MailGuard 31 March 2022 17:27:19 AEDT 6 MIN READ

What is phishing? A quick explainer guide

If your business is in Managed IT Services or Cybersecurity, phishing and spear phishing are two phrases you will hear often. If your work falls outside these industries, the terms may be less familiar to you, which makes you an easier target for cybercrime.


Phishing (and its targeted variant, spear phishing) is a type of cybercrime used to steal user data such as login credentials and credit card numbers. Cybercriminals typically impersonate a trusted brand, company or individual to trick their target into handing over those details. Often victims are completely unaware that their details have been compromised.

Attacks can take many forms, from targeted email messages to fake websites that mimic legitimate login pages. Users can protect themselves by knowing what signs to look for—and avoiding dangerous links altogether.

You hear about phishing on TV and in the news, and most likely your Facebook or Twitter account has been targeted at some point. But what is phishing, exactly? Phishing is a type of cybercrime in which fraudsters send emails with malicious links or attachments in an attempt to steal personal information such as login credentials and credit card numbers. Depending on what was compromised, the information may be used to commit identity theft, to access bank accounts, or to steal the victim's money directly through fraudulent purchases and other financial crimes.

The word phishing comes from fishing: criminals are trying to catch you! For bait, they use your trusted relationships with companies, colleagues and friends, hoping they can trick you into handing over sensitive credentials and access to critical data and assets.

There are three main categories of attack: phishing, spear phishing and whaling.

Regular phishing involves sending mass emails that try to fool people into clicking malicious links or giving up sensitive information under false pretences. Examples include the Netflix scam emails we often intercept here at MailGuard: the cybercriminals are banking on most people having a Netflix account, so there is a good chance that some portion of the recipients will click through without spotting the tell-tale signs.

Spear-phishing attacks are more specific: they target particular individuals rather than groups and rely on social engineering, such as messages that appear to come from someone you know well (a friend or colleague). They also often link to credible-looking websites that seem legitimate but actually harvest credentials or deliver malware designed to compromise the systems of large companies.

Whaling (also called CEO fraud) is a form of spear phishing in that it targets individuals, but here the cybercriminals impersonate a company president, CEO or other key executive (the "whale") who has power and influence. They are banking on the employee feeling obliged to act quickly and to follow the instructions of a senior manager or executive without asking too many questions.

Irrespective of the variant, essentially all forms of phishing involve a cybercriminal impersonating a trusted brand, company or individual to trick the target into sharing their credentials. The initial approach is typically a malicious link delivered via email, SMS, or a post on a forum or social media, designed to trick you into handing over your details.

For whaling and spear phishing, the target is researched online first, so the cybercriminal can tailor the approach to convincingly mimic the sender they are impersonating and avoid raising suspicion. That means checking company websites and social media, the target's Facebook or LinkedIn profile, and industry journals, among other sources of information.

Pretending to be from your bank or IT department, or impersonating a senior executive or CEO, makes an attack more likely to succeed for two reasons: the attacker has already gathered information about the target and can make the message convincing, and it plays on the recipient's psychology, conveying a sense of urgency and a duty to follow the instructions of their executive.
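As an added example (not MailGuard's code and not a description of its product), the following Python script applies several of the tell-tale signs discussed above to a raw email: a display name that claims a brand whose real domain does not match the sending address, a Reply-To that redirects answers elsewhere, link text that shows one site while the href points at another, and urgency wording in the subject. The two sample messages, the brand-to-domain table and the urgency word list are constructed for illustration; the registered-domain helper is a deliberately crude stand-in for a Public Suffix List lookup.

```python
"""Flag common phishing tell-tales in a raw email.

Added example, not MailGuard code. The sample messages, the BRAND_DOMAINS table
and the URGENCY_WORDS list are constructed assumptions for illustration only.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: a spoofed "Netflix" billing lure with a lookalike link.
PHISH_EMAIL = """\
From: "Netflix Billing" <billing@netflix-account-update.example>
Reply-To: collect@mail-relay.example
To: jane.doe@corp.example
Subject: Your account has been suspended - update payment now
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We could not process your payment. Update within 24 hours.</p>
<p><a href="http://netflix-account-update.example/login">https://www.netflix.com/account</a></p>
</body></html>
"""

# Constructed sample: a benign message that should raise no findings.
BENIGN_EMAIL = """\
From: "Netflix" <info@netflix.com>
To: jane.doe@corp.example
Subject: Your monthly statement
Content-Type: text/plain; charset="utf-8"

Thanks for watching.
"""

# Brands we care about and the domains they really send from (assumed for the example).
BRAND_DOMAINS = {"netflix": {"netflix.com"}}
# Pressure words typical of the "act now" framing (assumed list).
URGENCY_WORDS = ("suspended", "urgent", "immediately", "within 24 hours", "verify now")

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host):
    """Last two labels of a hostname. A crude stand-in for a Public Suffix List lookup."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def analyse(raw):
    """Return a list of (code, detail) findings for a raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]
    from_domain = registered_domain(sender.domain)

    # 1. Display name claims a known brand, but the sending domain is not that brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in sender.display_name.lower() and from_domain not in domains:
            findings.append(("brand-domain-mismatch",
                             f"'{sender.display_name}' sent from {sender.domain}"))

    # 2. Replies are redirected to a different domain than the visible sender.
    if msg["Reply-To"] is not None:
        reply = msg["Reply-To"].addresses[0]
        if registered_domain(reply.domain) != from_domain:
            findings.append(("reply-to-mismatch", f"Reply-To {reply.addr_spec}"))

    # 3. Link text shows one site, the href points at another.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, text in ANCHOR_RE.findall(html.get_content()):
            shown = urlparse(text.strip())
            target = urlparse(href).hostname or ""
            if shown.hostname and registered_domain(shown.hostname) != registered_domain(target):
                findings.append(("link-mismatch", f"text {shown.hostname} -> href {href}"))

    # 4. Urgency framing in the subject line.
    subject = str(msg["Subject"]).lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(("urgency", ", ".join(hits)))

    return findings


if __name__ == "__main__":
    for code, detail in analyse(PHISH_EMAIL):
        print(f"[{code}] {detail}")
```

Running the script prints four findings for the constructed lure and none for the benign statement. None of these checks is proof of phishing on its own (a legitimate marketing platform may set a different Reply-To, for instance), which is why a gateway scores several signals together rather than blocking on one.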

Staying educated on the topic is one of the most important steps towards a cyber resilient business. To boost your awareness of scams and what to look for, we recommend checking out ‘6 Effective Ways to Spot an Email Scam’, or testing your knowledge with our ‘Scam or Safe Quiz’.

Keep your business protected  

Prevention is always better than cure, and the best defence is for your business to proactively boost its cyber resilience so that threats never land in inboxes in the first place. With a staggering 94% of malware attacks delivered by email, email is an extremely important vector for your business to fortify.

No single vendor can stop every threat, so don't leave your business exposed. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk, for example a specialist cloud email security solution like MailGuard to complement Microsoft 365.

For more information about how MailGuard can help defend your inboxes, reach out to our team at expert@mailguard.com.au.