…And How to Avoid Them

There’s no doubt about it: phishing is still the world’s most common cyber threat.

Three billion fraudulent emails are sent out every day to compromise sensitive information. And, according to the 2021 edition of the Phishing Benchmark Global Report, one in every five phishing email recipients is prone to clicking on the enclosed malicious link.one in every five phishing email recipients is prone to clicking on the enclosed malicious link.

Being able to consistently detect and avoid phishing email attempts that land in your inbox is a key component of strong cyber security. To do that, it’s important to understand the different types of phishing emails and the warning signs to look for in each scenario.

What is a Phishing Email?

A phishing email is a cybercrime that relies on deception to steal confidential information from users and organizations.

Phishing victims are tricked into disclosing information they know should be kept private. Because they trust the source of the information request and believe the party is acting with the best intentions, phishing email victims typically respond without thinking twice.

In a phishing email, cyber criminals will typically ask for your:

  • Date of birth
  • Social security numbers
  • Phone numbers
  • Credit card details
  • Home address
  • Password information (or what they need to reset your password

Cyber criminals then use this information to impersonate the victim and apply for credit cards or loans, open bank accounts, and other fraudulent activity.

Some cyber criminals use the information collected by a phishing email to start a more targeted cyber attack, such as a spear phishing or business email compromise incident, that relies on knowing more about the victim.

How Does Phishing Happen?

Phishing happens when a victim replies to a fraudulent email that demands urgent action.

Examples of requested actions in a phishing email include:

  • Clicking an attachment
  • Enabling macros in Word document
  • Updating a password
  • Responding to a social media connection request
  • Using a new Wi-Fi hot spot.

Every year, cyber criminals become savvier with their phishing attacks and have tried-and-tested methods to deceive and steal from their victims. According to 2021 data from Verizon, hackers took advantage of the COVID-19 pandemic to up the frequency with which phishing emails were sent out as part of cyber attacks.

Since phishing attacks come in many different forms, differentiating one from a valid email, voice mail, text message, or information request can be difficult. For this reason, phishing simulations are an ideal way to test users’ knowledge and boost organization-wide levels of phishing awareness.

Examples of Different Types of Phishing Attacks

Just like everything else on the internet, phishing email attacks have evolved over the years to become more intricate, enticing, and tougher to spot.

To successfully pinpoint and flag suspicious messages in their inbox, all your users must be familiar with phishing emails’ different forms.

Phishing Email

Phishing emails still comprise a large portion of the world’s yearly slate of devastating data breaches. Phishing emails are designed to appear to come from a legitimate source, like Amazon customer support, a bank, PayPal, or another recognized organization. Cyber criminals hide their presence in little details like the sender’s URL, an email attachment link, etc.

Spear Phishing

This more targeted phishing email attack relies on data that a cyber criminal has previously collected about the victim or the victim’s employer. Typically spear phishing emails use urgent and familiar language to encourage the victim to act immediately.

Link Manipulation

Relying on carefully worded phishing emails, this attack includes a link to a popular. This link takes victims to a spoofed version of the popular website, designed to look like the real one, and asks them to confirm or update their account credentials.

Fake Websites

Cyber criminals send phishing emails that include links to fake websites, such as the mobile account login page for a known mail provider, asking the victim to enter their credentials or other information into the fake site’s interface. The malicious website will often leverage a subtle change to a known URL to trick users, such as mail.update.yahoo.com instead of mail.yahoo.com.

CEO Fraud

This example of a phishing attack uses an email address familiar to the victim, like the one belonging to the organization’s CEO, Human Resources Manager, or the IT support department. The email urgently asks the victim to act and transfer funds, update employee details, or install a new app on their computer.

Content Injection

Savvy cyber criminals hack a familiar website and include a fake website login page or pop-up that directs website visitors to a fake website.

Session Hijacking

With this advanced phishing attack, criminals gain access to a company web server and steal the confidential information stored on the server.

Malware

All it takes to install malicious software on a computer or company network is clicking an email attachment. These attachments look valid or may even be disguised as funny cat videos, eBook PDFs, or animated GIFs.

“Evil Twin” Wi-Fi

This occurs when free Wi-Fi access points are spoofed. Victims unknowingly log into the wrong Wi-Fi hotspot. Wi-Fi access points commonly spoofed include those available in coffee shops, airports, hospitals, shopping malls, public parks, and other public gathering locations.

