What is Phishing and How to Defend Against it?

Despite the humorous name, however, phishing can have some pretty serious consequences for businesses if left undetected. From data breaches and identity theft to financial losses and reputational damage, a successful phishing attack can bring even the strongest business to its knees.

In this blog, we investigate what phishing is, how it works, and how your business can best defend itself against this form of cyber attack.

What is phishing?

‘Phishing’ refers to a specific method used by cybercriminals to trick individuals into divulging sensitive or important information by sending fraudulent messages pretending to be someone else. Anything from financial data and classified information to private passwords is at risk from this form of cyber attack — essentially, anything that will give a malicious outsider a ‘way in’ to a business. 

This is where the term “phishing” initially came from as this method of cyberattack essentially ‘fishes’ for sensitive information, passwords, and usernames from a sea of users — with only a few successes among many attempts.

This method involves an individual (the cybercriminal) posing as a trustworthy or well-known individual or stakeholder in order to gain the trust of their victim or victims. Usually, attackers pose as a company CEO, a bank, or a similar reputable organisation. 

How does phishing work?

Phishing involves the creation and circulation of fraudulent emails and/or messages to a business or person pretending to be someone known to them. The hope is that the receiver will fall victim to the social engineering techniques in the email and share the information or click on a link that downloads malware or a virus onto the computer to steal data.

Social engineering & phishing

The reason phishing is so effective is its leveraging of social engineering in a cybercrime context. Social engineering refers to the use of deception tactics to manipulate individuals into giving out their information for fraudulent or criminal purposes. 

Phishing attempts utilise social engineering to gain the information needed to do damage to a company — such as gaining access to its systems or banking accounts. The individuals responsible for the phishing attempt usually create a false sense of urgency in order to coax information out of their victims. At a basic level, a simple phishing email might look something like this:

“Hi, it’s me [insert name of someone the victim knows], I’ve been locked out of [insert company system], can you share the details with me again?”

The future of phishing

Just as cybersecurity is evolving, so are the methods of cybercriminals. Now, thanks to advancements in things such as artificial intelligence, cybercriminals are able to produce increasingly convincing phishing emails. For example:

• Deepfake technology can make it look like someone at a company has sent a video of themselves asking for sensitive information or doing something compromising that could be used as blackmail.
• Generative AI tools that help with writing can be used to enhance the content of phishing emails to make even long-term, well-educated employees fall victim to them.

So, now more than ever, it is essential that businesses arm themselves against phishing attempts — understanding what they are, how sophisticated they can be, and (most importantly) how to protect themselves against them. 

More on AI & cybersecurity

The different types of phishing

Before we launch into how your business can defend itself against this ever-developing form of cybercrime, it’s a good idea to get to know it in its many forms first. 

So, below, we have detailed the most common types of phishing attacks to help you know what you're dealing with and spot even the most subtle of attempts.

Spear phishing

Phishing itself, we’ve covered, refers to a broader umbrella term of using fraudulent material, social engineering, and posturing to obtain sensitive information.

Spear phishing is a much more targeted form of attack. Under this method, a particular group of individuals — such as employees of the same company or residents in a certain area — are targeted. 

Vishing 

This method of phishing is conducted through voice calls — hence the “v” instead of the “ph”. This is where an attacker will obtain a targeted list of phone numbers (or call at random) and ring individuals pretending to be someone else in order to gain their sensitive data, credit card information, and so on. 

One of the most common vishing forms is someone saying they are calling from a corporation like “Microsoft” to inform businesses or individuals that they have detected a virus on your computer and need credit card details to install an antivirus program. 

If successful, the attacker not only has your details and access to your bank, but they also likely have installed malware onto your computer that can steal yet more data. 

Smishing 

Another clever name, smishing is a type of phishing attack that uses text messaging or short message service (SMS) as its method — hence the name.

This usually relies upon individuals clicking a link or replying to an SMS message with valuable data. As such, it often involves criminals posing as a banking company with the excuse that your account has been compromised and requires re-verification of your details and so on. If completed successfully, the attacker can gain access to your bank account, locking you out — all thanks to a simple text.

Whaling

Finally, we have whaling. Similarly to spear phishing, this is a specific targeted attack — but, as the name suggests, it’s exclusively aimed at bigger fish.

Whaling is when cybercriminals use phishing to go after high-profile individuals, for example, CEOs, CFOs, or any directors of a company. Usually, this takes the form of a fraudulent legal threat facing the company in an attempt to get them to take action, click a link, input their details, or share the email with other members of their team. 

Often, the links are infected with malware and direct the victim to a page that further damages their computer. The stakes are high with this method, but the payoff is big as, if successful, the attacker now has direct access to the data of the most important person(s) in a business and can use this to their advantage.

Protecting your business from phishing

So, how can you make sure that your business doesn’t fall victim to phishing attempts? 

Recognising phishing attempts 

So, now that you know what phishing is, how can your business stay safe? One of the most important things is to know what to look for. Since phishing almost always relies on external messages or emails being sent to you or your employees, your entire workforce must be educated on what to be aware of. 

Here are just a few of the red flags to keep an eye out for to avoid becoming a victim to phishing emails or texts:

• Unexpected emails from unknown senders
• Mismatched or ‘dodgy’ URLs
• Grammatical errors and spelling mistakes in emails 
• Unusual font choices and font colours
• Large attachments or images you weren’t expecting
• Generic greetings that don’t match what you’d usually receive 
• ‘Pressure tactics’ that try to evoke a sense of urgency. Would the CEO really ask you for data via email immediately? 
• Requests for personal information or data the real sender would already have access to via password sharers.

Staff cybersecurity training

Phishing is a form of cyberattack that targets individuals and preys upon human error. So, in order to keep your business safe, you need to educate the humans who work there. According to IBM, over 95% of cybersecurity incidents originate in human error, illustrating how essential staff training truly is to business integrity. 

Make sure your staff understand the importance of cybersecurity. Can they identify phishing emails? Do they know how to report and escalate any phishing-related issues they may come across? Are they briefed not to click suspicious links or input sensitive data? 

On a wider level, does your business undergo regular staff training to ensure high levels of cybersecurity competence and digital literacy despite team changes? Read another of our blogs to find out more about cybersecurity awareness training. 

Cybersecurity improvements 

Going hand in hand with staff training comes the actual bolstering of your organisation’s digital infrastructure to protect it from phishing attacks. 

Ask yourself the following questions about your business. If the answer to any is “no”, then there is more you could be doing by means of cyber defence for this method of attack. 

• Are your software and security systems updated?
• Do you use strong, unique passwords?
• Do you use two-factor authentication?
• Do you invest in and use email filtering tools that can send suspicious emails to spam?
• Do you have an in-company verification process for requesting sensitive information?
• Do you have an up-to-date GDPR policy that all of your staff are aware of?
• Do you regularly monitor the security of financial accounts and personal data?
• Have you performed penetration testing? (This is a mock cyberattack to see how far a cybercriminal or malware would get into your system)
• Do you have antivirus software and firewalls installed?
• Have you looked into phishing simulation tools?
• Do you have advanced threat protection solutions?

Need help with your IT security?

Need help navigating the intricacies of phishing? Keen to learn more about this method of cyber attack so that you can better protect your business? Contact our team of experts to find out how our managed IT support and security services can help you.

And, in the meantime, jog your memory on GDPR and cybersecurity best practices over on the ITRM blog.