Fight The Phish – The Most Common Types Of Attack And How To Avoid Them


In a year that has already smashed records for cybercrime, one type of attack looms large above all others in terms of sheer volume and manipulative nature – phishing.

At its core phishing is a type of digital social engineering attack where cybercriminals use various methods of deceit to dupe people into giving them sensitive data or access to IT systems.

From there they can wreak havoc – deploying malware or ransomware, stealing money or simply shutting down critical IT systems.

The result is often huge financial impact – lost funds, ransoms, fines, legal fees, compensation – not to mention the cost of getting your systems back online and data recovered.

So how does a phishing attack work, what is the size of the threat in 2021, and how can we recognise and avoid the most common types of attack? Let’s start with the basics.

What is Phishing?

Put simply, phishing is a tactic cyber criminals use to engage their victims before they start attacking them in some way.

It’s called phishing because, like its water-based namesake, it involves laying down bait – in this case digital bait – and seeing who and what will bite.

Victims are contacted via email, phone text or calls, and increasingly over social media, often multiple times, with the scammers ‘pretending’ to be someone they are not – like friends or legitimate organisations.

Scammers then use tactics like lure content to persuade individuals to either hand over private information such as passwords and personal data – or to get them to perform tasks like downloading malware or transferring money.

Attackers also often create a sense of urgency in their messages. They can warn you of an invoice you need to pay, announce you’ve won a fake prize, hook you in with the offer of a fantastic deal or a new job, or threaten to close an account.

An example of this is the PayPal phishing scam – offering anything from discounts to free credit.

In the aftermath of Covid-19, scammers also increasingly began using fake health alerts or warnings – preying on fear to get people to click on their messages.

The end result is an attempt to get you, the victim – whether business or private – to click on a link or open a file. Typically, that action then starts the next phase of criminality.

Size of the phishing threat in 2021

Phishing – despite being a widely known issue – is growing in impact year on year. There are a number of reasons for this.

Firstly, as we noted above, the global pandemic has created a paradigm shift in how people live and work. The shift to digital has increased potential attack surfaces – with more commerce, communication and data sharing happening online now than ever before.

Secondly, cyber criminals have become increasingly sophisticated at selling attack software, developing attack methodologies and sharing information. The dark web abounds with sites selling complete phishing attack packages – from tactics to software to financial clearing houses. Some even offer guarantees and 24-hour support.

Combined – more to attack, lower costs of entry, and more tools to use – the proliferation has been staggering.

In the UK government’s ‘Cyber Security Breaches Survey 2021’, 83% of identified cyber attacks on UK companies were phishing-related. This rose to 91% in large businesses.

The intention and outcome of the attacks themselves vary. Take data theft, for example. The top five stolen data categories last year were:

  1. Credentials (usernames, passwords);
  2. Personal data (addresses and phone numbers);
  3. Internal data (eg, sales figures);
  4. Medical data (such as insurance claim information) and
  5. Banking data (such as credit card information).

As you can see, the information stolen then opens itself up to further crime – from commercial espionage to further fraud on others to simple money theft.

As attacks have proliferated, costs to business from phishing have soared in parallel. For example, it is estimated that more than 90% of malware is delivered by phishing, and 47% of ransomware infections in 2020 came from phishing emails. All of these cost businesses millions each year to resolve and to protect against.

However, despite the huge potential losses, both financial and reputational, a 2021 survey of 15 million suspicious emails reported by end-users globally found that only 63% of UK organisations train users in how to spot email-based phishing, the lowest of any region surveyed.

So how does phishing work and what kinds of attacks are happening?

Most phishing scams use one of two basic attack methods:

  • Malicious email attachments which install malware on victims’ computers / mobile devices when opened.
  • Links to malicious websites, which are often clones of legitimate sites, whose login pages then harvest credentials or, again, install malware.

Most phishing emails are sent to thousands of potential victims often at random, relying on the sheer volume of numbers for success. However, some particularly costly forms of attack target specific organisations or individuals.

Types of attack

  • Email Phishing – most phishing attacks are sent by email. Criminals register a fake domain name that impersonates a legitimate organisation and send out thousands of these spoof messages in a bid for credentials or other personal information. According to research from KnowBe4, the most common subject lines of phishing emails in 2020 included ‘Amazon Prime Membership declined’; ‘Microsoft 365: Action Needed to update the address for your Xbox Game’ and ‘Changes to your health benefits’.
  • Spear Phishing – a form of email phishing but sent to a specific victim. Scammers often already know some details about their target such as name, email and job details. One of the most famous cyber-attacks in history, the 2016 hacking of the US Democratic National Committee, was enabled using spear phishing. ‘Whaling’ is a form of spear phishing specifically targeting senior executives.
  • BEC (Business Email Compromise) – emails pretending to be from senior members of staff requesting wire payment for goods/services, often sent to clients or other employees. BEC scams in which hackers trick C-suite workers and executives into making wire transfers cost US businesses more than $2 billion in 2020 (FBI’s 2020 Internet Crime Report).
  • Angler Phishing – an increasingly popular form of attack, targeting victims over social media. Criminals often use personal information posted on Facebook or Instagram to persuade victims to download damaging malware, or to hijack their accounts.
  • Smishing / Vishing – smishing specifically targets victims via text messaging, and vishing via telephone calls. This type of attack grew exponentially during 2020/21. A common vishing scam involves criminals posing as bank fraud investigators, telling victims their account has been breached and asking for card payment details and personal information.

How to Identify Phishing Emails and Mitigate the Threat:

  • Security Awareness Training – As phishing attacks rely entirely on human error to succeed, regular staff training on how to recognise phishing emails should be at the forefront of any IT security plan. A positive work culture that encourages employees to report phishing attacks should also be implemented.

Staff should look out for:

  • misspelled domain names and emails containing bad grammar
  • unusual or unexpected attachments
  • any email sent from a public domain email address (eg: amazon@gmail.com)
  • any email creating a sense of urgency.
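The checklist above can be turned into an automated first pass over incoming mail. The following is an added example (not code from the original article or from Acumin): it parses a raw email and flags the warning signs listed, assuming a constructed allow-list of brands and their real sending domains and a constructed sample message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample policy: brands we expect mail from and their genuine sending domains.
KNOWN_BRANDS = {"amazon": "amazon.com", "microsoft": "microsoft.com", "paypal": "paypal.com"}
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".iso", ".html")
URGENCY = re.compile(r"\b(urgent|immediately|action needed|declined|suspended|final notice)\b", re.I)

def levenshtein(a: str, b: str) -> int:  # edit distance: spots look-alikes such as amaz0n.com
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def flag_message(raw: str) -> list:
    """Return the reasons a raw email matches the staff checklist (empty list = none found)."""
    msg = message_from_string(raw)
    reasons = []
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    for brand, legit in KNOWN_BRANDS.items():
        if brand in display.lower() or brand in local:  # message claims to be from this brand
            if domain in PUBLIC_DOMAINS:
                reasons.append(f"{brand} branding sent from public webmail domain {domain}")
            elif domain != legit and not domain.endswith("." + legit):
                kind = "look-alike" if levenshtein(domain, legit) <= 2 else "unrelated"
                reasons.append(f"{kind} domain {domain} (expected {legit})")
    if URGENCY.search(msg.get("Subject", "")):
        reasons.append("urgency language in subject")
    for part in msg.walk():  # unexpected or double-extension attachments
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"risky attachment {name}")
    return reasons

# Constructed sample message: look-alike domain, urgent subject line, double-extension attachment.
SAMPLE = """From: "Amazon Prime" <prime-support@amaz0n.com>
Subject: Amazon Prime Membership declined - action needed
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="invoice.pdf.exe"

AAAA
--b1--
"""
```

Running `flag_message(SAMPLE)` returns three findings; a genuine message from `no-reply@amazon.com` with a neutral subject returns none.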


  • Secure Email Gateways (SEGs) – these monitor all company in and outbound emails, scanning them for malicious content. Although effective at blocking spam and the most basic phishing attempts, increasingly sophisticated phishing attackers evade these gateways by impersonating trusted senders.
  • Post-delivery Protection (PDP) – these use AI and machine learning to analyse individual employee’s communication patterns, scanning their emails for anomalous behaviour. These email network solutions can identify more personalised spear-phishing attempts.
  • Secure the Cloud – Because users trust links to things like SharePoint and OneDrive sites, attackers increasingly use cloud file sharing services as part of their schemes. Employers should continually review and update their cloud security policies.
  • Two-factor authentication (2FA) – one of the most effective methods for countering phishing attacks, as it requires an additional verification step (often a one-time code sent by text message to a smartphone) to prove identity, so a stolen password alone is not enough.

Ultimately, whether for businesses or individuals, the best advice to people is to always independently check the source of any email / text / call or social message they receive, with the person from whom it is claimed to be sent.

A quick message or call – using the method you usually use to contact them – to double check whether they have sent you something, could be what saves you or your business thousands, or even millions of pounds / dollars.