Mobile Phishing (Smishing)

A fraudulent SMS, social media message, voice mail, or other in-app message asks the recipient to update their account details, change their password, or tell them their account has been violated. The message includes a link used to steal the victim’s personal information or install malware on the mobile device.

Voice Phishing (Vishing)

This scenario occurs when a caller leaves a strongly worded voicemail that urges the recipient to respond immediately and to call another phone number. These voicemails are urgent and convince the victim for example, that their bank account will be suspended if they don’t respond.

Man-In-The-Middle

This sophisticated phishing email attack tricks two people into believing that they’re emailing each other. However, the hacker sends fake emails to each person asking them to share information or update confidential corporate information.

Malvertising

This phishing technique uses online advertisements or pop-ups to compel people to click a valid-looking link that installs malware on their computer.

Real-World Examples of Phishing Email Attacks

One common thread that runs through all types of phishing emails, including the examples below, is the use of social engineering tactics. Like most phishing attacks, social engineering preys on the natural human tendency to trust people and companies.

This leads to many users failing to carefully review phishing email details and automatically trusting the sender’s request. Email phishing victims believe they’re helping their organizations by transferring funds, updating login details, or providing access to proprietary data.

(example of phishing email)

Make sure your colleagues are aware of these common examples of phishing emails:

Account Deactivation

An email from PayPal arrives telling the victim that their account has been compromised and will be deactivated unless they confirm their credit card details. The link in the phishing email takes the victim to a fake PayPal website and the stolen credit card information is used to commit further crimes.

Compromised Credit Card

The cyber criminal knows the victim made a recent purchase at Apple for example, and sends an email disguised to look like it is from Apple customer support. The email tells the victim that their credit card information might have been compromised and to confirm their credit card details to protect their account.

Transfer Funds

An urgent email arrives from the company CEO, who is currently traveling. The email asks the recipient to help out the CEO transfer funds to a foreign partner. This phishing email tells the victim that the fund request is urgent and necessary to secure the new partnership. The victim doesn’t hesitate to transfer the funds, believing she is helping both the company and the CEO.

Social Media Request

A Facebook friend request arrives from someone who has the same Facebook friends as you. You don’t immediately recognize the person but assume the request is legitimate because of the friends in common. This new friend then sends you a Facebook message with a link to a video that, when clicked, installs malware on your computer and potentially the company network.

Fake Google Docs Login

A cyber criminal creates a fake Google Docs login page and then sends a phishing email to trick someone into logging into the faked website. The email might read something like, “We’ve updated our login credential policy. Please confirm your account by logging into Google Docs.” The sender’s email is a faked Google email address, [email protected]

(example of phishing email)

Company Tech Support Request

Employees receive an email from corporate IT asking them to install new instant messaging software. The email looks real. However a spoofed email address is used [email protected] instead of [email protected] When employees install the software, ransomware is installed on the company network.

When employees install the software, ransomware is installed on the company network. These phishing attack examples highlight how easy it is to be tricked by an email. The more familiar people are with how phishing happens, the easier it is to foster a cyber-aware culture.

Take advantage of Terranova Security’s free Phishing Simulation Trial to raise awareness of how phishing email attacks happen.

How To Protect Against Phishing Emails

To protect against phishing emails, you need to raise awareness of how phishing happens. When people experience first-hand how easy it is to be tricked by what looks like a valid email, they are more likely to carefully review email details before automatically clicking Reply, an embedded link, or downloading an attachment.

To protect against phishing emails, remember these five keys to building a cyber secure aware culture:

  1. Educate: use security awareness training and phishing microlearnings to educate, train, and change behavior.
  2. Monitor: use phishing simulation tools to monitor employee knowledge and identify who is at risk for a cyber attack.
  3. Communicate: provide ongoing communications and campaigns about phishing emails, social engineering, and cyber security.
  4. Incorporate: make cyber security awareness campaigns, training, support, education, and project management part of your corporate culture.

You want to be protected from phishing email attacks. The same sentiment extends to your colleagues, organization, friends, and family members. Everyone must be able to keep their information safe

The best way to do this is to create optimal levels of cyber security awareness. The first step is finding out who is at risk for a phishing attack. We recommend you try our free Phishing Simulation Tool so you can move forward with creating a cyber security-aware culture.

 


 

You can also share different kits, including infographics, other blog posts, videos, and much more, from the Cyber Security Hub!

It’s a 100% free content repository you can instantly access and use to share crucial security awareness tips and best practices with those close to you.