No, that email from UPSTRACKINGaxxy121@U.ps.org is not your UPS tracking code! Do NOT click that link – it’s a phishing scam.
Phishing has rapidly become one of the most prevalent types of cyberattacks around the world, expanding far beyond the realm of simple email and showing up on our phones, tablets, and more.
Considering how easy it is to throw on a FedEx hat, and create a convincing phishing email address and a halfway decent phishing message, it’s no wonder phishing has become one of the most common types of hacks in the world today.
What is Phishing?
Phishing is a cyber attack that uses disguised email as a weapon. In a phishing attack, the phishers pretend to be someone you know and trust – UPS or the US Postal Service, for example – and attempt to get you to perform some action that would be safe under normal circumstances.
The goal is to trick the email recipient into believing that the message is something they want or need from a source they can trust — a request from their bank, for instance, or a note from someone in your company — and to click a link or download an attachment.
The Business Impacts Of Phishing
The results of phishing can be catastrophic. Since they involve willing participants, rather than brute-force assaults on a company’s IT infrastructure, phishing scams often go undetected – leading to massive losses that can accrue quickly or over time.
The financial impact of phishing cannot be understated. According to IBM and Hoxhunt, companies in general lose on average $5 million per cyber attack, and as Cloudflare reported this year, phishing attacks account for 90% of all cyberattacks!
We often don’t think of phishing attacks as hacks or cyberattacks, but they absolutely are. Phishing attacks are brutally effective because they are easy to pull off and reap huge rewards for the would-be hackers. Phishing will only continue to grow in popularity and effectiveness as more mediums for access, like VR, become commonplace.
Common Phishing Formats
- Shipping Notifications
- Emails, texts, or messages from USPS, UPS, FedEx, DHL, or other courier and package services are ripe for phishing scams. Always check and double-check the sending email address and cross-reference it with the provider’s website.
- Bank Account Verification
- Texts, emails, or messages from your “bank” asking for your login details are always to be avoided. Your bank will never ask you for your login details in this way – unless you yourself requested them!
- Fake Invoice
- Fake invoices are extremely common ways to take advantage of overtaxed business owners, who juggle a lot of paperwork.
- Job Opportunities
- A common new type of phishing scam is scams disguised as job offers. These scams usually require you to pay for materials or equipment up front in the form of a “deposit” that will be paid back in your first paycheck. You guessed it – that first paycheck never comes.
How Do Phishing Scams Attack Businesses?
Phishing scams exploit the trust of employees and use the guise of urgency or authority to trick them into giving away confidential information.
The most common goal of a phishing attack on businesses is to gain access to an employee’s login credentials. Usually, this will be in the form of some duplicated login page that is sent via email. Once the employee enters their company login information, the hackers have access to your company’s back end and are free to wreak whatever havoc they want to wreak. But in many cases, they can go even further,
An article by Cloudflare has an excellent example of this in their article on this topic (which is great, by the way). They detail a Microsoft Office 365 credential harvesting attempt where attacks sent mass emails that appeared to be from Microsoft – the biggest software provider in the world – with the body of the email being a hyperlinked JPEG image.
These attackers went a step further and didn’t even require the user to enter credentials or anything at all. Any click on the image-led the recipient to a compromised site that automatically harvested login credentials via the user’s PC! As you can imagine, this had a catastrophic effect on Office 365 users.
In-Depth Look at Common Phishing Attacks
Here’s a further look at some of the common types (not formats) of phishing attacks:
- Email Phishing: Attackers send emails posing as reputable companies to steal personal information. The emails often contain links to fake websites that mirror the appearance of legitimate ones, tricking users into entering their details.
- Spear Phishing: This more targeted form of phishing involves emails that are customized to individual recipients, using gathered information to appear more legitimate and convincing. They may impersonate colleagues or trusted partners to request sensitive information.
- CEO Fraud: Attackers impersonate a company’s CEO or other high-ranking executives to authorize fraudulent transactions. Attackers spoofed the CEO of French film icon Pathé’s email a few years back – resulting in a loss of €19.2 million. Ouch. Their CEO resigned quickly thereafter. Should’ve read this guide.
