Phishing is a social engineering attack, usually delivered by email, that aims to steal a target’s login credentials and other sensitive data, such as credit card details or the personal information needed for identity theft. 91% of successful data breaches start with spear-phishing attacks.
According to the FBI’s 2020 Annual Internet Crime Report, phishing was the most common type of attack, accounting for 32.35% of all cyberattacks last year, with 241,342 incidents recorded. That number has grown more than tenfold in five years, up from 19,465 in 2015.
The relatively new non-fungible token (NFT) market has had another severe breach that casts doubt about its overall security, as more than a dozen accounts were compromised in a phishing attack on industry leader OpenSea.
The hackers targeted owners of “Bored Ape Yacht Club” crypto assets, a series of rough cartoon images of monkeys that remain among the most popular assets on the blockchain, with a current entry value of $242,000 and prices that go up to $1 million.
Across the web, phishing attacks are prompting unsuspecting victims to hand over banking information, social security numbers and more. Cybercriminals are also getting smarter with their disguises. Sometimes these scams hide behind voices you know and trust, like your colleagues, your bank, or even the government. If you click on the link, you may be the next victim of a scammer.
As more and more criminals turn to online scams to steal your personal information, phishing prevention has become essential. We have learned how to avoid spam emails, but phishing emails seem treacherously trustworthy. Some are even made just for you. Since you will most likely encounter a phishing attack sooner or later, you should be aware of the warning signs. Although scams are nothing new on the web, phishing is much harder to spot than you might think.
How Phishing Attacks Work
Most phishing attacks take place via email. The attacker usually gets their hands on a list of leaked email addresses and sends mass phishing emails, expecting to mislead at least a fraction of the recipients.
The sender often tries to impersonate a reputable entity, such as a supplier (in the case of a business) or some utility company (in the case of an individual).
The purpose of the email is to deceive users into responding or, more commonly, clicking on a link that takes them to a fake website mimicking the legitimate site the attacker is impersonating. The user then tries to log in to the fake site, believing it to be the real one, and the attackers capture their password.
Depending on how much work the attacker has put into the fake website, they may also receive additional information needed for identity theft. For example, they can create a dashboard similar to a legitimate website and ask for credit card information, Social Security numbers, addresses, and more, for future attacks.
What are the consequences of a phishing attack?
Financial Loss. The cost of providing identity and/or reimbursement protection to employees or customers can run into the millions if their business data is stolen and misappropriated. In addition to the direct costs of a breach, phishing attacks on employees can lead to fines if GDPR, PIPEDA, or PCI violations are found.
Loss of intellectual property. Aside from the direct financial loss, the most dangerous consequences of a successful phishing campaign can be the theft of intellectual property. Trade secrets, research, customer lists, formulas, and new developments can be compromised. For technology, defence and pharmaceutical organizations, one project, say a drug patent, can easily mean hundreds of millions of dollars in research costs.
Reputational Damage. At their core, brands and reputations are built on trust. The publication of leaked, embarrassing internal communications can damage a reputation and tarnish a brand for good. Media coverage of a severe breach can leave partners, employees and customers perceiving the brand as untrustworthy. The Coca-Cola brand, for example, is arguably worth more than half of the product’s total value; damage to it from phishing attacks could knock hundreds of millions of dollars off the company’s market value.
Investor Confidence. Investors have an ethical responsibility to ensure that cybersecurity programs are a priority at all stages of business development. Cyber-attacks have nearly doubled in the last five years, reducing consumer confidence and increasing demand for cyber security that protects users’ data and privacy.
Business Disruption. In addition to brand impact, business disruptions to critical infrastructure such as energy, transportation, water, healthcare, waste, and technology – the backbone of our economy – can lead to severe economic loss and social unrest.
How to identify suspicious emails:
You should be very vigilant and be suspicious of the following indicators:
- Any email that attempts to cause a panic or urges you to act quickly and without thinking.
- Emails containing unexpected attachments, even if they come from trusted sources (their accounts could have been compromised).
- Claims that your account has been suspended for no reason, or that you must pay money to get it back.
- Pay attention to the links: malicious actors sometimes use look-alike URLs or misleading hyperlinks to confuse users.
- Verify the sender by checking their email address. Look carefully at both the address and the domain the email came from: is it exactly what it should be?
- Be careful when asked for personal information; be very sure who you are sending it to.
- Offers that seem too good to be true.
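The link and sender checks in the list above can be automated for triage. The script below is an added example, not part of the original post or of any product it describes: it parses a constructed sample message (all domains are placeholders under `.test`) and flags a Reply-To domain that differs from the From domain, urgent wording in the subject, and hyperlinks whose visible text shows one domain while the real target points to another. The `registrable_domain` helper is a deliberate simplification and is labelled as such in the code.

```python
"""Heuristic sender and link checks for a suspicious email (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the display name claims to be a bank, but the
# address, the Reply-To and the link target all point elsewhere.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <alerts@example-bank-secure.test>
Reply-To: recovery@mailbox-collector.test
To: customer@example.org
Subject: Your account has been suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account is suspended. Log in within 24 hours to restore access:</p>
<a href="http://example-bank.test.login-verify.test/auth">https://www.example-bank.test/login</a>
<a href="https://www.example-bank.test/help">Help centre</a>
</body></html>
"""

# Words that signal the "act quickly without thinking" pressure described above.
URGENCY_WORDS = ("suspended", "immediately", "within 24 hours", "verify now", "act now")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current_href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current_href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._current_href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href is not None:
            self.links.append((self._current_href, "".join(self._text).strip()))
            self._current_href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Assumption for the demo only; production code should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    """Hostname of a URL, tolerating text that omits the scheme (e.g. www.x.test)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname or ""


def analyse_email(raw):
    """Return a list of human-readable warnings for the raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []

    _display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""

    # 1. Replies routed to a different domain than the one the mail claims to come from.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and "@" in reply_addr:
        reply_domain = reply_addr.rsplit("@", 1)[-1]
        if registrable_domain(reply_domain) != registrable_domain(from_domain):
            warnings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 2. Urgency language in the subject line.
    subject = msg.get("Subject", "").lower()
    for word in URGENCY_WORDS:
        if word in subject:
            warnings.append(f"Urgent wording in subject: '{word}'")
            break

    # 3. Links whose visible text is a URL on one domain but whose target is another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if href and re.match(r"^(https?://|www\.)", text):
                if registrable_domain(host_of(text)) != registrable_domain(host_of(href)):
                    warnings.append(f"Link text shows {host_of(text)} but points to {host_of(href)}")
    return warnings


if __name__ == "__main__":
    for warning in analyse_email(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

Run against the sample, the script reports the Reply-To mismatch, the urgent subject and the misleading link; a benign message from a single domain with honest link text produces no warnings. These checks are indicators to prompt a closer look, not proof of phishing, which is why the advice that follows is to verify through a separate channel rather than act on the email itself.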
When you receive suspicious emails:
- Do not respond, even if the sender is a reputable business or financial institution. If you have an account with this service, contact them through different means to verify the email information.
- Do not click on suspicious email links (or copy and paste them into your browser). This can download malware to your computer or, at best, allow a phisher to verify that your email address is valid.
- Do not open any attachments. If you receive an unexpected attached file, check with the sender through a different channel to confirm that they sent the message themselves and meant to include the attachment.
- Contact your security experts. They can investigate the email, find malicious indicators, and block and mitigate malicious activity.
- Do not enter your personal information or passwords in an untrusted form.
- Delete the message.
Get in contact if you want to learn more!
To keep up to date with all the latest cyber updates and news, follow our LinkedIn.