In a year that has already smashed records for cybercrime, one type of attack looms large above all others in terms of sheer volume and manipulative nature – phishing.
At its core phishing is a type of digital social engineering attack where cybercriminals use various methods of deceit to dupe people into giving them sensitive data or access to IT systems.
From there they can wreak havoc – deploying malware or ransomware, stealing money or simply shutting down critical IT systems.
The result is often huge financial impact – lost funds, ransoms, fines, legal fees, compensation – not to mention the cost of getting your systems back online and data recovered.
So how does a phishing attack work, what is the size of the threat in 2021, and how can we recognise and avoid the most common types of attack? Let’s start with the basics.
What is Phishing?
Put simply, phishing is a tactic cyber criminals use to engage their victims before they start attacking them in some way.
It’s called phishing because, like its water-based namesake, it involves laying down bait – in this case digital bait – and seeing who and what will bite.
Victims are contacted via email, phone text or calls, and increasingly over social media, often multiple times, with the scammers ‘pretending’ to be someone they are not – like friends or legitimate organisations.
Scammers then use tactics like lure content to persuade individuals to either hand over private information such as passwords and personal data – or to get them to perform tasks like downloading malware or transferring money.
Attackers also often create a sense of urgency in their messages. They can warn you of an invoice you need to pay, announce you’ve won a fake prize, hook you in with the offer of a fantastic deal or a new job, or threaten to close an account.
An example of this is PayPal phishing scams – which offer anything from discounts to free credit.
In the aftermath of Covid-19, scammers also increasingly began using fake health alerts or warnings – preying on fear to get people to click on their messages.
The end result is an attempt to get you, the victim – whether business or private – to click on a link or open a file. Typically, that action then starts the next phase of criminality:
Size of the phishing threat in 2021
Phishing – despite being a widely known issue – is growing in impact on a year on year basis. There are a number of reasons for this.
Firstly, as we noted above, the global pandemic has created a paradigm shift in how people live and work. The shift to digital has increased potential attack surfaces – with more commerce, communication and data sharing happening online now than ever before.
Secondly, cyber criminals have become increasingly sophisticated at selling attack software, developing attack methodologies and sharing information. The dark web abounds with sites selling complete phishing attack packages – from tactics to software to financial clearing houses. Some even offer guarantees and 24-hour support.
Combined – more to attack, lower costs of entry, and more tools to use – the proliferation has been staggering.
In the UK government’s ‘Cyber Security Breaches Survey 2021’, 83% of identified cyber attacks on UK companies were phishing-related. This rose to 91% in large businesses.
The intention and outcome of the attacks themselves vary. Take data theft, for example. The top five stolen data categories last year were:
As you can see, the information stolen then opens itself up to further crime – from commercial espionage to further fraud on others to simple money theft.
As attacks have proliferated, costs to business from phishing have soared in parallel. For example, it is estimated that more than 90% of malware is delivered by phishing, and 47% of ransomware infections in 2020 came from phishing emails. All of these cost businesses millions each year to resolve and to protect against.
However, despite the huge potential losses, both financial and reputational, a 2021 survey of 15 million suspicious emails reported by end-users globally found that only 63% of UK organisations train users in how to spot email-based phishing, the lowest of any region surveyed.
So how does Phishing Work and what kinds of attacks are happening?
Most phishing scams use one of two basic attack methods:
Most phishing emails are sent to thousands of potential victims, often at random, relying on sheer volume for success. However, some particularly costly forms of attack target specific organisations or individuals.
Types of attack
register a fake domain name that impersonates a legitimate organisation and send out thousands of these spoof messages in a bid for credentials or other personal information. According to research from KnowBe4, the most common phishing email subject lines in 2020 included ‘Amazon Prime Membership declined’, ‘Microsoft 365: Action Needed to update the address for your Xbox Game’ and ‘Changes to your health benefits’.
Scammers already often know some details about their target, such as name, email and job details. One of the most famous cyber-attacks in history, the 2016 hacking of the US Democratic National Committee, was enabled using spear phishing. ‘Whaling’ is a form of spear phishing specifically targeting senior executives.
senior members of staff requesting wire payment for goods/services – and often sent to clients or other employees. BEC scams, in which hackers trick C-suite workers and executives into making wire transfers, cost US businesses more than $2 billion in 2020 (FBI 2020 Internet Crime Report).
victims over social media. Criminals often use personal information posted on Facebook or Instagram to trick victims into downloading damaging malware, or to hijack accounts.
Messaging, and vishing via telephone calls. This type of attack grew exponentially during 2020/21. A common vishing scam involves criminals posing as bank fraud investigators, telling victims their account has been breached and asking for card payment details and personal information.
How to Identify Phishing Emails and Mitigate the Threat:
Staff should look out for:
Ultimately, whether for businesses or individuals, the best advice is always to verify the source of any email, text, call or social message independently, with the person it claims to come from.
A quick message or call – using the method you usually use to contact them – to double check whether they have sent you something could be what saves you or your business thousands, or even millions, of pounds or dollars.
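Because the fake domains described above are built to look like a legitimate organisation’s, one cheap check a mail gateway or help desk can run is to compare the sender’s domain against an allowlist of genuine domains and flag near-misses. The following is an added example, not code from the article: it assumes a constructed allowlist (LEGIT_DOMAINS) and constructed From: headers, and catches exact matches, genuine subdomains, accented or punycode look-alikes, one-or-two-character typosquats and brand names embedded in unrelated domains.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allowlist for this example; a real deployment maintains its own.
LEGIT_DOMAINS = {"paypal.com", "microsoft.com", "amazon.com", "example-bank.co.uk"}


def normalise_domain(domain: str) -> str:
    """Fold punycode (xn--) and accented look-alike labels down to plain ASCII."""
    try:
        domain = domain.encode("ascii").decode("idna")  # xn--... -> Unicode
    except UnicodeError:
        pass  # already Unicode, or not valid punycode
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    return folded.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, legit=LEGIT_DOMAINS, max_distance: int = 2):
    """Return (verdict, sender_domain): 'legitimate', 'lookalike' or 'unknown'."""
    _, addr = parseaddr(from_header)
    raw = addr.rpartition("@")[2].lower().rstrip(".")
    if raw in legit or any(raw.endswith("." + good) for good in legit):
        return "legitimate", raw          # exact match or a genuine subdomain
    folded = normalise_domain(raw)
    if folded in legit:
        return "lookalike", raw           # homoglyph / IDN impersonation
    for good in legit:
        brand = good.split(".")[0].replace("-", "")
        if edit_distance(folded, good) <= max_distance or brand in folded.replace("-", ""):
            return "lookalike", raw       # typosquat, or brand name inside a fake domain
    return "unknown", raw


if __name__ == "__main__":
    # Constructed sample From: headers, not taken from the article.
    for header in ["Security <alerts@paypal.com>",
                   "PayPal Support <help@paypa1.com>",
                   "Amazon <noreply@amazon-prime-membership.com>",
                   "HR <hr@micrósoft.com>"]:
        print(classify_sender(header))
```

A "lookalike" verdict is a prompt to verify out of band, as the advice above says, not proof of fraud; the brand-substring rule in particular will also flag legitimate third-party domains that mention a brand.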