to an antivirus vendor for help recovering your data and protecting yourself from future attacks.

Examples of Phishing Attacks

Here are two examples of how phishing attacks can happen:

1. You get an email that looks like it’s from your bank, but it’s actually a phishing email. The email might say something like “Your login has failed. Please try again” or “This message is important! Your account has been locked because of suspicious activity.” If you click on the link in the email, you might be taken to a fake website where you input your login information. This is why it’s so important to never give out your login information to anyone—not even if the person seems trustworthy.

2. You get an email from someone you know, like your best friend or cousin. The email says something like “Congratulations on graduating from college! Here’s some exciting news: We’ve just added your name to our waiting list for our new online account service….” If you click on the link in the email, you might be taken to a fake website where they ask for your credit card number or other personal information. Again, it’s important not to give out any personal information unless you definitely trust the person who sent the email.

3 Most Common Types of Phishing Attacks

Email Phishing

Email phishing is a type of phishing attack where attackers try to convince you to enter your login credentials (username and password) into a fake email message that looks like it came from a legitimate sender.

The goal of email phishing is usually to obtain your login credentials for your online account, such as your email account or bank account. Once the attacker has your login credentials, they can use them to make unauthorized transactions or access sensitive information.

Whaling

Whaling attacks are typically very covert and personal in nature, relying on the personal information of senior employees to craft effective attacks. These kinds of attacks can be incredibly successful given that they often exploit the fact that high-ranking individuals have access to a significant amount of sensitive information. In many cases, these kinds of attacks do not make use of deceptions such as fake links or malicious URLs. Instead, they rely on highly personalized messages that they create by utilizing the information they discover about the victim through their research. Whaling attacks are particularly effective at gaining access to confidential information, such as tax returns or personnel files.

Spear Phishing

Phishing is an advanced form of cyber-attack that uses email to try and extract personal or financial information from victims. Spear phishing is a specific type of phishing attack that specifically targets individuals within an organization - typically a trusted employee, manager, or executive. The goal of spear phishing is to gain access to sensitive information, such as account passwords, corporate secrets, and intellectual property. Spear phishing attacks are often more successful than other types of phishing because they take advantage of the trust that most people place in those who are influential within their organizations.

Phishing Signs to Look Out For

• Urgency & threats – Scammers often try to pressure you into action quickly, using language that sounds urgent and threatening. For example, they might say that your account is about to expire and ask for your login credentials immediately.
• Overly casual language – Phishers often try to make their requests seem less serious by using terms that are familiar and informal. For example, they might ask if you would be willing to "shoot a basketball" together or whether you could help them out with "a quick favor."
• Grammatical errors – Phishers don’t always bother with good grammar. They may use incorrect spelling and grammar in an attempt to look like someone you know.
• Unusual requests for your personal information such as account login credentials, credit card details, or dates of birth.

Always be on the lookout for these warning signs and never give out personal information or login credentials to anyone you don't trust.

How to Protect Yourself or Your Employees from Phishing Attacks

• Use strong passwords: Make sure your passwords are strong and unique, and never share them with anyone. Also make sure your login credentials (username and password) are secure – use a different password for every website and never reuse the same login details at more than one site.
• Install and use anti-virus software: Make sure your computer is updated with the latest anti-virus software, installed on all devices you use (PCs, laptops, tablets) and keep track of current virus threats so you can update as needed.
• Organizations should take steps to protect their employees and customers from phishing attacks, which can include implementing cyber security training and encouraging employees to be vigilant for suspicious behaviour. If employees recognize a phishing attack when it occurs, they should report it to the company's security team. By being aware and educated about phishing attacks, your enterprise will reduce the chances of data infiltration or financial loss due to phishing attacks.
• Be aware of suspicious email addresses and domains. Be especially wary of email addresses and domains that look suspicious, such as those that are not official company domains or have strange characters in the name. Check the web address against known safe domains and never provide your password or other confidential information directly to anyone you don't know personally.
• Always use 2-factor authentication when logging in to important accounts (like online banking). This will help reduce the chances of someone stealing your login credentials by stealing your password alone.