The 5 w’s of phishing

It’s known as one of the oldest and still one of the most prevalent forms of cyberattack. This is because phishing largely relies on a vulnerability we can never completely get rid of: human error.

It deploys the same basic tactic that scammers have been using for decades – faking the identity of an individual or business to get victims to divulge sensitive information, or to send money. Phishing has evolved since the early days of the internet and is now a catch-all term for a variety of attacks.

To help you understand these attacks in all their forms, here is the ‘who, what, where, why and when’ of phishing, so you can better protect your business.

Who is usually targeted in a phishing attack?

The targets of phishing attacks vary, but the traditional model was to send the same scam email to as many people as possible and see who took the bait. This has become less effective over the years as we’ve all grown accustomed to spotting scam emails when they appear.

Spear phishing involves targeting individuals with specific content related to them, such as an unrequested ‘forgotten password’ email from their favourite online retailer. Attackers may work for weeks in advance to learn as much as they can about their targets before sending personalised scam emails to trick the individual into revealing confidential information. The most famous spear phishing attack was the targeting of Hillary Clinton’s campaign officials during the 2016 US presidential election.

Whaling takes the fishing puns to their logical conclusion. The ‘whales’ in a phishing context are senior executives and even CEOs. However, the difference here is that the scam emails appear to come from the CEO. This is an effective form of social engineering, as employees are incredibly unlikely to deny a request for information from their boss.
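The whaling scenario above hinges on a message that merely looks as if it came from the CEO. A common defensive control is a mail-gateway rule that compares the display name on an inbound message against a list of the organisation's executives and flags any match whose sender address is not the executive's real address, distinguishing a lookalike domain from an outright external address. The code below is an added illustration, not code from the article or from Datacom; the organisation domain, executive list and sample From: headers are all constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed example data (assumptions for this illustration, not from the article):
# the organisation's genuine mail domain and the executives most likely to be impersonated.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Constructed sample From: headers as a mail gateway might see them.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example.com>",        # genuine executive address
    "Jane Doe <jane.doe@examp1e.com>",        # lookalike domain (digit 1 for letter l)
    "Jane Doe <ceo.urgent@gmail-mail.net>",   # executive's name on an unrelated domain
    "Accounts Payable <ap@example.com>",      # not an executive; nothing to flag
]


def normalise(name: str) -> str:
    """Collapse whitespace and case so 'Jane  DOE' and 'jane doe' compare equal."""
    return re.sub(r"\s+", " ", name).strip().lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one character away from the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str, max_distance: int = 1) -> bool:
    """True when the domain is close to, but not equal to, the organisation's domain."""
    return domain != target and edit_distance(domain, target) <= max_distance


def classify(from_header: str) -> str:
    """Return 'ok', 'lookalike-domain' or 'display-name-spoof' for one From: header."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    key = normalise(name)
    if key not in EXECUTIVES:
        return "ok"                      # display name is not an executive we protect
    if addr == EXECUTIVES[key]:
        return "ok"                      # name and address both match the real executive
    if is_lookalike(domain, ORG_DOMAIN):
        return "lookalike-domain"        # executive's name on a near-copy of our domain
    return "display-name-spoof"          # executive's name on some other address entirely


def triage(headers):
    """Classify a batch of From: headers; returns a header -> verdict mapping."""
    return {h: classify(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS).items():
        print(f"{verdict:20} {header}")
```

The check is deliberately conservative: it only fires when a protected name is present, so ordinary external mail is untouched, and the edit-distance threshold of one catches single-character swaps such as the `examp1e.com` sample without flagging every unrelated domain.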

What do attackers want?

In the majority of cases, attackers are after financial gain, either directly or indirectly. They may head straight for credit card details, or they might use access to servers and mailboxes to gather information that can be sold. According to Verizon’s 2019 Data Breach Investigations Report, 88 per cent of phishing attacks are financially motivated and 10 per cent are espionage efforts.

Where do phishing attacks come from?

This is difficult to say definitively. In the early days of phishing emails, they were easy to spot due to their relatively poor use of grammar. Phishing attacks these days are much more sophisticated, and when we consider the enormous budgets behind state-based espionage, an attack can come from literally anywhere in the world. The introduction of phishing kits has also lowered the skill barrier for attackers to spoof website domains for capturing credentials.

Why are phishing attacks still so effective?

Phishing attacks are the most common form of what are broadly known as social engineering attacks. All of these attacks use our own psychology against us, as is the case with baiting, which involves tempting us to open malware-infected media, or scareware, which bombards users with fake threats and alerts until they hand over their credentials. Each scenario is difficult to prevent because people aren’t robots, and we’ll always respond to stimuli in very human ways.

When will we ever learn to spot phishing attacks?

The good news is that our awareness is far better than it was in the early days of the internet, when mysterious foreign princes could fool us into handing over our life savings for a lucrative diamond investment opportunity. But there is still a long way to go, particularly when we consider phishing attacks are still the first-choice method of cyber attackers.

All of this demonstrates that cybersecurity awareness training is more essential than ever if we want to keep our organisation’s sensitive data secure, especially our customer data. If our employees don’t have the knowledge or awareness of how to recognise and prevent phishing attacks, then no amount of money spent on enterprise security software will change how vulnerable businesses remain.

Datacom can partner with you to help you avoid the potentially catastrophic costs of a phishing attack. Our experienced team is here to help you evolve your people and processes through both targeted and organisation-wide cybersecurity awareness training modules. Speak to us today to discuss how we can help you become more resilient against a growing array of threats.
