What Is a Phishing Attack?
A phishing attack is a form of cybercrime in which criminals trick people into falling for a scam, revealing login credentials or financial information, or running malware. Most often it arrives by email, but it may also involve spoofed websites that look genuine and social engineering that personalizes the lure so it appears legitimate.
Phishing attacks are also used to deliver ransomware, which encrypts your data and blocks access until a ransom is paid, and even paying does not guarantee you get the data back.
The 8 Most Common Types of Phishing Attacks
Don’t be fooled by the cute names given to these attacks. They’re serious and can be devastating for victims. By common industry estimates, more than 90% of cyberattacks begin with a phishing email, and phishing accounts for nearly a third of all successful breaches. Here are the eight most common types cybercriminals use:
1. Business Email Compromise
Business email compromise (BEC) causes the largest financial losses of any phishing category, more than $1.8 billion a year in reported losses. It covers several different scams, the most common being CEO fraud: attackers gain access to a business email account, or convincingly spoof one, impersonate a senior executive such as the CEO, and try to initiate wire transfers or payments for fake invoices. Because the message often comes from a genuine mailbox, mail filters frequently let it through; the reliable control is to confirm any payment request or change of bank details through a second, pre-agreed channel, such as a phone call to a number you already have on file.
2. Whaling
Whaling is the mirror image of CEO fraud: instead of impersonating executives, cybercriminals target them, trying to get them to reveal sensitive information. These phishing emails are packed with personalized company details to appear legitimate. Once attackers steal the login credentials of a high-ranking company official, they take over that mailbox, which is often how a BEC campaign begins.
3. Spear Phishing
Spear phishing attacks are highly targeted. Rather than sending mass emails and hoping someone responds, scammers go after specific people within an organization. They mine company reports, websites, and individuals’ social media accounts for personal details (job title, colleagues, recent travel, suppliers) that make the lure convincing to that one person.
4. Domain Spoofing
Another common phishing attack uses lookalike domains that appear to belong to a legitimate company. Cybercriminals register domains that differ from the real one by a character or two (a swapped letter, a digit in place of a letter, a different top-level domain, or a Unicode character that renders like a Latin one) and send email from them or link to them. When someone clicks the link, they land on a replica of the official website and are asked to enter login or financial information. Hovering over a link to compare the real destination with the displayed text catches many of these, but the difference can be a single character, which is why the check is better done by software than by eye.
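The script below is an added example, not code from the original article or from any product it describes. It pulls every link out of an email’s HTML body, works out the registered domain of each target, and flags the lookalike patterns described above: non-ASCII (homoglyph) host names, digit-for-letter and Cyrillic-for-Latin substitutions, typosquats within two edits of a trusted domain, a trusted name buried in a subdomain (example.com.account-verify.net), and link text that names a different domain than the one the link actually goes to. The trusted-domain list, the public-suffix stub, the confusable map and the sample email are all constructed for illustration; a real deployment would load the full Public Suffix List and the organization’s own domains.

```python
"""Flag lookalike domains and deceptive links in the HTML body of an email.
Added example, not code from the original article; all data below is constructed."""
import re
from urllib.parse import urlsplit

# Constructed allow-list: the organization's own domains and close partners.
TRUSTED_DOMAINS = {"example.com", "examplebank.com"}
# Toy stand-in for the Public Suffix List (a real tool should use the full list).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}
# Digits that mimic letters plus Cyrillic letters that render like Latin ones
# (constructed and deliberately incomplete).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
})
# A host name mentioned in the visible text of a link, e.g. "Log in to example.com".
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})")
# Simplified anchor matcher; a production mail scanner should use a real HTML parser.
ANCHOR = re.compile(r'<a\b[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def normalize(label):
    """Reduce a host label to what the eye sees: rn looks like m, vv like w."""
    return label.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host):
    """The part someone registered: example.com from mail.example.com,
    example.co.uk from shop.example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try the longer public suffix first
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)

def classify_host(host):
    """Return the reasons a link host looks like a spoof of a trusted domain;
    an empty list means no lookalike indicator was found."""
    if not host:
        return ["link has no host (mailto:, javascript:, data: ...)"]
    host = host.lower().rstrip(".")
    reasons = []
    if not host.isascii():
        reasons.append("non-ASCII host name (possible Unicode homoglyph)")
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return reasons  # genuine subdomain of a trusted domain
    label = normalize(reg.split(".")[0])  # registered name without its suffix
    for trusted in TRUSTED_DOMAINS:
        tlabel = trusted.split(".")[0]
        if trusted in host:  # trusted name buried in a subdomain: example.com.evil.net
            reasons.append(f"'{trusted}' appears inside '{host}' but the registered domain is '{reg}'")
        elif label == tlabel:
            reasons.append(f"'{reg}' reads as '{trusted}' (confusable characters or swapped TLD)")
        elif len(tlabel) >= 5 and edit_distance(label, tlabel) <= 2:
            reasons.append(f"'{reg}' is within two edits of '{trusted}' (typosquat)")
    return reasons

def audit_links(html):
    """Check every link's host and flag visible text that names a different
    domain than the one the link actually goes to."""
    findings = []
    for href, inner in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()  # drop nested tags
        host = urlsplit(href).hostname or ""
        reasons = classify_host(host)
        shown = HOST_IN_TEXT.search(text.lower())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append(f"text shows '{shown.group(1)}' but the link goes to '{host}'")
        findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings

# Constructed email body: three deceptive links and one legitimate one.
SAMPLE_EMAIL_HTML = """
<p>Your account is on hold. <a href="https://www.examp1e.com/login">Log in to example.com</a></p>
<p>Or verify at <a href="https://example.com.account-verify.net/x">https://example.com</a></p>
<p>Your statement: <a href="https://mail.example.com/statement">View</a></p>
<p>Questions? <a href="https://www.ex\u0430mple.com/">Support</a></p>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL_HTML):
        print("SUSPICIOUS" if f["reasons"] else "ok        ", f["href"])
        for reason in f["reasons"]:
            print("    -", reason)
```

Run it directly to print each link with its verdict, or call audit_links() on a real message body. The checks are deliberately heuristic: a hit is a reason to look closer, not proof of fraud, and the confusable map covers only a handful of characters.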
5. Smishing
Smishing is phishing over text message (SMS) using the same tactics. Victims see a link that appears to come from a company they do business with, offering a coupon or discount. Tapping it may install malicious code or lead to a form that asks for personal information to claim the offer.
6. Vishing
Vishing, or voice phishing, occurs when cybercriminals call your phone. They may use a recorded message and threatening language, for example claiming that your business or personal credit card has been used fraudulently or that there is a warrant for your arrest, and urge you to take immediate action. Caller ID is trivially spoofed, so the number on the display proves nothing; hang up and call back on a number taken from the organization’s official website or the back of your card.
7. Fake Websites
Sadly, the internet is full of fake websites, many of them deliberately designed to look like the real thing. Some appear in legitimate search engine results, and the scam begins when users visit them. One of the more common tactics is to clone e-commerce sites and offer ridiculously low prices; when consumers try to make a purchase, the site captures their bank account or credit card details for the criminals to exploit.
8. Wi-Fi Compromise
Phishing isn’t limited to email. Besides fake websites, crooks also set up rogue Wi-Fi hotspots in what is sometimes called an evil twin attack. They position themselves near a legitimate business and broadcast a hotspot with the same network name. Anyone who connects is routing their traffic through the attacker’s equipment: the attacker can present a fake captive-portal login page, redirect web requests to lookalike sites, and read any traffic that is not encrypted. Connecting does not by itself hand over control of the device, but it puts the attacker in the path of everything the device sends.
Preventing Phishing Attacks
While it is natural to think of phishing and security breaches as something that happens to big companies, the truth is that cybercriminals are attacking small and mid-sized businesses in record numbers. Over the past two years, attacks on mid-sized companies increased by more than 50%, and small and mid-sized companies account for 43% of all data breaches.
The most important thing you can do to protect your business from phishing attacks is to educate your employees. Training should cover:
- how to recognize phishing scams
- treating urgent or time-sensitive warnings as a red flag rather than a reason to hurry
- verifying the sender and the website before providing sensitive information
- opening attachments only when they are expected, and confirming unexpected ones by another channel even when the sender is someone you know, since their account may be compromised
- what not to share on social media
The best advice is to assume any email you receive is potentially dangerous and to be wary before clicking a link or responding. Training lowers the number of people who click, but it never brings that number to zero, so one mistaken click should never be all that stands between an attacker and your data.
If you have become a victim of a phishing attack, you can file a complaint with the FBI’s Internet Crime Complaint Center (IC3) at https://www.ic3.gov.