Fighting phishing attacks 101: Definition, methods, and more

Phishing, a social-engineering tactic almost as old as email itself, is still one of the most widely used tools of malicious actors today. Research counted more than 1 million phishing attacks in the first quarter of 2022 alone, and the risk of exposure grows every year. In this post, we've compiled the essential information about phishing attacks, which have become even more widespread in the era of remote work.

Statistics show that roughly 15 billion spam emails are sent every day, and 83% of organizations reported experiencing a phishing attack in 2021. Another study counted more than 1 million phishing attacks worldwide in the first quarter of 2022, making it the worst quarter on record for phishing. The prevalence of remote work in the post-pandemic period has further increased the likelihood of being targeted. Finance, software as a service (SaaS), e-commerce, social media, cryptocurrencies, payment systems, and logistics are the sectors most frequently imitated in phishing attacks.


But first things first: What exactly is a phishing attack?


Phishing attacks aim to obtain users' personal data through deceptive emails or fake websites and are among the methods cyber-attackers use most. They come in many forms, but all of them exploit human weaknesses through social engineering. In this post, we'll cover the definition of phishing, the history of the phenomenon, and the most common phishing techniques. We'll also examine the direct relationship between the era of telecommuting and phishing attacks.

What is a phishing attack? A brief history of the phishing phenomenon

A phishing attack is a cybercrime in which malicious actors contact a target via email, phone or text message while posing as a legitimate institution or authority, in order to persuade the victim to hand over sensitive personal data such as passwords or bank and credit card details. Phishing is a form of psychological manipulation: it seeks to steer victims into behaving in a particular way. Attacks are organized around social engineering, tricking victims into volunteering information, with the ultimate aim of data theft and fraud.

The term dates back to the mid-1990s, when attackers impersonated America Online (AOL) staff to harvest account passwords; the first lawsuit over phishing is generally cited as a 2004 case against a Californian attacker who collected users' sensitive information through a fake web page disguised as the AOL website. Phishing attacks can be carried out through emails and websites as well as messaging channels such as text (SMS) and WhatsApp messages.


What are the main features of phishing attacks?

Phishing attacks exploit people's weaknesses, pushing them to make quick decisions driven by emotion rather than reflection. The main features of phishing attacks can therefore be summarized under the following headings:

  • They offer deals that are too good to be true: Phishing messages often dangle incredible deals, discounts or sweepstakes to attract the user's interest.
  • They create the illusion of a "once-in-a-lifetime" opportunity: A favorite tactic of cybercriminals is to offer deals that are "available for a limited time only." They want victims to decide quickly, on an immediate emotional response. The sooner the deal is struck, the less time the victim has to question its legitimacy.
  • They rely on links or email attachments: The attacker needs the victim either to land on a form that captures credentials or to open a file that installs malware, so phishing emails almost always carry a link or a file attachment.
  • They often come from unknown senders: Although email services today route messages from unrecognized senders and domains to a spam folder, victims can still fall for what is written in them. Typical lures include an unexpected inheritance from a distant relative, a lottery jackpot, or a once-in-a-lifetime holiday.


How do phishing attacks work?

As mentioned above, phishing attacks are generally based on social engineering. They aim to obtain victims' data by offering a seemingly genuine opportunity. To make their scams more believable, attackers first research the target's personal history, work experience, interests or hobbies using publicly available sources such as social media profiles and company websites. Attackers posing as senior company officials often gain victims' trust with this simple preparation.

While many phishing emails are poorly written and obviously fraudulent, criminals increasingly borrow professional marketing techniques to make their messages convincing. In a typical attack the victim receives a message from the attacker, clicks the link or opens the attachment, and is then talked into entering personal data on a fake page before being defrauded. Malicious attachments are also a common delivery route for ransomware, with reported ransom demands of over $800,000 and a total cost, once data recovery and downtime are included, that can run to millions of dollars. Victims can lose their social media accounts, their bank credentials and their cash.


Techniques and types of phishing attack

Although all phishing attacks rest on the same general idea, they can be carried out in different ways, and each variant has its own name. The most common types are described below:

  • Targeted phishing ("spear phishing"): These attacks use the victim's personal information to make the message credible. The attacker typically knows the victim's name, location or other details and references coworkers or managers at the victim's organization.
  • Whaling: This type of attack targets upper-level executives using the same methods as spear phishing. Whaling attacks usually aim to defraud the target of large sums of money or to obtain privileged access.
  • Pharming: This method requires substantial technical know-how. Instead of luring the victim with a message, the attacker redirects traffic for a site the user visits daily (for example, Internet banking) to a look-alike site, typically by poisoning DNS caches or tampering with the victim's hosts file. Users who fail to notice the difference enter their credentials on the fake platform, effectively handing them to the attacker.
  • Voice phishing ("vishing"): Here the perpetrator contacts the victim by telephone, either by leaving voice messages or by calling directly. For example, the caller claims to be a police officer and says that money was transferred from the victim's account to an illegal organization. They then ask the victim to "verify" their identity and share their account details to resolve the matter.


Phishing attacks in the era of telecommuting

The State of Email Security 2022 report, published by Mimecast, states that phishing is the most common type of email-borne attack. While 55% of survey participants said email phishing attacks were on the rise, nearly all (96%) said their organization had experienced phishing, in one form or another, within the last year. The post-pandemic prevalence of hybrid work models has also contributed to the rise. There are two main reasons for this:

  1. Employees connect to company resources from their home Internet connections. Home networks lack the email gateways, web filtering and firewalls that typically protect a corporate network.
  2. Employees working alone are more likely to act on a message without checking with a colleague, especially under a heavy workload. People working from home also tend to let their guard down, think less critically, and fall for phishing attacks much more easily.


Which sectors do phishing attacks target the most?

Since the main motivation of phishing attackers is financial, they target the most lucrative sectors. According to data compiled for the first quarter of 2022 by Statista, the financial services industry comes first, followed by software as a service (SaaS), then e-commerce platforms and retail services. Users of cryptocurrency exchanges, which have become increasingly popular investment tools, are also among those most affected by phishing.


Phishing attack examples: How are attacks detected?

Many email services offer some protection against phishing, but phishing isn't carried out only via email, and antivirus software, firewalls and spam filtering alone are no longer enough. Users must know how to recognize an attack themselves. Common ruses used in phishing attacks include the following:

  • Business-focused phishing attacks (business email compromise): An attacker posing as the CEO or CFO of the victim's company contacts the victim and requests an urgent money transfer or a change to a supplier's bank details.
  • Financial phishing attacks: These use confusing payment notifications. The victim clicks a link in a message about a payment they supposedly owe, or have already made, and is asked to share personal data "to clarify the issue."
  • Gift- and inheritance-related phishing attacks: The victim is told they have unclaimed assets, have won a prize, or are entitled to a large inheritance. Enthralled by the news, they are asked to pay a fee to access the imaginary windfall.


How you can protect yourself from phishing attacks

To protect yourself from phishing, question the authenticity of every unexpected message. Evaluate the grammar and spelling, and check whether the sender's address and domain are genuine. Searching a distinctive sentence from the email on Google is one way to discover whether it is a known scam. Before clicking any link, hover over it to see where it really leads and look up the destination address; the visible link text and the actual target often differ. It also helps to keep your cool and consult at least one other person, especially during a voice phishing call, before doing something you might regret.

Businesses have a responsibility here too. First, every business should assess how much its employees know about phishing and raise awareness through training and simulated phishing exercises. Companies, especially those with a hybrid working model, should also deploy layered security controls (email filtering, link scanning, endpoint protection and multi-factor authentication, which limits the damage when a password is phished) to protect their networks and reduce the attack surface that cyber-criminals can exploit.
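The checks recommended above (verify the sender domain, compare the visible link text with the real target, watch for urgency language, and be suspicious of executives or brands writing from outside their own domain, as in the business email compromise example earlier) can be automated as a first-pass triage. The script below is an added example, not code from the original article or any product it mentions: the trusted-domain list, the executive name and both sample messages are hypothetical and constructed for the demonstration.

```python
"""Heuristic triage of a raw e-mail for common phishing indicators.

Added example, not the article's own code. TRUSTED_DOMAINS, EXECUTIVES
and both sample messages below are hypothetical and constructed.
"""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com", "paypal.com", "microsoft.com"}   # hypothetical
EXECUTIVES = {"jane doe"}    # hypothetical display names an attacker might borrow
URGENCY = ("urgent", "immediately", "within 24 hours",
           "account will be suspended", "limited time")

def registrable(host):
    """Crude eTLD+1 (last two labels); sufficient for the constructed samples."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character swaps such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(host):
    """Describe how `host` imitates a trusted domain, or return None if it does not."""
    host = host.lower()
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    if "xn--" in host:                      # IDN homograph candidate
        return "a punycode (IDN homograph) domain"
    for t in TRUSTED_DOMAINS:
        if t in host and not host.endswith(t):   # paypal.com.attacker.example
            return f"{t} (brand used as a subdomain)"
        if edit_distance(reg.split(".")[0], t.split(".")[0]) == 1:
            return f"{t} (one character changed)"
    return None

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyze(raw):
    """Return human-readable findings for a raw RFC 822 message; [] means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = email.utils.parseaddr(str(msg["From"]))
    from_dom = addr.rpartition("@")[2]
    if (why := lookalike(from_dom)):
        findings.append(f"sender domain {from_dom} looks like {why}")
    if msg["Reply-To"]:                     # replies silently diverted elsewhere
        reply_dom = email.utils.parseaddr(str(msg["Reply-To"]))[1].rpartition("@")[2]
        if reply_dom != from_dom:
            findings.append(f"replies go to {reply_dom}, not to the sender domain {from_dom}")
    if registrable(from_dom) not in TRUSTED_DOMAINS:   # display-name impersonation
        for b in sorted({t.split(".")[0] for t in TRUSTED_DOMAINS} | EXECUTIVES):
            if b in name.lower():
                findings.append(f"display name '{name}' borrows '{b}' from an untrusted domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    parser = AnchorCollector()
    parser.feed(text)
    for href, visible in parser.anchors:
        host = urlparse(href).hostname or ""
        if (why := lookalike(host)):
            findings.append(f"link host {host} looks like {why}")
        shown = re.search(r"https?://([^/\s]+)", visible)   # URL shown as link text
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(f"link text shows {shown.group(1)} but points to {host}")
    haystack = (str(msg["Subject"] or "") + " " + text).lower()
    hits = [k for k in URGENCY if k in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings

# Constructed sample messages (not real mail).
PHISHING_SAMPLE = """\
From: "PayPal Support" <service@paypa1.com>
Reply-To: collect@mail-relay.example.net
To: victim@example.com
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended unless you verify immediately.</p>
<p><a href="http://paypal.com.secure-login.example/verify">https://www.paypal.com/verify</a></p>
</body></html>
"""
BENIGN_SAMPLE = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: victim@example.com
Subject: Monthly newsletter
Content-Type: text/html; charset="utf-8"

<html><body><p>This month's update: <a href="https://intranet.example.com/news">https://intranet.example.com/news</a></p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyze(sample))
```

Run against the constructed phishing sample, `analyze` reports six findings (a one-character look-alike sender domain, a diverted Reply-To, a brand name in the display name, a brand buried in a link subdomain, link text that shows a different host than the real target, and urgency wording), while the benign sample produces none. The heuristics are deliberately simple: a production gateway would use a real public-suffix list instead of `registrable`, check SPF/DKIM/DMARC results, and treat these flags as a score rather than a verdict.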


Frequently Asked Questions

What is a phishing email?

A phishing email is a message that uses social engineering to trick the recipient into revealing personal data, such as passwords and bank details, or into opening a malicious link or attachment.

What are the main types of phishing?

The most common types of phishing are spear phishing, whaling, voice phishing (vishing) and pharming; of these, only pharming requires considerable technical know-how.

What is a phishing website?

A phishing website is a web page that mimics a legitimate website and forwards whatever the visitor enters on it, such as login credentials or card numbers, to malicious actors. For example, a page that reproduces every standard feature of the Facebook login interface but sits on a different domain is very likely a phishing website.

How does one identify a phishing attack?

Common signs of a phishing attack include poor grammar, unfamiliar senders, sender domains that mimic a legitimate domain name but don't quite match, and suspicious links or file attachments. Phishing emails often end up in the spam folder. Malicious actors typically claim the situation is "urgent" and requires immediate action, and they offer opportunities that appear "too good to be true" – which, as the victim soon discovers, they are.