Cybersecurity for businesses is an increasingly important issue about which one must be well informed. Among the various attacks, the most common and deceptive one is Phishing. But what is it and how can we defend ourselves? Read the article to find out.
What is Phishing?
Phishing is a type of cyber attack, carried out on the Internet network to deceive users. It takes place especially through deceptive emails, containing a message that – reporting registration or other problems – invites users to provide their access data to the service, such as banking services.
To reassure the user that the email is reliable, a link is placed inside that refers to the original website. In reality, it is a fake site, structured identically to the original one. Thus, the user, confident in the reliability of the site, enters their data, which will then be available to criminals.
In email phishing, there are three main mechanisms for scamming the user:
- Malicious links, that is, links that direct victims to websites infected with malware, that is, a malicious program or code that puts a system at risk;
- Malicious attachments, meaning attachments that, when opened, may contain malware that compromises the victim’s computer;
- Fake fill-in forms, which are sites created with the same format as original sites where forms are filled in that are useful for taking possession of the victim’s sensitive data.
History of Phishing: how this attack originated
Phishing was born in the mid-1990s. A group of young people modified the chatroom function of Internet service provider AOL, posing as one of the administrators. Their purpose was to gain unlimited free access to the provider by acquiring the credit card numbers of other customers.
The hackers, therefore, within this chatroom, which was created to offer assistance to users of the site, informed the latter that there was a problem with their account. The user was asked to enter a credit card number, which was later captured and used to pay the hackers’ accounts. Phishing scams are still common today; in fact, according to the Verizon 2022 Data Breach Investigations Report (DBIR), more than 60 percent of breaches occurred through phishing.
Which sectors are most affected?
As we have seen, the phenomenon of phishing is becoming more and more widespread as time goes on. Many sectors are affected by this attack, including financial institutions, online payment services, and social media. Currently, we find a higher percentage of phishing in Webmails or software we use in the Software as a Service (Saas) mode, tools used for managing file storage, creating Web sites, and, most importantly, enabling collaboration inside and outside the organization.
This service allows users to create Web sites without having to write any kind of code. This has attracted quite a lot of interest from cybercriminals, who have begun to exploit these platforms by inserting links to phishing pages. These links are hosted on legitimate domains, consequently, they are particularly difficult for engines to detect this type of threat, which is why the trend of this attack in this area seems likely to increase.
What are the different types of Phishing?
Phishing is used because it represents cyber criminals, a simple and above all effective type of attack. Those who fall for the phishing scam risk identity theft and loss of sensitive data. It can also be infected with malware, which includes the dreaded ransomware, a type of malware that restricts access to affected devices, requiring a ransom to be paid to remove the restriction. As mentioned earlier, phishing occurs especially via email, but to defend against these attacks, it is important to know that there are several types, so let’s find out which ones.
Phishing on search engines
This type of phishing involves work by hackers to get their phishing site to appear among the first results of a search using a browser. There are many efforts by search engines to prevent certain sites from appearing among the first results, but this is often not enough. Clicking on the displayed link, you access the site the hacker created, and by interacting with it, you risk being robbed of your sensitive data.
Spear phishing represents a significantly more precise and targeted attack than phishing. These attacks are created specifically for the victim. The scammers prepare by gathering detailed information about the victim, such as the field of work or role in the company. With this information, the hacker can pretend to be interested in a cause supported by the victim, or pretend to be someone they know, to gain the confidence to obtain the data to steal, through the victim opening malicious links or attachments.
A practical example of a spear-phishing email might be, “Mark, for your more in-depth training, we suggest that you sign up for the webinar scheduled for this Monday (link to the compromised, or spoofed, website), which others of your colleagues will also be attending.”
If spear-phishing is a distinctly targeted attack, whaling is specific to attacks against companies. Also known as Business Email Compromise (BEC), whaling is a type of attack that directly targets corporate officers or directors, with the intent of stealing money or sensitive information to gain access to corporate computer systems for criminal purposes; therefore, through whaling, key individuals in the company are targeted and lured through communications that appear to come from the CEO or other influential people in the corporate organization.
The danger of Phishing lies in being a cyber attack by which the hacker manages to scam you without you knowing it Click To Tweet
Smishing is very similar to phishing among its types, the difference being that it occurs mostly via text message on the phone. Typically, a link is attached to the message, personalized with the victim’s data, which can lead to a phishing site or malware that can compromise the phone and be used to spy on the user’s smartphone data.
When we talk about vishing, we are dealing with a less frequent but no less deadly type of phishing. Criminals typically target the victim through a phone call, made more credible through voice-altering software or generating pre-set messages, with which they manage to obtain sensitive information from targeted users.
How to protect against phishing
Protecting against phishing, which, as we saw earlier is a major threat, must be a priority. To do so, companies can invest in training courses for their employees to increase their awareness in the area of cybersecurity. Indeed, the employee must be able to recognize possible threats. Training, through real examples of phishing attacks and various simulations, will make the employee ready to deal with a possible risk of attack.
In addition, to protect against phishing, a key role is played by technology. This is the case with the Security Email Gateway (SEG), a set of technologies that can detect and classify phishing emails based on the bad reputation of links attached to the emails themselves. Although SEG has limitations, such as links escaping as arranged by a legitimate domain, much more effective is email gateway technology.
The latter, tests the links contained in suspicious emails, moving them to a separate folder. Afterward, administrators can test and figure out if they are phishing emails.
Cybersecurity is constantly evolving, which is why companies must have a greater awareness of the importance of investments in cybersecurity so that the risks of attacks can be reduced.