What is Phishing?

Phishing is a form of social engineering attack in which malicious parties trick a person into providing sensitive information. The attacker sends a message designed to look like it's from a reputable third party. Phishing attacks can be used to steal financial information, login details and other sensitive data. The FTC said consumers reported losing $5.8 billion to fraud in 2021, with imposter scams being one of the leading types of fraud. Understanding what phishing is and how to avoid it can help consumers and businesses alike protect their data.

Types of Phishing

Phishing can be performed over any communication medium. Some of the most common types of phishing include:

Email Phishing

When most people think of phishing, they think of emails. Email phishing is itself separated into a few different types:

  • Spear phishing: Targeted phishing attacks are known as spear phishing. In this attack, someone who already has some personal information about the victim will use that information to make their communications appear more legitimate.
  • Whaling: If a phishing attack is aimed specifically at a high-profile individual such as a senior manager or CEO of a company, this is known as whaling. These attacks are usually very sophisticated and may take a long time to plan and execute.
  • CEO fraud: In CEO fraud, the attackers impersonate an executive or manager in an attempt to trick an employee into acting on a request that appears to come from that executive.
  • Clone phishing: With this attack, hackers send a message designed to look like it's from a well-known brand. Common clone phishing attacks involve major banks, payment processors and couriers, as well as government organizations.

Voice Phishing

Voice phishing attacks involve calling the intended victim and attempting to persuade them to perform an action. The caller may pose as a collection agency querying an unpaid bill, or someone from "tech support" who needs access to the user's computer.

SMS Phishing

In an SMS phishing attack, the malicious party will send a text message asking the victim to click a link or reply to the message. These attacks often copy the kind of SMS message a person would receive from a courier or a government website, even down to replicating the number it was sent from.

Page Hijacking

Page hijacking attacks involve the attacker cloning a website and directing the victim to it. This could be a broad attack where they attempt to generate lots of traffic to the fake page through paid advertising, or a targeted attack where page hijacking is combined with other forms of phishing.

Calendar Phishing

This attack takes advantage of poorly configured calendar defaults to place phishing links in people's online calendars. Many people are trained to look out for phishing links in their emails but may not be aware that it's possible to insert malicious links into their calendars too, giving these attacks a relatively high chance of success.

Phishing Techniques

The way the messages are delivered is just one part of phishing. It's also important to be aware of how the scam works. Successful phishing emails employ several techniques to bypass email filters and fool the recipient into clicking the link or following through with the desired action.

Link Manipulation

Link manipulation is used to make links in an email look like the address of the website the attacker is impersonating. However, when the user clicks on the link, it takes them to the attacker's website. Some perpetrators go a step further and use unusual characters or long and complex addresses to fool users who may not understand the difference between a top-level domain and a sub-domain.

Filter Evasion

Attackers often use images to bypass phishing and spam filters. Email platforms and software often have filters in place to block spam and malicious emails, but these filters mostly inspect message text and are not always good at reading text that has been rendered into an image.
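Both techniques above can be checked for mechanically. The following is an added example, not code from the original article or from Veeam: a small Python analyzer that walks an HTML message body, flags anchors whose visible text names a different registrable domain than the one their href actually points to, flags a protected brand domain that appears only as a sub-domain of some other registrable domain (the top-level-domain versus sub-domain confusion described above), and flags bodies that consist of images with almost no text. The brand domain safe-bank.example, the sample bodies and the 40-character threshold are constructed for illustration; the two-label registrable-domain rule is a stand-in for a Public Suffix List lookup.

```python
"""Heuristic indicators for link manipulation and image-only message bodies.
Added example; the brand domain, sample bodies and threshold are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brand domain that should only ever appear as the registrable domain.
PROTECTED_DOMAINS = {"safe-bank.example"}
MIN_TEXT_CHARS = 40  # constructed threshold for "image with almost no text"


def _host(url: str) -> str:
    """Hostname of a URL, lower-cased; '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def _looks_like_domain(host: str) -> bool:
    """True for at least two non-empty labels made of letters, digits and hyphens."""
    labels = host.split(".")
    return len(labels) >= 2 and all(l and l.replace("-", "").isalnum() for l in labels)


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. This approximates the registrable domain
    and is wrong for multi-label public suffixes such as co.uk; use the Public
    Suffix List in production."""
    labels = [l for l in host.split(".") if l]
    return ".".join(labels[-2:])


class _Collector(HTMLParser):
    """Gathers (href, visible text) pairs, the image count and the visible text length."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = 0
        self.text_chars = 0
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
        elif tag == "img":
            self.images += 1

    def handle_data(self, data):
        self.text_chars += len(data.strip())
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_html(body: str) -> list:
    """Return a list of human-readable indicator strings found in an HTML body."""
    c = _Collector()
    c.feed(body)
    c.close()
    findings = []
    for href, text in c.links:
        href_host = _host(href)
        # Visible text that is itself a URL or bare domain, but for a different registrable domain.
        text_host = _host(text if "://" in text else "https://" + text)
        if _looks_like_domain(text_host) and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append(f"link text '{text}' points at host '{href_host}'")
        # Brand domain buried in a sub-domain, e.g. safe-bank.example.attacker.test.
        for brand in PROTECTED_DOMAINS:
            if brand in href_host and registrable_domain(href_host) != brand:
                findings.append(f"brand '{brand}' used as a sub-domain of '{registrable_domain(href_host)}'")
    if c.images and c.text_chars < MIN_TEXT_CHARS:
        findings.append(f"{c.images} image(s) but only {c.text_chars} characters of text: text filters see almost nothing")
    return findings


# Constructed sample: the visible link shows the bank's real domain, but the href
# leads to a lookalike host on which the brand is only a sub-domain.
SAMPLE_BODY = """<html><body>
<p>Your account has been locked. Verify your details within 24 hours.</p>
<a href="https://safe-bank.example.login-verify.test/auth">https://safe-bank.example/login</a>
<a href="https://tracking.mailer.test/c?id=1">Unsubscribe</a>
</body></html>"""

# Constructed sample: the whole lure is one image, with a single dot as clickable text.
IMAGE_ONLY_BODY = '<html><body><img src="cid:offer"><a href="http://promo.test/go">.</a></body></html>'

if __name__ == "__main__":
    for finding in analyze_html(SAMPLE_BODY) + analyze_html(IMAGE_ONLY_BODY):
        print("indicator:", finding)
```

Run against SAMPLE_BODY the analyzer reports the text/href mismatch and the brand-as-sub-domain pattern; against IMAGE_ONLY_BODY it reports the image-only body. Treat these as indicators to score, not verdicts: legitimate newsletters also use tracking hosts and image-heavy layouts, so a gateway would combine them with sender reputation and authentication results.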

Social Engineering

The practice of social engineering involves identifying victims and building trust. For example, if someone falls for the first stage of a phishing attack and replies to an email, the attacker will gradually ask them to hand over personal information, using plausible excuses as to why they need each bit, rather than demanding it all in one go.

How to Recognize Phishing

Phishing attempts can vary from being relatively poorly constructed email messages full of spelling, punctuation and grammar errors to carefully crafted and highly targeted messages. Some common things to look out for include:

  • The email address the message comes from is not one you recognize
  • There are spelling mistakes or grammatical errors in the mail
  • The branding/logos look "off"
  • The message fails to refer to you by your correct name/username
  • The message refers to a transaction that never happened
  • You're sent an attachment you weren't expecting
  • You're asked to perform an action the sender has never asked you to take before
  • The message went to your junk folder, but other messages claiming to be from that sender land in your inbox

Phishing Prevention Best Practices

Businesses looking to protect themselves from targeted phishing attacks should consider taking a variety of precautions, including improvements to their security policies and training their staff to spot and avoid cyberattacks. Some useful precautions include:

Email Filtering and Content Redaction

Enable aggressive email filtering and content redaction at the network level if possible. Blocking known malware or tracking sites can go a long way toward reducing phishing threats. Consider displaying a warning on all emails that come from an address that's not in the user's address book.
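The "sender not in the address book" warning above is simple to implement at the gateway. The following is an added example, not code from the original article or from Veeam: a Python function that parses a raw message, classifies its From: address against a hypothetical organization domain and user address book, also catches the display-name trick where a known contact's name is placed on an address the user has never seen, and prepends an [EXTERNAL] tag to the Subject when a warning applies. The domains, address book and sample messages are constructed for illustration.

```python
"""Decide whether an inbound message should carry an external-sender warning.
Added example; the organization domain, address book and sample messages are constructed."""
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAINS = {"corp.example"}                 # hypothetical internal mail domains
ADDRESS_BOOK = {                               # hypothetical user address book
    "alice@corp.example": "Alice Example",
    "dana@supplier.example": "Dana Vendor",
}
BANNER_TAG = "[EXTERNAL]"


def classify_sender(raw_message: str) -> dict:
    """Classify the From: address of a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    address = address.lower()
    domain = address.rpartition("@")[2]
    known = address in ADDRESS_BOOK
    internal = domain in ORG_DOMAINS
    # Display-name spoofing: a known contact's name on an address we have never seen.
    known_names = {n.lower() for n in ADDRESS_BOOK.values()}
    spoofed_name = (not known) and display_name.strip().lower() in known_names
    return {
        "address": address,
        "internal": internal,
        "known": known,
        "spoofed_name": spoofed_name,
        # Warn on anything neither internal nor in the address book, and always on name spoofing.
        "warn": (not internal and not known) or spoofed_name,
    }


def tag_subject(raw_message: str) -> str:
    """Return the message with BANNER_TAG prepended to the Subject when a warning applies."""
    verdict = classify_sender(raw_message)
    msg = message_from_string(raw_message, policy=policy.default)
    if verdict["warn"]:
        subject = str(msg.get("Subject", ""))
        if "Subject" in msg:
            msg.replace_header("Subject", f"{BANNER_TAG} {subject}")
        else:
            msg["Subject"] = f"{BANNER_TAG} {subject}".strip()
    return msg.as_string()


# Constructed sample messages.
INTERNAL_MAIL = ("From: Alice Example <alice@corp.example>\n"
                 "To: bob@corp.example\nSubject: Lunch\n\nStill on for noon?\n")
SPOOFED_MAIL = ('From: "Alice Example" <alice.example@freemail.test>\n'
                "To: bob@corp.example\nSubject: Urgent wire\n\nPlease process today.\n")
UNKNOWN_MAIL = ("From: billing@parcel-notice.test\n"
                "To: bob@corp.example\nSubject: Delivery failed\n\nClick to reschedule.\n")

if __name__ == "__main__":
    for raw in (INTERNAL_MAIL, SPOOFED_MAIL, UNKNOWN_MAIL):
        print(classify_sender(raw))
```

The From: header on its own can be forged, so in production the "internal" decision should also require the message to have passed SPF, DKIM and DMARC checks for the organization's domain (for example by reading the gateway's Authentication-Results header) rather than trusting the domain in the header; otherwise a forged internal From: would suppress the warning. Placing the banner in the body as well as the Subject helps users whose clients hide or truncate subjects.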

Browser Alerts

Use a browser configured to display an alert if the user is directed to an insecure website or a known phishing website. Ensure users are not able to disable or bypass these alerts.

Augmenting Password Logins

Use extra security features in addition to password logins. For example, biometric security can be employed for important systems. In addition, using "confidence images" as part of the login process can alert users to the possibility they're on a phishing site.

Multifactor Authentication (MFA)

Enabling MFA for important systems can reduce the risk of phishing and other forms of cyberattacks. Consider using a hardware authenticator over SMS-based two-factor authentication, because SMS authentication can be bypassed via SIM-swap attacks.
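The SIM-swap point above is one reason to prefer a hardware authenticator; the other, which goes beyond what the paragraph states, is that a FIDO/WebAuthn-style token binds each login assertion to the web origin the browser is actually on, so a code or signature captured on a lookalike site is useless at the real one. The following is an added illustration, not code from the original article or from Veeam, and a simplified model of the real protocol: an HMAC over a per-site secret stands in for the token's public-key signature, the browser's RP ID check is reduced to a DNS-suffix match, and all domains are constructed.

```python
"""Why an origin-bound hardware authenticator resists phishing where an SMS code does not.
Added illustration, not code from the page: an HMAC over a per-site secret stands in for the
authenticator's public-key signature, and all domains are constructed."""
import hashlib
import hmac
import json
import secrets

RP_ID = "safe-bank.example"                                   # the bank's relying-party ID
REAL_ORIGIN = "https://safe-bank.example"
PHISH_ORIGIN = "https://safe-bank.example.login-verify.test"  # constructed lookalike site


class Authenticator:
    """Toy hardware token: one credential per relying party, created at enrollment."""

    def __init__(self):
        self._creds = {}

    def register(self, rp_id):
        secret = secrets.token_bytes(32)
        self._creds[rp_id] = secret
        return secret              # stands in for the public key the site stores

    def get_assertion(self, rp_id, client_data):
        if rp_id not in self._creds:
            return None            # never enrolled here: nothing to sign
        auth_data = hashlib.sha256(rp_id.encode()).digest()          # rpIdHash
        signed = auth_data + hashlib.sha256(client_data).digest()    # what WebAuthn signs
        return auth_data, hmac.new(self._creds[rp_id], signed, "sha256").digest()


def browser_login(token, page_origin, requested_rp_id, challenge):
    """The browser, not the page, records the origin, and it refuses an RP ID that the
    page's host is not part of (simplified here to equality or DNS-suffix match)."""
    host = page_origin.split("://", 1)[1]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        return None
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    result = token.get_assertion(requested_rp_id, client_data)
    return None if result is None else (client_data,) + result


def relying_party_verify(secret, challenge, assertion):
    """The bank checks the challenge, the origin and the signature before accepting."""
    if assertion is None:
        return False
    client_data, auth_data, sig = assertion
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:
        return False               # assertion was produced on some other site
    if auth_data != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(secret, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return hmac.compare_digest(expected, sig)


def login_attempt(page_origin, requested_rp_id=RP_ID):
    """Simulate a user who enrolled at the real bank completing a login on page_origin.
    Whatever the page obtains is relayed to the bank unchanged; returns the bank's verdict."""
    token = Authenticator()
    verifier = token.register(RP_ID)           # enrollment happened at the real bank
    challenge = secrets.token_hex(16)          # issued by the bank for this login
    assertion = browser_login(token, page_origin, requested_rp_id, challenge)
    return relying_party_verify(verifier, challenge, assertion)


if __name__ == "__main__":
    print("real site  :", login_attempt(REAL_ORIGIN))
    print("phish site :", login_attempt(PHISH_ORIGIN))
```

On the real origin the assertion verifies. On the lookalike origin the phishing page has two options and both fail: asking for the bank's RP ID is refused by the browser because the page's host is not under that domain, and asking for its own RP ID yields nothing because the token was never enrolled there. An SMS code has no such binding: whether intercepted by SIM swap or simply typed into the lookalike page and relayed, the same six digits are accepted by the real site.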

How Veeam Can Help

Phishing attacks on businesses can be incredibly costly, especially if they provide a route for attackers to infect your network with ransomware. Learn how Veeam can help you protect your business's vital data with backup and recovery solutions and ransomware protection.