Phishing: Best practices for cybercrime prevention

[Image: fish hook hooked onto a credit card on a computer keyboard, representing phishing and the importance of cyber security]

It started back in 1996 when hackers pretended to be AOL administrators to phish for login credentials so they could access the internet for free. Today, phishing is a top security concern for 50% of IT decision makers. Is it any wonder when you consider its prevalence and success?

According to a recent report, “83% of organizations experienced a successful email-based phishing attack in which a user was tricked into a risky action, such as clicking a bad link, downloading malware, providing credentials, and executing a wire transfer.” Clearly, cyber security is on everyone’s mind, from CFOs and IT professionals to individuals. But what exactly is phishing?

Phishing 101.

Merriam Webster defines phishing as “the practice of tricking internet users (as through the use of deceptive email messages [AKA phishing emails] or websites) into revealing personal or confidential information, which can then be used illicitly.”

Why the unique spelling? The dictionary further states its spelling as having been “influenced by an earlier word for an illicit act: ‘phreaking.’ Phreaking involves fraudulently using an electronic device to avoid paying for telephone calls, and its name is suspected of being a shortening of ‘phone freak.’”

How does one fall victim to phishing? In a typical case, the scammer gains remote access to your computer through illicit means. They pose as tech support agents or use other phishing attacks to trick you into giving them remote access to your computer. With that done, they can crawl your hard drive for sensitive data, passwords and photos, and even withdraw money from your bank accounts, steal your identity or extort you for money. So what are the different types of phishing to look out for?

Most common types of phishing

There are several types of phishing:

Email phishing

Email phishing is the most common. The fraudster registers a fake domain that looks like a real organization’s and sends thousands of emails at one time. The domain may use a character substitution, like “r” and “n” next to each other to create “rn” instead of “m.” Sometimes, the domain appears legitimate. You see the name of the organization in the sender’s address and assume it’s genuine when it’s anything but.
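The lookalike-domain trick described above is something mail filters can check for mechanically. The following is an added example (not code from the original post or from GoTo) that classifies a From: header as trusted, a lookalike of a trusted domain, a display-name spoof, or unknown. The trusted-domain list, the table of confusable character sequences and the sample addresses are all constructed for illustration.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// trustedDomains lists domains we expect mail from (constructed for this example).
var trustedDomains = map[string]bool{"example.com": true, "goto.com": true}

// confusables maps visually similar sequences to the character they imitate,
// so that "exarnple.com" and "g0to.com" collapse to their trusted spelling.
var confusables = [][2]string{
	{"rn", "m"}, {"vv", "w"}, {"cl", "d"},
	{"0", "o"}, {"1", "l"}, {"3", "e"}, {"5", "s"},
}

// Skeleton normalises a domain so confusable sequences compare equal.
func Skeleton(domain string) string {
	d := strings.ToLower(strings.TrimSpace(domain))
	for _, c := range confusables {
		d = strings.ReplaceAll(d, c[0], c[1])
	}
	return d
}

// RegistrableDomain keeps the last two labels (mail.example.com -> example.com).
// Public-suffix handling (co.uk and friends) is out of scope for this example.
func RegistrableDomain(domain string) string {
	labels := strings.Split(strings.ToLower(domain), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// Verdict is the outcome of checking one From: header.
type Verdict struct {
	Address      string
	Domain       string
	Result       string // trusted, lookalike, display_name_spoof, unknown, unparseable
	Impersonates string // the trusted domain being imitated, if any
}

// ClassifySender inspects a raw From: header value.
func ClassifySender(header string) Verdict {
	addr, err := mail.ParseAddress(header)
	if err != nil {
		return Verdict{Result: "unparseable"}
	}
	at := strings.LastIndex(addr.Address, "@")
	reg := RegistrableDomain(addr.Address[at+1:])
	v := Verdict{Address: addr.Address, Domain: reg, Result: "unknown"}

	if trustedDomains[reg] {
		v.Result, v.Impersonates = "trusted", reg
		return v
	}
	for t := range trustedDomains {
		if Skeleton(reg) == Skeleton(t) {
			v.Result, v.Impersonates = "lookalike", t
			return v
		}
	}
	// Display-name spoofing: the friendly name carries a trusted brand
	// but the actual sending domain is unrelated.
	name := strings.ToLower(addr.Name)
	for t := range trustedDomains {
		brand := strings.SplitN(t, ".", 2)[0]
		if strings.Contains(name, brand) {
			v.Result, v.Impersonates = "display_name_spoof", t
			return v
		}
	}
	return v
}

func main() {
	// Constructed sample From: headers; none of these are real senders.
	samples := []string{
		"IT Support <helpdesk@example.com>",
		"IT Support <helpdesk@exarnple.com>",
		"Accounts <accounts@g0to.com>",
		"GoTo Billing <billing@mail-notify.net>",
		"newsletter@unrelated.org",
	}
	for _, s := range samples {
		fmt.Printf("%-42s -> %+v\n", s, ClassifySender(s))
	}
}
```

The skeleton comparison is deliberately crude: it catches the “rn” for “m” and digit-for-letter swaps the post mentions, but a production filter would also handle Unicode homoglyphs (punycode domains) and use a public-suffix list instead of the last-two-labels shortcut.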

Spear phishing

Spear phishing is sending malicious emails to a specific person. The fraudster has some or all of the following information about the victim—name, place of employment, job title, email address and specific information about their job. What’s the difference between phishing vs. spear phishing? Spear phishing is so much more convincing, as the sender seems to know a lot about you. And that’s how they get you—you think they know you.

Whaling

Whaling is aiming sophisticated, targeted attacks at senior executives, or sending emails that masquerade as coming from senior executives to deceive others.

Angler phishing

Angler phishing is a relatively new method of attack via social media using fake URLs, cloned websites, posts and tweets, as well as instant messaging. The result? People give up sensitive information or download malware.

Here’s something else to look out for:

Deepfakes

Deepfakes are AI-powered video- and audio-based messages that often make it look as if someone is saying or doing something they never said or did. These can have severe criminal implications. For instance, one finance executive received an urgent voice mail from his boss ordering a wire transfer. However, it was a fake audio message. Deepfake videos can also be used to misrepresent well-known politicians or used to blackmail.

Education is your best protection.

Whether phishing or deepfakes, cybercrime is becoming ever more sophisticated. As such, it behooves organizations and individuals to be wise to prevention methods—in essence, stop it before it even starts.

  • Never click on links in emails or text messages. Go directly to that site and log in to see if your account has been compromised.
  • Ignore tech support scams or pop-ups claiming your device has been infected by a virus. Do your research before calling a tech service. Close the pop-up window immediately!
  • Never click on a link or call a number listed on a notification offering to clean your device.
  • Got an unexpected email or text saying you owe a large amount of money? Delete it.
  • Block and report any scam emails that come into your inbox.
  • Never pay for a service using gift cards—that’s a clear sign it’s a scammer.
  • Check out the Better Business Bureau’s Scam Tracker.

Demand zero trust security.

You can help defend your organization from malicious actors by making sure your company’s remote access software has a zero trust security architecture. GoTo Resolve, for instance, the all-in-one IT support and management solution, is powered by zero trust architecture. Its industry-leading security model works simply to help protect your organization from malicious actors gaining access to your IT infrastructure.

  • Agents sign remote access actions (like IT automation) with a signature only they know. Advanced access control means no one can modify or create a task on the agent's behalf.
  • Endpoints never trust blindly. They always verify the signature before granting access, locking out hackers.
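The two bullets above describe a sign-then-verify pattern: the agent signs each action with a key only it holds, and the endpoint verifies that signature before acting. The following is an added illustration of that pattern, not GoTo Resolve’s implementation or code from the post; the use of Ed25519, the task layout, and the nonce and expiry checks are assumptions made here to show what “never trust blindly” looks like in code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Task is one remote-access action an agent asks an endpoint to run.
type Task struct {
	AgentID  string `json:"agent_id"`
	Command  string `json:"command"`
	IssuedAt int64  `json:"issued_at"` // Unix seconds
	Nonce    string `json:"nonce"`     // unique per task, for replay detection
}

// SignedTask is a Task plus the agent's Ed25519 signature over its canonical bytes.
type SignedTask struct {
	Task      Task
	Signature []byte
}

// Agent holds a private key that never leaves it; only the agent can sign.
type Agent struct {
	ID   string
	priv ed25519.PrivateKey
}

// Endpoint holds only the public keys of agents it trusts, plus replay state.
type Endpoint struct {
	trusted map[string]ed25519.PublicKey
	seen    map[string]bool
	maxAge  time.Duration
}

// canonical serialises a Task deterministically (json.Marshal keeps struct field order).
func canonical(t Task) []byte {
	b, err := json.Marshal(t)
	if err != nil {
		panic(err)
	}
	return b
}

// NewAgent generates a fresh key pair; the public half is what gets enrolled on endpoints.
func NewAgent(id string) (*Agent, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Agent{ID: id, priv: priv}, pub
}

// Sign builds a task and signs it with the agent's private key.
func (a *Agent) Sign(command, nonce string, now time.Time) SignedTask {
	t := Task{AgentID: a.ID, Command: command, IssuedAt: now.Unix(), Nonce: nonce}
	return SignedTask{Task: t, Signature: ed25519.Sign(a.priv, canonical(t))}
}

func NewEndpoint(maxAge time.Duration) *Endpoint {
	return &Endpoint{trusted: map[string]ed25519.PublicKey{}, seen: map[string]bool{}, maxAge: maxAge}
}

// Trust enrols an agent's public key.
func (e *Endpoint) Trust(agentID string, pub ed25519.PublicKey) { e.trusted[agentID] = pub }

// Verify returns nil only if the task may run; every other path is a refusal.
func (e *Endpoint) Verify(st SignedTask, now time.Time) error {
	pub, ok := e.trusted[st.Task.AgentID]
	if !ok {
		return fmt.Errorf("unknown agent %q", st.Task.AgentID)
	}
	if !ed25519.Verify(pub, canonical(st.Task), st.Signature) {
		return errors.New("signature does not match task")
	}
	age := now.Sub(time.Unix(st.Task.IssuedAt, 0))
	if age < 0 || age > e.maxAge {
		return errors.New("task expired or issued in the future")
	}
	if e.seen[st.Task.Nonce] {
		return errors.New("replayed task")
	}
	e.seen[st.Task.Nonce] = true
	return nil
}

func main() {
	agent, pub := NewAgent("agent-1")
	ep := NewEndpoint(5 * time.Minute)
	ep.Trust("agent-1", pub)
	now := time.Now()

	st := agent.Sign("restart-service print-spooler", "nonce-1", now)
	fmt.Println("genuine task: ", ep.Verify(st, now))

	tampered := st
	tampered.Task.Command = "tampered-command" // signature no longer matches
	fmt.Println("tampered task:", ep.Verify(tampered, now))
	fmt.Println("replayed task:", ep.Verify(st, now.Add(time.Second)))

	rogue, _ := NewAgent("agent-1") // same ID, but this key was never enrolled
	fmt.Println("rogue agent:  ", ep.Verify(rogue.Sign("x", "nonce-2", now), now))
}
```

The point to notice is the asymmetry: the endpoint stores no secret, only public keys, so compromising an endpoint yields nothing that lets an attacker forge tasks for other endpoints, and a task whose bytes were altered in transit, replayed, or signed by an unenrolled key is refused before anything runs.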

While cyberattacks may be on the rise, and methods are evolving, there is much you can do to help counter them—from education to zero trust security architecture. Ensure your employees are well informed and get GoTo Resolve, free.