- Whaling: These attacks target high-ranking executives with the aim of stealing large sums. The emails may involve requests for wire transfers or sensitive employee information, leveraging the authority of the supposed sender to bypass scrutiny.
- Vishing (Voice Phishing): Attackers use phone calls to extract personal information or financial details from victims. They might pose as bank officials, law enforcement, or other entities that can elicit trust and prompt immediate action. You actually see a lot of these people in car warranty scams and the like.
- Smishing (SMS Phishing): Similar to phishing, but conducted through SMS. These messages might prompt the recipient to click on a malicious link or provide personal information under various pretenses, such as confirming a package delivery or verifying account details. You see a lot of these with fake delivery scams and the like.
- Business Email Compromise (BEC): In BEC scams, attackers gain access to a business email account and use it to conduct unauthorized funds transfers. They might also target employees responsible for wire transfers or payroll management to misdirect funds. These can be some of the most brutal types of phishing attacks for businesses.
- Clone Phishing: Attackers create a replica of a previously sent email containing a safe link, but replace the original link or attachment with a malicious version. Recipients, believing the email is a legitimate follow-up, are more likely to click on the malicious link.
- Domain Spoofing: Cybercriminals use domain names that are visually similar to legitimate ones, exploiting small differences to trick users into believing they are visiting a trusted site.
- Man-in-the-Middle (MitM) Phishing: This involves intercepting a communication between two parties to steal or manipulate the data being exchanged. Attackers might create fake Wi-Fi networks or compromise legitimate ones to carry out this type of attack.
- Pharming: Unlike other phishing attacks that require tricking the user into clicking a link, pharming reroutes legitimate URLs to fraudulent websites through DNS hijacking. Users, thinking they are on the correct website, enter their personal information, which is then stolen by attackers.
Comprehensive Protection Strategies
Protecting your business against phishing requires a multi-functional approach (what doesn’t in IT, though?). The main thing to focus on is your staff, and their access to your data, which does 90% of the heavy lifting here.
- Educate and Train Employees: The primary way to prevent phishing scams is by – frankly – scaring your employees into not clicking anything they think is suspicious. Put the fear of IT God in them. Let them know how serious phishing attacks can affect business – and therefore, their livelihoods!
- Restrict Access: When it comes to giving access to your employees, make sure you restrict access to only job-critical material. This is not to cut them off from your company or to show your power. This is to quarantine more critical information behind more protection.
- Implement Advanced Security Measures: Use email filtering, web filtering, and anti-phishing software to detect and block phishing attempts. This is the least you can do because this will take care of probably 50% of threats.
- Adopt Multi-Factor Authentication (MFA): MFA is basically essential for business applications today. You can get away without MFA as an individual, but as a business, it just makes no sense. Enable it for all users, with no exceptions.
- Develop and Test Incident Response Plans: Prepare your organization to respond effectively to detected phishing attempts to minimize damage. Since they can crush your business quickly and brutally, it’d be a good idea to prepare.
- Backup Data Regularly: Always stay backed up. No, not like that. Back up your data frequently. Regular backups can minimize the damage in case of a data breach, allowing you to “turn back the clock”, so to speak.
- Monitor for Brand Impersonation: Tools that scan the web for fake domains or fraudulent use of your brand can provide early warnings. Companies like ZeroFox provide services to protect your brand from that kind of thing.
- Secure Your Network: Implementing robust network security measures, including firewalls, encryption, and secure Wi-Fi networks, can help protect against phishing attacks that bypass individual defenses.
When it comes to phishing, the key is caution. Encourage your employees to never, ever click a link from an unrecognized email, and make sure the consequences for doing so are firm.
It’s also important that you, as the leader of your team, set a good example by practicing what you preach. You don’t want to pull a Pathé now, do you? No, nobody wants that – except the phishers out there casting hooks for any unsuspecting office workers.
If you’re not sure whether something is a phishing scam, it probably is. And at the end of the day, you can always rely on this one trusty phrase to set you right.
“When in doubt, exit out.”