Phishing and spear phishing are phrases we hear often, especially those of us working in Managed IT Services or cybersecurity, protecting a company’s data and vital information or looking after the online privacy and reputations of its key executives and personnel. Unfortunately, many of the staff in those businesses still don’t know what phishing or spear phishing really means, which makes them more vulnerable to cybercrime than they would be otherwise. This post aims to give them the basics of what phishing is and how it works. Let’s get started!
Phishing, and its targeted variant spear phishing, is a type of cybercrime used to steal user data, including login credentials and credit card numbers. Cybercriminals typically impersonate a trusted brand, company or individual to trick their target into sharing their credentials. Sometimes victims are completely unaware that their details have even been compromised.
Attacks can take many forms, from targeted email messages to fake websites that mimic legitimate login pages. Users can protect themselves by knowing what signs to look for—and avoiding dangerous links altogether.
You hear about phishing on TV and in the news – and most likely, your Facebook or Twitter account has been targeted at some point. But what is phishing, exactly? Phishing refers to a type of cybercrime where fraudsters send out emails with malicious links or attachments in an attempt to steal personal information like login credentials and credit card numbers. Depending on the compromise, the information may be used to commit identity theft, to access bank accounts or even to steal the victims’ money directly for purchases and other financial crimes.
The word phishing comes from fishing: criminals are trying to catch you! For bait, they use your trusted relationships with companies, colleagues and friends, hoping they can trick you into handing over sensitive credentials and access to critical data and assets.
There are three main categories of attack: phishing, spear phishing and whaling.
Regular phishing involves sending mass emails that try to fool people into clicking on malicious links or giving up sensitive information under false pretences. Examples include the Netflix scam emails that we often intercept here at MailGuard. The cybercriminals are banking on most people having a Netflix account, so there’s a good chance that at least some portion of the recipients will click through without spotting the tell-tale signs.
Spear-phishing attacks are more specific: they target individuals rather than groups and rely on social engineering techniques such as sending messages that appear to come from someone you know well (like a friend or colleague). They also often link to convincing fake websites that appear legitimate but actually deliver malware designed specifically to compromise computer systems in large companies.
Whaling (or CEO Fraud) is a form of spear phishing, in that it targets individuals. In the case of whaling, however, the cybercriminals generally impersonate a company President, CEO or other key executive (AKA, a whale) who has power and influence. They’re banking on the employee feeling obliged to act quickly and to follow the instructions of their senior manager or executive without asking too many questions.
Irrespective of the variant, essentially all forms of phishing involve a cybercriminal impersonating another trusted brand, company or individual to trick their target into sharing their credentials. The initial approach will typically be in the form of a malicious link via email, SMS or a post on a forum or social media, in order to trick you into handing over your details.
For whaling and spear phishing, the target is researched online first, enabling the cybercriminal to socially engineer their approach so that it convincingly mimics the sender they are impersonating, thereby avoiding detection. That means checking company websites and social media, the targets’ Facebook or LinkedIn profiles, and industry journals, among other sources of information.
Pretending to be from your bank or IT department, or impersonating a senior executive or CEO, makes attacks more successful: the hackers have gathered information about their targets before launching the attack, and the pretext plays on the psychology of the recipient, conveying a sense of urgency and a duty to follow the instructions of their executive.
Keeping businesses protected
Prevention is always better than a cure, and the best defence is to encourage businesses to proactively boost their company’s cyber resilience levels so that threats never land in inboxes in the first place. The fact that a staggering 94% of malware attacks are delivered by email makes email an extremely important vector for businesses to fortify.
No one vendor can stop all threats, so it’s crucial to remind customers that if they are using Microsoft 365 or Google Workspace, they should also have a third-party email security specialist in place to mitigate their risk, for example a third-party cloud email solution like MailGuard.
Talk to us
MailGuard's partner blog is a forum to share information and we want it to be a dialogue. Reach out to us and tell us how we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.
Australian partners, please call us on 1300 30 65 10
US partners call 1888 848 282 2
UK partners call 0 800 404 8993