Phishing attacks are designed to give a cybercriminal access to a secure system, but rather than relying on technical trickery or exploiting configuration errors in computer systems, phishing takes advantage of a much more fundamental weakness: the human factor. Such attacks take a variety of forms. Typically, a phisher sends an email or message designed to trick the victim into unwittingly handing over personal information – usernames, passwords, Social Security numbers, credit card details, and other valuable data – or into installing malware on their systems, opening the door to further attacks down the road.
Phishing is one of the most nefarious and pervasive types of cyberattacks in the world today. It’s a type of social engineering attack that originated in the 1990s, when the early World Wide Web introduced the concept of usernames and passwords to the masses.
While a phishing attack can be devastating to an individual, it can be even more costly to a business. A single compromised username and password can open the entire enterprise up to the attacker if that account has elevated access privileges.
Phishing attacks have steadily grown in prominence since they first appeared, with no signs of slowing down. Since 2019, the number of phishing attacks has grown by more than 150% per year, reaching an all-time high of 4.7 million attacks in 2022. That same year, nearly 38 percent of all complaints received by the FBI’s Internet Crime Complaint Center (IC3) were related to phishing – by far the most common type of crime IC3 tracks. As phishing attacks evolve and become more sophisticated, the use of phishing to plant malware in computer networks is becoming increasingly popular with cyber gangs.
Given this rising threat, which experts believe will only get worse with the advances of artificial intelligence, learning how to recognize and prevent phishing attacks is now an essential skill for individuals and organizations alike.
What are the various types of phishing?
Phishing comprises a wide array of attack types, with more emerging over time. Some of the most common include:
- Email phishing – The most pervasive type of phishing attack. Here, an attacker sends a bulk message designed to look like it comes from a legitimate source, such as a bank or a business the victim deals with. Fraudulent links embedded in the email lead to a phony website that looks real and tricks the user into entering their account information, which the attacker captures. Email has long been, and remains, the primary phishing vector.
- Spear phishing – A more personalized version of the email attack, spear phishing messages rely on information gleaned about the victim in order to enhance the legitimacy of the message and improve the odds of a successful attack. Spear phishing often targets high-value victims, such as CEOs and finance professionals, as the spoils of these attacks can be immense. “Whaling” is another term commonly used to describe the spear phishing of extremely high-value targets.
- Vishing – “Voice phishing” attacks take place over the phone, which lends an air of added legitimacy and urgency to the attack. A visher will often tell a victim that their computer has been compromised and will walk them through the steps needed to grant remote access to it, or will coax them into giving up personal information like passwords and credit card numbers.
- Smishing – “SMS phishing” takes place via text message but otherwise resembles email phishing. It exploits the fact that consumers are generally less wary of fraudulent texts than of fraudulent email.
- Social media phishing – Popular platforms like Facebook and Instagram have become lucrative avenues for attackers to find new phishing victims. Phishers often create phony profiles and befriend the victim by using the personal information people share about themselves on these sites.
Why is phishing so rampant and difficult to stop?
For attackers, phishing remains the preferred method because it is so lucrative. It is also one of the simplest attacks to mount, requiring little specialized knowledge, and the resulting flood of phishing messages is more than many organizations can keep up with.
Phishing requires minimal energy and minimal cost, which on its own would be enough to sustain it. But even more of a driver is its high success rate in comparison to other types of attacks. In large part, this is because humans, by nature, tend to trust what they are told – particularly if what they’re told has some sense of urgency to it. Notices that our various accounts have been canceled, that charges have been applied for purchases we didn’t make, or that we have unclaimed rewards waiting to be collected all sound like pressing issues that require further, immediate investigation. Phishing attacks are often designed to instill some level of panic or urgent enticement – “free TikTok followers” – which further lowers the victim’s guard.
The bottom line is that phishing is designed to prey on the psychology of the victim, which makes it difficult to defend against.
Meanwhile, phishers are getting better and better, so even experienced users are finding themselves caught off guard by emails and text messages that look quite legitimate. For less experienced users, a lack of experience with these types of attacks puts them at even greater risk.
All of this continues to feed the phishing fire, which shows no signs of abating anytime soon.
What do phishing attacks look like?
One of the more challenging aspects of phishing is that every attack looks different, so it’s hard to create any kind of universal guide to defend against them. In general terms, however, these are some of the most common types of phishing attacks:
- Emails designed to look like legitimate corporate correspondence – Phishing emails are usually commercial in nature and almost always contain an embedded link that directs the victim to a website whose purpose is either to harvest usernames and passwords or financial information or to deliver malware to the victim’s computer. The most common types of phishing emails are phony invoices for products or services the victim did not purchase, notifications from banks or other service providers (usually alerting the victim to some kind of fraud, charge, or account cancellation that hasn’t really occurred), notifications that the victim is due funds, or messages from the victim’s employer (often human resources) instructing them to take some kind of action.
- Messages that claim to be from the government – A common phishing attack pattern is to mimic a government agency with a scary message: “The IRS” says you owe taxes. “The police” say an arrest warrant is out for you. Another common attack claims that your Social Security number has been somehow “canceled.” All of these phony statements attempt to frighten the user into taking action and providing personal data.
- Text messages from people who claim to know you – Phishing text chains can begin with something as simple as a “Hello” from an unknown number, after which they can take any number of avenues en route to some type of fraud.
- Messages designed to look like they’re from a colleague or loved one – Messages like these are often used in spear-phishing attacks and can be delivered via email or text. They often ask the victim to take some financial action: “Can you make a wire transfer for the company?” or “I’m stuck and need money, can you send me cash via an online payment app?” These messages prey on victims who will naturally be more willing to help out their boss or a relative – with those contacts’ identities often scraped from social media.
- Social media messages from hacked or spoofed accounts – Social media is now fertile ground for phishing attacks where phishers make contact via direct messages on the social media app. Many such phishing attacks begin with a simple request that a victim “follow” the phishing account, which helps to improve their appearance of legitimacy and long-term success rates.
- Phone calls with “urgent” information – Vishing attacks are more complex and costly to undertake, so vishers often get straight to the point. These attacks usually inform the victim that they have invoices (or taxes) due and offer to take an immediate payment over the phone, that a prize has been won and requires some kind of advance payment to receive it, or that – commonly – their computer has been compromised and requires a system update to repair it. These phony tech support operators invariably end up installing malware onto and/or stealing credentials directly from the victim’s device.
How can I stop phishing attacks in my organization?
It’s hard enough for individuals to keep phishing attacks at bay, but for organizations, the problem is compounded – which means security-operations teams have their hands full staving off the threat. Here are the most effective tactics to stop phishing attacks:
- It starts with training – The most effective organizations have formal programs to educate users on how to spot phishing attacks and what to do if they receive one. These training sessions can be formal, in-person sessions or online classes. The most progressive organizations “spot-check” their staff by sending internally generated phishing messages to employees to test whether they will click on a malicious link or report the message as directed, thereby reinforcing the training lessons.
- Implement multifactor authentication – Multifactor authentication (MFA) requires a second (and possibly third) factor – usually a one-time code delivered by text message or generated by an authenticator app – whenever an employee accesses network resources. If a phisher captures a username and password, the credentials alone will not get them in. (An important caveat: phishers will try to phish those added factors too. A one-time code typed into a fake login page can be relayed to the real site within its validity window, which is exactly what adversary-in-the-middle phishing kits do. Factors bound to the legitimate site’s origin, such as FIDO2 security keys or passkeys, cannot be replayed this way and should be preferred for privileged accounts.)
- Ensure anti-malware software is installed and updated – These tools are critical for limiting damage if a malicious link is clicked or an attacker succeeds in delivering malware to a user’s PC. It’s essential that anti-malware tools be installed on every endpoint in the organization’s network and that the software is kept up to date. Remember, however, that software can only do so much, and multiple layers of anti-malware tools won’t provide increased protection over one well-managed tool.
- Block suspicious emails at the source – Anti-spam and email-filtering systems that block messages containing suspicious or known-malicious links stop many phishing attacks before a user ever sees them. Enforcing sender authentication (SPF, DKIM and DMARC) on inbound mail also lets the gateway reject or quarantine messages whose From address the sending domain has not authorized, which removes the most basic form of spoofing.
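As an added example (not code from the original article), the following script shows how a gateway-side filter can act on sender-authentication results. It assumes the mail gateway has already evaluated SPF, DKIM and DMARC and stamped an Authentication-Results header (RFC 8601), as OpenDMARC or Rspamd do; the script only reads that header, checks that an authenticated identifier aligns with the visible From domain, and flags a Reply-To that points elsewhere. Both sample messages and every domain in them are constructed for the example.

```python
"""Triage inbound mail on its Authentication-Results header (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Pull "spf=pass", "dkim=fail", "dmarc=none" style results out of the header.
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
DKIM_DOMAIN_RE = re.compile(r"header\.d=([\w.-]+)", re.I)
MAILFROM_RE = re.compile(r"smtp\.mailfrom=(?:[\w.+-]+@)?([\w.-]+)", re.I)


def org_domain(host):
    """Approximate the organizational domain by the last two labels.
    A production check should consult the Public Suffix List (think co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from_domain):
    """DMARC 'relaxed' alignment: both names share an organizational domain."""
    return bool(auth_domain) and org_domain(auth_domain) == org_domain(header_from_domain)


def triage(raw_message):
    """Return (verdict, reasons); verdict is 'deliver' or 'quarantine'."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # A real filter must only trust the header stamped by its own gateway
    # (match the authserv-id); anything a sender added upstream is attacker input.
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    results = {k.lower(): v.lower() for k, v in RESULT_RE.findall(auth)}
    m = DKIM_DOMAIN_RE.search(auth)
    dkim_domain = m.group(1) if m else ""
    m = MAILFROM_RE.search(auth)
    mailfrom_domain = m.group(1) if m else ""
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()

    reasons = []
    if results.get("dmarc") != "pass":
        reasons.append("dmarc=" + results.get("dmarc", "missing"))
    # Recompute alignment ourselves: this is what DMARC evaluates, and it still
    # applies when the sender publishes no DMARC record (gateway says dmarc=none).
    dkim_ok = results.get("dkim") == "pass" and aligned(dkim_domain, from_domain)
    spf_ok = results.get("spf") == "pass" and aligned(mailfrom_domain, from_domain)
    if not (dkim_ok or spf_ok):
        reasons.append("no authenticated identifier aligns with From domain " + from_domain)
    if reply_domain and org_domain(reply_domain) != org_domain(from_domain):
        reasons.append("Reply-To domain %s differs from From domain" % reply_domain)
    return ("quarantine" if reasons else "deliver"), reasons


# Constructed sample: a genuine notification, authenticated by the bank's domain.
LEGIT = """\
Authentication-Results: mx.example.net;
    spf=pass smtp.mailfrom=bounces.bank.example;
    dkim=pass header.d=bank.example;
    dmarc=pass header.from=bank.example
From: "Bank Alerts" <alerts@bank.example>
To: <user@example.net>
Subject: Your monthly statement is ready

Your statement for this month is available in online banking.
"""

# Constructed sample: SPF and DKIM pass, but for the bulk-mailer's domain,
# not the bank's, so nothing vouches for the displayed From address.
SPOOFED = """\
Authentication-Results: mx.example.net;
    spf=pass smtp.mailfrom=bounce.mailblast-hosting.example;
    dkim=pass header.d=mailblast-hosting.example;
    dmarc=fail header.from=bank.example
From: "Bank Alerts" <alerts@bank.example>
Reply-To: <recover-account@mailblast-hosting.example>
To: <user@example.net>
Subject: Unusual sign-in, verify your account now

Your account will be suspended in 24 hours unless you verify it.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        verdict, reasons = triage(raw)
        print(name, verdict, reasons)
```

The spoofed message passes SPF and DKIM, which is why "spf=pass" alone is never a reason to trust a sender: the check that matters is whether the authenticated domain is the one shown to the user.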
How do I best train staff to recognize phishing attacks?
In an enterprise setting, training your staff is a critical safeguard against phishing – the final line of defense if all other countermeasures have failed.
The goal with training is not to fault users for clicking on a phishing message that has made it through your corporate safeguards but to give them the confidence they need to identify phishing scams proactively – or at least to ask for help if they think something might be amiss with a message. Users who fear punishment for making a mistake are less likely to report those mistakes when they (inevitably) happen.
Anyone organizing an enterprise’s training sessions should keep two major guidelines in mind:
- Training sessions should be brief and fun. No one wants to spend hours out of their day in an anti-phishing seminar, but quick, 30-minute sessions that are interactive and entertaining can be incredibly effective, especially if they are undertaken regularly and feature new material each time. For Cybersecurity Awareness Month this year, Dell produced an 18-minute audio story with the production values of a radio drama or podcast, describing a fictional – yet typical – phishing attack and its aftermath. (It is published under the title “Audio story: A Modern Cyber Attack.”)
- Simulations can help reinforce lessons after formal training sessions end. Organizations can craft their own faux phishing emails and send them to staff periodically to test how many are reporting messages and identify any individuals who may need additional training – all done without judgment, of course.
The training strategy itself should include these key reminders of a smart cyber defense:
- Anything can be spoofed these days. A From address that appears to be at bankofamerica.com is no guarantee that an email came from Bank of America; the visible sender is just a header the sender fills in, and only the receiving mail system’s authentication checks can tell whether the domain actually sent it. Phishing messages are more credible-looking than ever and require deeper analysis to spot the frauds.
- Any request for credentials or financial information is likely a phishing scam. Your organization should make it a strict policy never to send credentials or financial data through email or text messages, and never to ask for them that way either, so that any such request is suspect by definition. Changes to payment or banking details should be confirmed through a separately known phone number, never through the contact details in the message itself.
- Hovering over links is still an effective and underused way to test for legitimacy. Most email programs allow you to hover the cursor over a link without clicking on it to see where it actually leads (on a phone, a long press on the link usually shows the same). If there’s a mismatch between the expected link and the actual one, it’s probably a scam. Teaching employees how to hover and identify fraudulent links is a critical step that should be part of any training program.
- If you can only remember one thing, it’s this: Report before you click. “When in doubt, report” policies should be hammered home regularly. Teach users that there’s no harm in reporting a legitimate message if they have the slightest suspicion and ensure security teams respond to suspicious-message notifications quickly. Users who are waiting interminably for security ops to respond may become frustrated and decide to take matters into their own hands.
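The hover check above can also be automated, so that a report-triage script or the mail gateway flags what a careful user would see on hover. The following is an added example, not code from the original article: it walks every anchor in an HTML body and reports links whose visible text names one domain while the href goes to another, links that hide the real host behind user-info before an “@”, links to bare IP addresses, and hosts that imitate a protected brand domain as a subdomain or hyphenated lookalike. The sample HTML and all domains are constructed; the protected-domain list is an assumed input.

```python
"""Flag anchors that do not go where they appear to go (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that looks like a URL or bare domain, e.g. "www.bank.example/login".
URL_LIKE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/\S*)?$", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable(host):
    """Approximate the organizational domain by the last two labels
    (a production check should use the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def reason_for(href, text, protected_domains):
    """Return why this anchor is suspicious, or None if it looks consistent."""
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return None  # mailto:, tel:, in-page anchors are out of scope here
    if parts.username is not None:
        return "userinfo before '@' hides the real host " + host
    if IPV4.fullmatch(host):
        return "destination is a bare IP address"
    m = URL_LIKE.match(text)
    if m and registrable(m.group(1)) != registrable(host):
        return "text shows %s but link goes to %s" % (m.group(1).lower(), host)
    for brand in protected_domains:
        label = brand.split(".")[0]
        # Brand label appears in the host, but the host is not the brand domain
        # itself or one of its subdomains: bank.example.evil.example, bank-login.example.
        if host != brand and not host.endswith("." + brand) and label in re.split(r"[.-]", host):
            return "host %s imitates %s" % (host, brand)
    return None


def suspicious_links(html, protected_domains=()):
    """Return [(href, visible_text, reason), ...] for every suspicious anchor."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        reason = reason_for(href, text, protected_domains)
        if reason:
            findings.append((href, text, reason))
    return findings


# Constructed sample body: four deceptive links, one honest one, one mailto.
SAMPLE_HTML = """
<p>We noticed unusual activity on your account. Please review:</p>
<a href="https://bank.example.login-verify.example/session">https://www.bank.example/login</a>
<a href="https://bank.example@203.0.113.7/">Secure portal</a>
<a href="http://203.0.113.7/update">Update now</a>
<a href="https://bank-login.example/reset">Reset
   password</a>
<a href="https://www.bank.example/help">https://www.bank.example/help</a>
<a href="mailto:help@bank.example">Contact us</a>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_HTML, protected_domains=("bank.example",)):
        print("%-52s %-32s %s" % (href, text, reason))
```

Tracking and redirect links (click.vendor.example/…) will show up as mismatches too; that is the correct behaviour for a triage tool, since the user cannot tell from the hover where such a link finally lands.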
How can I fight phishing attacks while improving the digital employee experience (DEX) of my users?
Balancing security with a positive user experience isn’t easy, and many users become frustrated when onerous security requirements drive them to look for ways to bypass these measures. This can create a situation where the organization faces an even higher level of security risk due to users undermining the systems.
The key with phishing-abatement measures (and all other security measures) is that they need to make every effort to avoid interrupting and disrupting the user’s workflow. Email clients outfitted with a one-button “Report this message” function or, at the very least, a dedicated anti-phishing email address where suspicious messages can be forwarded, are an excellent first step. The fewer hoops a user must jump through to report an attack, the more likely they are to report. It also pays to keep the volume of phishing that reaches inboxes as low as possible: no user wants to spend their day filing reports, and if they have to, alert fatigue will set in and bad habits may develop.
Stepping back, organizations that work to improve the overall DEX of their users are likely to find their employees are more engaged and observant when it comes to computer security in general. Staffers who are less stressed-out due to their day-to-day working environment will likely be more understanding of the need for security and anti-phishing measures and more willing to work toward the common goals of preventing attacks, protecting the organization, and participating as a cohesive team. Good security hygiene, like a smart DEX program in general, benefits everyone.
While improving DEX is important, measures to eliminate phishing are bound to create some level of friction with users. Strong password policies, MFA, and training sessions all disrupt users’ workflow to some extent, and they may well push back against them. Your training messaging needs to stress that the present disruption will be far less painful than a future disruption caused by a successful phishing attack. A little pain now is better than a massive disruption later.
What is the ideal incident response when a phishing attack has been successful?
Despite all your best efforts, it’s almost inevitable that eventually a phishing attack will make it through your defenses. When this happens, you need to act fast, utilizing an incident-response playbook to help manage what happens next.
Some of the best incident-response practices include:
- A timely and complete disclosure. If a user knows they’ve been attacked, it’s important that they come forward quickly, as time is of the essence in the aftermath of an attack. As noted earlier, this means building a guilt-free reporting process that rewards users for disclosures rather than punishing them. Gather the details of what happened leading up to the attack – which message, which link, what was typed in or installed, and when – in parallel with containment, not instead of it.
- A speedy response is of the essence, and you must quarantine known impacted systems before any malware can spread. Immediately reset any exposed passwords and revoke the account’s active sessions and tokens, since a password change alone does not log out an attacker who is already signed in. Do the same for any potentially connected financial accounts. Credit card numbers that may have been revealed should be reported and canceled.
- A full malware and intrusion detection sweep must be undertaken to uncover any malware that might have made its way onto the network. Preserve the original phishing message, with its full headers and any attachment, rather than deleting it; security operations can use it to determine what was delivered and where its links led. Logs should be searched for suspicious logins, URLs, IPs, and other traffic going in and out of the network during the time since the attack.
- Regular backups must be conducted and tested for integrity. In a worst-case scenario, data can be restored to a time before the attack was initiated.
- Tabletop exercises can be extremely beneficial in helping security teams prepare for a speedy and effective response.
- A review of employee mistakes is a useful way to reinforce training. There’s no need to “make an example” out of the individual who may have clicked the link. In fact, that’s likely to be counterproductive in the long term. But showing users what a successful phishing attack looks like – and the damage it can cause – can be invaluable.
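One piece of the response above, the sweep of authentication logs after a confirmed click, is shown below as an added example (not code from the original article). Given the phished account and the time the user reports clicking, it builds a baseline of source IPs and countries the account used in the 30 days before that moment, flags every later successful login from a source outside that baseline, and then pivots on the suspicious IPs to see which other accounts they touched. The key=value log format and every address in it are constructed for the example; the parser would be adapted to your identity provider’s export.

```python
"""Post-phish login sweep over constructed authentication logs (added example)."""
from datetime import datetime, timedelta, timezone

# Assumed input: the moment the user says they entered credentials on the fake page.
CLICK_TIME = datetime(2024, 5, 2, 9, 10, tzinfo=timezone.utc)

# Constructed sample: normal use from two office addresses, then the phish,
# then logins from an unfamiliar address using a scripting user agent.
LOG_LINES = """\
2024-04-10T08:02:11Z user=jdoe result=success ip=198.51.100.23 geo=US ua=Chrome/124
2024-04-18T08:05:40Z user=jdoe result=success ip=198.51.100.23 geo=US ua=Chrome/124
2024-04-25T17:20:02Z user=jdoe result=success ip=198.51.100.77 geo=US ua=Outlook-iOS
2024-05-02T09:14:07Z user=jdoe result=success ip=203.0.113.9 geo=NL ua=python-requests/2.31
2024-05-02T09:14:30Z user=jdoe result=success ip=203.0.113.9 geo=NL ua=python-requests/2.31
2024-05-02T09:40:12Z user=jdoe result=success ip=198.51.100.23 geo=US ua=Chrome/124
2024-05-02T11:02:55Z user=asmith result=success ip=203.0.113.9 geo=NL ua=python-requests/2.31
2024-05-03T02:17:44Z user=jdoe result=failure ip=192.0.2.50 geo=RU ua=curl/8.5
""".splitlines()


def parse_line(line):
    """Turn '<timestamp> k=v k=v ...' into a dict with an aware datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def sweep(lines, user, click_time, baseline_days=30):
    """Return (findings, other_users).

    findings: (timestamp, ip, user_agent, reason) for each successful login of
    `user` at or after click_time from a source not seen in the baseline window.
    other_users: accounts that also logged in from those suspicious IPs.
    """
    records = [parse_line(line) for line in lines]
    window_start = click_time - timedelta(days=baseline_days)

    baseline_ips, baseline_geo = set(), set()
    for r in records:
        if r["user"] == user and r["result"] == "success" and window_start <= r["ts"] < click_time:
            baseline_ips.add(r["ip"])
            baseline_geo.add(r["geo"])

    findings = []
    for r in records:
        if r["user"] != user or r["result"] != "success" or r["ts"] < click_time:
            continue
        reasons = []
        if r["ip"] not in baseline_ips:
            reasons.append("new source IP")
        if r["geo"] not in baseline_geo:
            reasons.append("new country " + r["geo"])
        if reasons:
            findings.append((r["ts"], r["ip"], r["ua"], ", ".join(reasons)))

    # Pivot: the same credentials-stealing infrastructure often hits several
    # victims of one campaign, so check which other accounts those IPs used.
    bad_ips = {f[1] for f in findings}
    other_users = sorted({r["user"] for r in records
                          if r["ip"] in bad_ips and r["user"] != user and r["result"] == "success"})
    return findings, other_users


if __name__ == "__main__":
    findings, others = sweep(LOG_LINES, "jdoe", CLICK_TIME)
    for ts, ip, ua, reason in findings:
        print(ts.isoformat(), ip, ua, "->", reason)
    print("other accounts seen from the same IPs:", others)
```

A login from a baseline address after the click (the 09:40 Chrome entry here) is not proof that the account is clean; it simply is not what this particular check looks for. Session-token replay from the attacker’s own proxy is the reason the response steps above revoke sessions as well as resetting the password.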
What role is AI playing in phishing attacks today?
Historically, phishing messages have been generated by unsophisticated attackers with poor writing and design skills, making their typo-ridden messages exceedingly easy to spot.
Those days are gone.
The standard phishing defense of just skimming an email and looking for obvious spelling or grammar errors is no longer effective. With AI tools like ChatGPT now accessible to the masses, it’s easy for attackers to clean up their grammar and write with better clarity – both of which make their attacks much more difficult to detect.
In some cases, AI is even taking things a step further by allowing attackers to mimic the voice and style of a victim’s friends and colleagues. A victim’s manager can be imitated down to their distinctive use of slang, commonly used phrases, and use of shorthand – even emojis. Now those polished phishing emails can be cleverly personalized, making it nearly impossible to tell the difference between a malicious attack and the genuine article.
Besides leveraging AI, cybercriminals are also leveraging our interest in AI. In the summer of 2023, cyber researchers detected an uptick in fake AI promotions on Facebook, in which cybercriminals created ads featuring fake profiles of marketing companies that claimed to offer AI packages and access to Meta AI. As businesses and individuals explore the best ways to use generative AI to handle corporate data, cybercriminals are also jumping on the bandwagon. Which means savvy enterprise leaders must expect (and prepare for) newer and even more clever phishing attacks in the future.
How are phishing attacks evolving?
Phishing is evolving along with the rest of the technology industry, becoming more pervasive, easier to undertake, and more sophisticated. Some of the key advances in recent years include:
- Frequency – phishing is everywhere. What was once restricted to email is now a universal problem across all communication platforms: text message, phone calls, various types of documents, search engine results, other browser-based platforms, and even in-person media. Nowadays, phishing attacks are even commonly embedded in QR codes. Mobile device–based attacks have proven to be far more effective than email-based ones, so these types of attacks are likely to continue.
- Quantity – the amount of unprotected consumer data is exploding. Users are sharing more information online than ever, and very little of that is protected behind a corporate firewall. This is giving attackers more ways than ever to exploit their victims.
- Automation – AI tools help phishing attacks evade detection. We previously discussed the ways that AI is making phishing messages seem more natural and realistic, but AI is also having an impact when it comes to cybersecurity evasion, including the bypassing of spam filters. “Polymorphic” phishing technologies are also allowing phishing messages to adapt their look, language, and target URLs on the fly, making them even harder to detect. These technologies alter the sender’s name, email address, and even the body of the message so that each email is unique – and therefore more likely to slip past filters that match on known sender addresses, subject lines, or message hashes.
- Democratization – “Phishing-as-a-service” is giving criminals turnkey access to sophisticated attack technologies. Embarking on a career as a phisher no longer requires specialized knowledge. Subscription services now allow anyone to start sending phishing messages by clicking a few buttons and paying less than $100 a month to the service operator. These services are often hosted on legitimate cloud services, which makes them even harder to detect and stop.
- ROI – Nation-state attacks are becoming less of a threat; phishing is now dominated by those focused on monetary goals and return-on-investment. Like any smart business executive, cybercriminals are looking at ways to diversify and turn phishing attacks into a recurring revenue stream. The result: more-aggressive actions, such as extortion, proving that phishing is not only on the rise but continually evolving.
For more reading on phishing and phishing-as-a-service, check out the links below.
- To Defend Against ‘Vishing,’ Get Smart
- Cyber Threat Intelligence (CTI) Roundup: The Rise of Phishing-as-a-Service
- CTI Roundup: Google AMP & Salesforce Exploited for Phishing Attacks
- CTI Roundup: Hackers Use ChatGPT Lures to Spread Malware on Facebook
- CTI Roundup: ‘Tis the Season for a New Phishing Scam
- A Wave of Ukraine Crypto Phishing Scams May Get Workers Fired