Phishing is alive and kicking as one of the methods most widely used by cybercriminals for penetrating the IT networks of organizations and businesses both small and large. The reason why is simple: It works.
While a well-trained employee can learn to screen their email carefully, even professionals are sometimes fooled by cleverly disguised scam emails. That is why, according to a Verizon Data Breach Report, an estimated 32% of all digital data breaches in 2019 originated from phishing emails. In 2021 the numbers only got worse: the 2021 edition of the same Data Breach Report claims that 43% of all breaches involved phishing.
It’s also worth noting that successful phishing attempts are costly: 60% of them involve some level of data or financial loss for the business.
What are Phishing Email Scams?
In basic terms, phishing email scams are based on sending a recipient inside a business or organization an email that’s malicious, but disguised to look like it came from a trusted source. The point of this email is usually to get the person receiving it to either unknowingly download some kind of malware or to simply reveal information that can later be used for another kind of breach. The kind of information commonly asked for includes:
- Login credentials
- Dates of birth
- Social security numbers
- Corporate account numbers
- Credit card information or other financial details
- Specific addresses
- Password access information
Different Types of Phishing Attempts
One thing that all phishing email attacks share is that they were created to trick the recipient into doing or revealing something they shouldn’t. Among phishing emails, however, there are different variants that serve different purposes. Here’s an essential breakdown:
Dishonest information requests: The most basic sort of phishing email attack involves simply formatting a message and its sender details to look like they came from a trusted source. Inside the email, the hacker will ask for information to use later to orchestrate an even bigger attack. These types of phishing attacks don’t directly try to hack the recipient’s network right through the email. Instead, they ask for details such as personal or login information that they can later use in another attack.
False link emails: In the case of false link emails, an attacker sends one of your organization’s staffers a legitimate-looking email containing a link whose URL is designed to look like it belongs to a legitimate page of some kind (usually a page belonging to your company or some trusted organization). The email asks you to visit the link, either to download something that includes malware or to enter sensitive information that will be copied and reused later for other attacks.
Spoofed website emails: What you’re dealing with here is similar to the false link email example above but in this case, the focus is on making a recipient open a link to a website that looks just like a page from a legitimate site. For example: an attacker could mimic your business banking login page on their own site, with its own similar-looking URL, and hope you click it to “log in” and reveal your access credentials.
Executive fraud: With executive fraud, or CEO fraud, attackers rely on a natural tendency of employees to cooperate with email requests that look like they came from their own supervisors and company executives. In this case, they pose as one of these people, asking an employee to reveal, download or do something that can be used by the hackers.
Content injection: With content injection phishing emails, attackers temporarily compromise a real website that your company has dealings with and then email you a link and a request to visit that page. They then send you to a fake login page or pop-up window that appears to be a legitimate part of the real site. This is where they steal data or credentials.
Malware download emails: Emails that ask you to download malware use any one (or more) of the above phishing attack types to convince you to click a link that downloads malware to your network. In some cases, they ask you to download some kind of software, document or other email attachment for the same reason, because it contains malware. This is one method by which ransomware enters company systems to lock them down with encryption until a ransom payment is made.
Payment requests: Certain kinds of phishing attempts simply ask for payment directly. Instead of asking for credentials or asking an employee to download something that injects malware, they use link or website spoofing (as mentioned above) to fool a company staffer with access to company finances into sending a payment for something that seems legitimate.
Other phishing innovations: Finally, the above are just some of the more common phishing emails out there. There are others that combine one or more of the above, or use other technologies such as mobile networks and SMS or social media chat messaging to do the same things.
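Two of the variants above, false link emails and executive fraud, leave traces that a mail filter can check mechanically: the visible text of a link names one domain while its href points to another, and the From: display name claims to be an executive while the address sits outside the company's domain. The following is an added example, not code from the original post or from Great Lakes Computer or Mimecast, that runs both checks over a constructed raw message; the company domain, the executive directory and the sample email are all made-up assumptions, and the "registered domain" helper simply takes the last two labels of a hostname rather than consulting a public-suffix list.

```python
"""Added example (not from the original post): flag two phishing indicators
described above in a raw email: (1) link text that shows one domain while the
href points to another, and (2) a From: display name matching a known
executive while the address is not that executive's real address.
All names, domains and the sample message below are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"                        # constructed defender domain
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}     # constructed directory

def registered_domain(host):
    """Crude registered domain: last two labels (assumption: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

# A domain or URL written into the visible link text
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def mismatched_links(html):
    """Return (visible_text, href) pairs whose text names a different
    registered domain than the one the href actually points to."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        match = DOMAIN_IN_TEXT.search(text)
        if not match:
            continue                       # plain words like "click here": nothing to compare
        shown = registered_domain(match.group(1))
        actual = registered_domain(urlparse(href).hostname or "")
        if shown != actual:
            findings.append((text, href))
    return findings

def executive_impersonation(msg):
    """Return the display name if it matches a known executive but the
    sender address differs from that executive's directory address."""
    name, addr = parseaddr(str(msg["From"]))
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        return name
    return None

def analyze(raw):
    """Parse a raw RFC 5322 message and run both checks on it."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return {"link_mismatches": mismatched_links(html),
            "executive_impersonation": executive_impersonation(msg)}

# Constructed sample: forged executive display name plus a look-alike link.
SAMPLE = """From: Jane Doe <jane.doe@mail-example.net>
To: staff@example.com
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please log in at <a href="http://login.example.com.evil-host.net/auth">https://login.example.com</a> today.</p>
<p>Our policy page: <a href="https://www.example.com/policy">www.example.com/policy</a></p>
</body></html>
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Only the first link is reported, because its text names example.com while the href resolves to evil-host.net; the second link's text and href agree. A real filter would replace the two-label heuristic with a public-suffix list and would compare display names case-insensitively against the whole directory, but the structure of the checks stays the same.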
How You Can Protect Your Business
Protecting your business from every possible kind of email phishing attempt is extremely complicated. This is why this entire range of attack methods is still often successful despite years of use by cybercriminals. Your best option for protecting your business lies with the services of a highly professional managed IT services provider and their email security solutions. Great Lakes Computer and our partner Mimecast offer these in a way that thoroughly roots out possible phishing vulnerabilities from end to end. This lets your IT network stay secure even if employees sometimes make mistakes in how they handle dishonest emails.