It is far too easy for modern consumers and businesses to be lured into digital scams, and phishing is one of the most persistent types. These attacks are engineered to trick unsuspecting users into unwittingly providing personally identifiable information (PII) such as login credentials, passwords, email addresses, credit card details and other valuable data. Phishing attempts have recently seen a significant uptick, experiencing a year-over-year (YoY) increase of 76 percent in 2018.
One reason fraudsters rely so heavily on these attacks is that they are highly effective. A recent Verizon report noted that 30 percent of phishing messages are opened by their intended targets, and 15 percent of those who fall victim will be targeted again within a year.
Businesses are also highly vulnerable to phishing-related scams, and even big-name corporations specializing in identity solutions have fallen prey. Scammers posing as computer hardware vendors recently tricked Google and Facebook employees into making payments valued at $100 million, for example. The FBI noted that fraudsters impersonating vendors stole $676 million last year by tricking company executives and finance officials into sending them money.
The lending market is also no stranger to such fraud. The Department of Education warned last year of a phishing scam using what appeared to be college or university email addresses to target students receiving financial aid.
Messages sent from these accounts asked recipients to update password-protected information, and fraudsters used these details to redirect loan payments into illegitimate accounts.
Such tactics’ success and pervasiveness show they are unlikely to fade away anytime soon. The following Deep Dive explores different types of phishing attacks, how fraudsters pull them off and how consumers can protect themselves as these attempts become more aggressive.
Know Your Phishing Attacks
Not all phishing attacks are alike. Some are wide-ranging and attempt to target as many victims as possible, while others are highly specialized and focus on specific targets.
Email phishing is among the most common types, with fraudsters sending thousands of emails built on false pretexts. Messages could inform recipients that their passwords to certain sites will soon expire and ask them to reset them as soon as possible, for example. These emails link to fake but highly convincing sites that collect users’ details, granting fraudsters access to their accounts. Bad actors view such scams as highly successful, even if only a small portion of recipients fall for them.
Spear phishing is a more concentrated fraud type that targets specific victims. Fraudsters perpetrating these attacks will research a company’s employees and executives to gain specific knowledge of the organization. They then pose as a company official or executive’s family member, friend or coworker and send a fake link requesting employees’ credentials, potentially granting them access to sensitive information such as invoices.
An even more ambitious form of phishing is whaling, which targets businesses’ senior executives. These types of attacks home in on high-level officials who could be warier of being targeted, meaning common phishing emails will often fall flat. Fraudsters might instead send messages threatening legal action, for example, to more successfully bait executives.
Consequences And Preparations
Several high-profile companies across multiple industries have recently fallen victim to phishing attacks, including eBay, Equifax, Marriott and Yahoo. Given the persistence and increasingly brazen nature of these attacks, it is imperative for both consumers and enterprises to take the necessary steps to guard against them.
One of the most-recommended ways to thwart these bad actors is to adopt two-factor authentication (2FA). This method requires those attempting to access accounts to supply something they know, such as a password or knowledge-based answer, and also to prove they possess something only the legitimate user has, such as a smartphone or other registered device. A stolen password alone is therefore not enough to log in.
Education is another tool essential to preventing phishing attacks. Briefing consumers, employees and executives on what they can do to reduce their risk goes a long way toward ensuring data and financial resources are secured. Successful educational campaigns will recommend the adoption of best practices, such as not clicking external links included in suspicious emails.
Emails’ content can also offer warning signs, and recipients should watch out for “too good to be true” offers, sloppy grammar, unknown senders or unusual attachments, especially .exe files. Phishing takes many forms and fools millions of unsuspecting victims each year. Staying vigilant and taking steps to understand fraudsters’ tricks could prevent consumers and businesses alike from being hooked by phishing scams.
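The warning signs above (an unknown sender, an executable attachment, a password-expiry lure pointing to a look-alike site) can be turned into a simple triage check. The following Python script is an added illustration, not code from the original article; the sample messages, the `.test` hostnames and the trusted-domain allowlist are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (hostnames are placeholders, not real infrastructure):
# one carries the password-expiry lure, the other an executable attachment.
PHISH = """From: IT Helpdesk <support@example-bank-login.test>
Subject: Your password expires today

Your password will expire in 24 hours. Reset it now:
http://example-bank-login.test/reset
"""

ATTACH = """From: Vendor <billing@example.test>
Subject: Invoice attached
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="invoice.exe"

MZ...
--b1--
"""

TRUSTED_DOMAINS = {"example.test"}          # assumed allowlist of known senders
RISKY_EXTENSIONS = (".exe", ".scr", ".js")  # .exe is the article's example
LURE_PATTERN = re.compile(r"password.*(expire|reset)", re.I | re.S)

def phishing_indicators(raw):
    # Return the warning signs from the article that appear in one raw email.
    msg = message_from_string(raw)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain not in TRUSTED_DOMAINS:
        findings.append(f"unknown sender domain: {domain}")
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"executable attachment: {name}")
    body = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")
    if LURE_PATTERN.search(msg.get("Subject", "") + " " + body):
        findings.append("password-expiry lure")
    for host in re.findall(r"https?://([\w.-]+)", body):
        if host.lower() not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted host: {host}")
    return findings
```

A message with no findings is not proven safe; the check only surfaces the cues the article asks recipients to watch for.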