5 Things to Know About Phishing Attacks

Only 66% of working adults correctly answered the question “What is phishing?” in a 2019 Proofpoint survey. This means one-third of adults do not know that phishing is a form of fraud in which cybercriminals try to scam people into providing sensitive information (e.g., login credentials, account information) or performing an action (e.g., clicking a link, opening an email attachment) in order to steal money, data, or even a person’s identity.

Being able to answer the question “What is phishing” is a good start. However, the more you know about this type of attack, the better you will be able to avoid becoming the next victim. Toward that end, here are five things you should know about phishing:

Phishing Isn’t Just about Emails

People commonly associate phishing with emails. However, hackers carry out phishing attacks through other communication channels as well, including websites, text messages, and phone calls.

Most often, cybercriminals use emails and websites in their phishing attacks. Sometimes they even use both channels in the same scam. For example, they might try to get people to click a link in a phishing email, which sends the victims to a phishing site. Similarly, cybercriminals might try to get people to click a link in a text message, which leads to a phishing site.

Phishing calls are also becoming common. Mobile scam calls rose from 3.7% of all calls in 2017 to 29.2% of all calls in 2018, according to researchers at First Orion. This upward spiral is expected to continue throughout 2019.

Phishing Sites Can Be HTTPS Pages

Cybercriminals are increasingly using HTTPS sites for phishing. Hackers are counting on people being lulled into a false sense of security when they see the “https” designation and the accompanying padlock icon in their web browser’s address bar. When some people see these two elements, they assume that a site is safe. However, the “https” designation simply indicates that any data sent between the browser and the website is encrypted. It does not signify that the website is legitimate or free from malware.

More than half of all phishing sites are HTTPS sites, according to the Anti-Phishing Working Group’s “Phishing Activity Trends Report, 2nd Quarter 2019”. The situation is getting so serious that the US Federal Bureau of Investigation (FBI) issued a public service announcement in June 2019 warning people about this.
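To make the padlock-versus-legitimacy distinction concrete, here is an added example (not code from the original article or from Xantrion): a small URL checker that reports the two facts separately, whether the connection would be encrypted and whether the host actually belongs to the brand named in the URL. The brand allowlist and all sample URLs are constructed for this example; the `.invalid` hostnames are placeholders, not real sites.

```python
from urllib.parse import urlsplit

# Assumed allowlist of brand -> registrable domains (constructed for this
# example; a real deployment would use a maintained list).
KNOWN_BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "live.com", "office.com"},
    "netflix": {"netflix.com"},
}

def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.
    Simplified on purpose: ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def classify_url(url: str) -> dict:
    """Separate 'is this HTTPS?' from 'is this really the brand's domain?'.
    A brand name appearing in the netloc (hostname or the user@ part) while the
    registrable domain is not one of the brand's own is flagged as a lookalike."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # already lowercased, port stripped
    reg = registrable_domain(host)
    encrypted = parts.scheme == "https"  # only says the transport is encrypted
    # Search the whole netloc so "brand.com@other-host" tricks are also caught.
    mentioned = [b for b in KNOWN_BRAND_DOMAINS if b in parts.netloc.lower()]
    legit = any(reg in KNOWN_BRAND_DOMAINS[b] for b in mentioned)
    verdict = "ok" if (not mentioned or legit) else "lookalike"
    return {"host": host, "registrable_domain": reg, "encrypted": encrypted,
            "brands_mentioned": mentioned, "brand_domain_match": legit,
            "verdict": verdict}

# Constructed sample URLs: the genuine domain, an unencrypted genuine page,
# and two HTTPS lookalikes that would still show a padlock.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "http://www.paypal.com/",
    "https://paypal.com.secure-login.invalid/signin",
    "https://paypal.com@evil-host.invalid/",
]

def triage(urls):
    """Map each URL to (encrypted?, verdict) so the two facts stay visible."""
    return {u: (classify_url(u)["encrypted"], classify_url(u)["verdict"])
            for u in urls}

if __name__ == "__main__":
    for url, (enc, verdict) in triage(SAMPLE_URLS).items():
        print(f"{'https' if enc else 'http ':5} {verdict:9} {url}")
```

Both lookalike URLs come back as encrypted *and* lookalike, which is exactly the combination the padlock icon cannot warn about.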

Hackers Like to Reel In Certain Types of Victims

While phishing attacks were initially targeted at consumers, cybercriminals quickly discovered that businesses are also lucrative targets. In 2018 alone, 83% of businesses experienced phishing attacks, according to Proofpoint’s “2019 State of the Phish Report”.

Small and midsized companies are often targeted. In 2018, for example, employees in smaller organizations received more phishing emails than those in large organizations, according to Symantec’s “2019 Internet Security Threat Report”. Small and midsized companies are sought because they typically do not have the expertise or resources to properly secure their businesses against phishing scams and other types of attacks.

Cybercriminals are also selective about who they target within companies. Security experts note that popular phishing marks include:

    • Executives. Executives are highly sought because they typically have access to sensitive business information and the authority to sign off on financial transactions such as electronic fund transfers.
    • Administrative assistants. Administrative assistants work closely with the managers and executives they assist. As a result, they often have access to information (e.g., an executive’s schedule) and accounts (e.g., a manager’s email account) that can help phishers plan and carry out scams.
    • Human resources (HR) staff. Cybercriminals like to target HR professionals because they have access to sensitive data such as employee records. Plus, they regularly respond to queries from employees (including managers and executives) as well as handle unsolicited communication from people outside the company (e.g., job applicants).
    • Sales team members. Salespeople are common marks because their contact information is often readily available. Furthermore, they are usually very responsive to unsolicited communication (e.g., emails, texts, or calls from potential customers).

Cybercriminals Don’t Take Holidays Off

Hackers go phishing 365 days a year, which means people should not let their guard down, even on holidays. In fact, people might want to be more cautious around holidays, as cybercriminals often ramp up their efforts during certain seasonal events such as Black Friday, tax season, and even Amazon Prime Day. Cybercriminals also try to capitalize on unforeseen events, such as natural disasters. Preying on people’s compassion, they pretend to be collecting donations for disaster victims.

Nearly 80% of phishing attacks occur on weekdays, according to Vade Secure researchers. This isn’t too surprising given that hackers like to target businesses. Tuesdays and Wednesdays are the top two days cybercriminals carry out their attacks.

Phishers Are Skilled Impersonators

Cybercriminals commonly impersonate legitimate contacts and companies to carry out their phishing scams. When targeting a business, cybercriminals often pretend to be someone within the company (e.g., an executive or employee) or an organization that does business with the company (e.g., a supplier or lawyer).

When targeting consumers, hackers typically masquerade as representatives of popular companies. For instance, in the second quarter of 2019, the top 10 companies that hackers pretended to represent included:

    • Microsoft
    • PayPal
    • Netflix
    • Bank of America
    • Apple
    • CIBC
    • Amazon
    • DHL
    • DocuSign

Phishing attacks are a serious threat for not only consumers but also companies. Xantrion offers security training, including phishing education, that teaches your employees what to watch out for and helps them practice avoiding behaviors that put your data at risk. Contact us to get started today.
