What is Phishing?

Table of Contents

Phishing is categorized as a form of online fraud where criminals rely on posing as reputable sources in order to lure victims into giving them confidential data or tricking them into downloading malicious software. These communication tactics involve the use of email, social media, text messages, phone calls, and websites.

A severe attack on MGM resorts was perpetrated by a European cybergang called Scattered Spider that took just 10 minutes of phishing. The gang went on LinkedIn to find MGM employees, made a few fraudulent phone calls, and got login credentials. Scattered Spider has been known for leveraging social media and their success at hacking is often due to their research skills and ability to emulate people. 

Phishing is the most common type of cyberattack that people face globally. It’s so prevalent that the spam box in most email accounts is often filled with a wide variety of phishing scams, from claiming to be a bank account you just opened, to outrageous declarations that you inherited a fortune from a long lost uncle in Portugal. According to the 2023 Phishing Statistics report, nearly 3.4 billion spam emails are sent daily and Google blocks about 100 million phishing emails a day.

The Cost of Phishing

In 2022 the top internet crime experienced by the FBI was phishing, with a total count of 300,497 victims in the US resulting in a financial loss of over $52 million dollars. In the 2023 Cost of Data Breach Report, the reason why phishing has such a costly impact is due to the fact that it takes an average 298 days for phishing attacks to be identified and contained. In the United States 83% of Chief Information Security Officers (CISOs) expressed that identifying compromised assets across their network is a high-priority project.

Phishing has always been one of the top threats in cybersecurity because it’s often the very first step in a larger scale attack. According to IBM, 41% of breaches have phishing as the initial attack vector. In the MGM resort incident, phishing was used to gain access to then deploy a huge ransomware attack. MGM is said to have lost nearly $8.4 million, or about 10% to 20% of their daily revenue for each of the 9 days of system disruptions.

Precursor malware is also a common result of phishing from victims who click on supposedly legitimate links and attachments in emails. In the case of Universal Health Services (UHS), convincing emails were sent to staff impersonating trusted sources or colleagues and were filled with malicious attachments and links. UHS suffered a total  loss of $67 million dollars from the attack.

What Is Ransomware?

Learn more about the different types of precursor malware and how it leads to ransomware.

Most Common Phishing Attacks

New types of phishing tactics are developed often. Here are examples of phishing that use the most common and current trending scams out there:

Type of Attack

Description

Spear Phishing

Attacks directed at specific companies or individuals. Lots of information is gathered to make the imposter seem like a trustworthy contact. 

Whaling

Targets strictly senior level executives with the goal of stealing large volumes of sensitive data. Most of these targets have the ability to authorize payments.

Pharming

Tricks users into logging into very convincing fake websites to obtain their login credentials. 

Quishing

QR codes that direct victims to fake websites that may seem like restaurant menus, adverts, commercial tracking, etc.

Voice Phishing

Phone calls targeting victims to vocally confirm their sensitive data. The victim’s voice is then recorded stating their personal data or simply getting them to say “yes” for approved transactions.

Smishing

Attackers use convincing text messages to get victims to disclose account credentials or install malware. Also known as SMS phishing. 

Social Media Phishing

The goal is to impersonate victims by obtaining their social media logins in order to reach out and scam the victim’s friends and family via Instagram, TikTok, LinkedIn, Facebook, etc.

Phishing Prevention Strategies

Don’t be fooled! Phishing has become increasingly more sophisticated and can involve clever deception and psychological manipulation. Successful phishing attacks rely on human error and naiveté. Below are some Phishing Prevention strategies that can help your organization be better prepared:

  1. Provide updated awareness training: Present examples to your team on the latest phishing scams and key identifiers. 
  2. Encourage reporting “phishy” attacks: Provide a resource that people can report suspicious emails, phone calls, links, attachments and websites to.
  3. Promote regular password rotations: Encourage users into the habit of regularly changing passwords.
  4. Stay on top of updates: Updates often provide security patches for software and browsers, make sure everyone around you has the most up to date version. 
  5. Enable data confirmation for everyone: Phishing attempts often target hierarchical chains of command, so enabling communication at every level ensures a more secure environment.
  6. Have reliable protocols: Adversaries thrive in unclear situations or exceptions. Clear rules and reliable tools empower contact handlers to confidently reject or report issues, fostering assertiveness.

2023 Ransomware Flashcard Black Hat Edition

These cybersecurity precautions will help your organization stay on top of your defenses. 

How to Respond to a Phishing Attack

There are several stages to a phishing attack and at each stage you can take action, especially when there is any uncertainty on whether data has been leaked or a backdoor has been created. Here’s what you can do if you think you are being attacked:

  1. Don’t give personal info: Never ever give private information such as login credentials, card details, bank info, or social security numbers unless you can verify 100% who you are sending it to.
  2. Don’t click or download anything suspicious: Avoid clicking on links, and instead hover over the links to see where they lead. Don’t click on URLs that seem iffy or don’t match the supposed destination. Dangerous file types are .zip, .exe, .htm, .iso, etc.
  3. Report suspicious communications or mishaps: Contact your IT department  in case you may have received any suspicious phone calls, emails, or accidently clicked on a malicious link. They will be able to investigate and alert the rest of your team.
  4. Contact the organization directly: If you received a “phishy” communication from someone impersonating any reputable source, contact the real organization directly and inform them of the situation. They will take measures to inform their clients.
  5. Keep an eye on bank statements: Be on the lookout for possible identity theft.      Monitor any unauthorized activity on your bank or company card statements and     report them.

Recommended Tools for Phishing

There are numerous options when it comes to phishing protection. Many of these tools are available at no cost, or are budget friendly. The following is a list of the basic recommended tools for phishing protection:

  1. Anti-Phishing Add-Ons: Majority of browsers have free downloadable add-ons that can alert you of existing phishing websites and are able to identify signs of a malicious site. 
  2. Ad-Blockers: Pop-up ads are often used with malware linked to attempted phishing attacks. Download browser ad-blocker software to block malicious ads.
  3. Secure Email Gateways and Spam Filters: Spam filters and secure email gateways will analyze incoming emails for undesired and malicious content. They will prevent fraudulent communications from entering the primary inbox. 
  4. Phone Spam and Call Filters: Most phone carriers provide phone spam filters that restrict phishing text messages you receive. A separate inbox can also be created for text messages from unknown senders that aren’t on your contacts list.
  5. Anti-virus, malware, and spyware software: All of these will help identify if something malicious was downloaded onto your computer.

Phishing Incident Response Playbook

The Response Playbook is a quick set of guidelines that organizations can easily adapt to their needs. Paired with a Free Lumu Account, the playbook provides recommended actions for preparation, detection and analysis, containment/eradication & recovery, and post-incident activity.