Of all of the major cyber threats to businesses and individuals, phishing is the most common. Recent studies indicate that 65 percent of U.S. organizations experienced a successful phishing attack in 2019, and 22 percent of data breaches began with phishing campaigns.
“In its simplest form, phishing is the practice of sending a link via email or text or embedding a link on a website that, when clicked, downloads malware onto the user’s device as well as any other devices that are connected to the same network,” says CyberScout founder and chairman Adam Levin.
“From there, any number of things can happen. There are viruses that send hackers your most sensitive logon information, and others that recruit your machine into a botnet used to send illegal spam through networks that can create enough computing power to disable important servers. Your privileged access at work can be grabbed to transfer funds, hijack databases loaded with sensitive customer and employee information or steal intellectual property.”
The commonplace nature of phishing as a method of cyberattack is due in part to the fact that it typically relies on relatively simple methods to deceive targets, but it also owes something to the ubiquity and weak security of email as a platform.
“Email currently has a 90.1% penetration rate… in the United States, compared to 68% for Facebook and 23% for Twitter,” says Levin. “Email addresses are still the main way we authenticate ourselves to do business online, and because of that email represents an extremely weak link in your collective cybersecurity.”
While phishing traditionally relies on email, it can incorporate other means of communication, including voice calls and SMS texts, comprising what is sometimes referred to as “the pantheon of -ishings”:
Vishing (voice phishing): a phishing scam conducted by phone. Scammers will often contact their targets claiming to be representatives of banks or financial organizations and attempt to obtain account information or to get the target to wire money.
“Vishing is how hackers take advantage of phone number databases... They’ll call you and claim to be from your bank (they just need your account number and routing information), the IRS (just confirm your Social Security number) or even Microsoft (just let them log into your PC remotely) to try to gain access to your personal or financial information or even install malware on your devices,” says Levin.
Smishing (SMS / text phishing): a phishing variant that targets mobile device users. As with vishing and phishing, criminals pose as representatives of familiar organizations or businesses in an attempt to gain access to sensitive information or to trick users into clicking a link that installs malware on their devices. Smishing attacks typically target individuals, but can be leveraged into a wider-scale attack against an organization.
The early 2020 hack of Amazon founder and CEO Jeff Bezos through a malware link sent via WhatsApp is an example of this exploit.
“[I]f you use your smartphone to access the internet, bear in mind that there are hidden dangers everywhere, and pause before you pounce on text warnings,” says Levin.
While phishing and similar schemes continue to be effective, their relative simplicity as an attack vector means that proper and regular training for employees can help identify all but the most clever campaigns. Levin suggests that individuals follow the Three M’s of cybersecurity to protect themselves: Minimize, Monitor, and Manage.
Minimize the risk of exposure by practicing good cyber hygiene, not sending sensitive information over email or an unencrypted connection, and being skeptical of any message alerting you to “urgent” issues with your accounts.
Monitor accounts by checking credit and bank accounts, signing up for alerts, and double-checking every transaction. Many victims of phishing scams aren’t aware that they’ve been had until weeks after the fact.
Manage the damage by reporting scams to the proper authorities, signing up for identity theft protection when possible, and changing logins and passwords if you suspect you’ve been breached.