Phishing attacks are becoming increasingly sophisticated, complex and common. According to a 2020 Proofpoint study, 90% of organizations experienced phishing attacks in 2019. Further, the 2019 Verizon Data Breach Investigations Report found that 94% of malware is delivered via email.
Such attacks can be devastating for employees and businesses alike. In fact, 32% of 2019 data breaches involved phishing, according to Verizon. And, with IBM reporting the average total cost of a data breach at $3.92 million, keeping employee and corporate data safe from malware, ransomware, identity theft and loss is crucial.
Types of phishing attacks
Phishing, a form of social engineering, involves attackers tricking users into providing access to data and systems. There are several common types of phishing tactics:
- Email phishing is the most common form. Attackers send emails with malicious links or attachments to infect their targets.
- Spear phishing is more selective, with attackers sending emails to a specific target.
- Whaling attacks occur when a high-profile employee, such as the CEO or CFO, is targeted in a phishing scam.
- Voice over IP phishing, or vishing, is a phishing scam carried out using voice technology, such as over the phone.
- Pharming attacks occur when a DNS server is tricked into replacing a legitimate cached IP address with a malicious one, thereby redirecting users to the malicious website when they type the legitimate one into the browser.
- SMS phishing, or smishing, is a phishing scam executed via text message.
- Social media phishing occurs when phishing messages are sent via social media platforms.
How to recognize and avoid phishing attacks
How can these attacks be stopped? Educating employees is the first step in phishing protection. Here is a list of clues end users should be on the lookout for to avoid getting hooked by phishing schemes.
If an unsolicited or unexpected email arrives in your inbox, be sure to do the following:
- Never reply to the message, click on any links or download suspicious attachments.
- Never trust an email or website that asks for personal, corporate or financial information. Legitimate companies will never ask for such data via email. If you are concerned about your accounts, contact the organization using a telephone number you know is genuine or by opening a new browser session and typing in the company's website.
- Never copy and paste links from emails. Also, note that hovering over links to check their validity is not recommended -- hackers can use coding to make the URL appear legitimate.
- Never click untrusted shortened URLs, such as Bitly links.
- Check for typos. Many phishing emails contain grammatical errors and misspelled words.
- Check the sender's address. If you don't recognize it, be wary. Remember, phishers can forge sender addresses. Check the IP address in the email source code to see if it can be traced back to the true sender.
Phishing protection best practices
Unfortunately, user awareness only goes so far in phishing defense. Therefore, technical controls should be considered to help catch phishing attacks. These controls will not eliminate phishing attempts but may minimize them.
- Regularly update and patch web browsers. Browser vulnerabilities are often used as part of phishing attacks.
- If personal, corporate or financial data must be entered into a website, visit the site by typing it into a browser; never click the link in an email or copy and paste it. Also, make sure the site is secure by checking for a lock symbol in the browser bar or making sure the URL starts with HTTPS.
- Install a web browser toolbar or extension to help protect against known phishing websites.
- Run antimalware software, and regularly update it.
- Use a firewall.
- Many groups collect phishing attack data to shut down websites and take legal action against phishers. Phishing scams can be reported to groups such as the Anti-Phishing Working Group via email or its website or the Federal Trade Commission via its website. In addition, many companies at risk of being spoofed have an email address to report scams to -- for example, Netflix and Visa.