According to Infoblox's 2023 Global State of Security Report, about 32% of cyber attacks involve phishing. Moreover, phishing reached an all-time high in 2021: APWG's "Phishing Activity Trends Report" recorded more than 300,000 phishing attacks in a single month that year.
What is phishing?
Phishing is a type of cyber-scam in which the attacker impersonates an organisation or person known to the victim in order to obtain confidential data such as passwords, credit card numbers or bank account details. The attacker's aim may also be to get the victim to download a malicious file, or to perform some other action that draws them into further cybercrime. The financial and healthcare sectors have been among the most heavily targeted.
Moreover, according to a Proofpoint report based on a survey of 600 technology security professionals worldwide, in 2021 more than half of successful phishing attacks (54%) resulted in a breach of user data, and 48% resulted in compromised credentials or accounts.
What types of phishing attacks are there?
These attacks can be executed in different ways depending on the attacker’s intentions and the information they wish to obtain:
- Bulk email. Generic mass phishing via email is the most common technique. Cybercriminals impersonate a well-known institution and include fake hyperlinks to lure the user into sharing sensitive data.
- Malicious software. Cybercriminals distribute malware disguised as trusted attachments in emails or SMS messages. If the user opens the file, the device it was run on may be locked (as with ransomware) or private information may be stolen from it.
- Spear-phishing. Whereas bulk phishing is aimed at a broad audience, spear-phishing targets specific individuals. The attacker first gathers information about the target's work, social and family life, typically through social engineering and open sources, and then crafts a personalised email. The personal detail makes the message appear to come from a trustworthy source.
- Smishing. Uses fake text messages (SMS) impersonating well-known companies, with the aim of tricking users into installing malicious software on their phones, sharing private data or sending money to the criminals.
- Vishing. Carried out through phone calls or voice messages. With this strategy the criminals try to trick users by voice into revealing personal or banking data.
Common phishing strategies
Attackers manipulate victims using a technique called social engineering. They design a deceptive communication that replicates the style, logos and tone of the impersonated identity. Moreover, they do not impersonate just any institution: they choose organisations whose messages carry weight with the public or create stress for the recipient, such as banks, tax authorities and delivery companies.
In addition, phishing messages create a sense of urgency, false confidence, fear or even anxiety, so that the victim is easily misled or makes a hasty decision.
What damage can this cause?
As IBM's "Cost of a Data Breach Report 2021" shows, it took organisations on average 213 days to identify a breach that began with phishing. A successful phishing attack can cause serious harm to its victims. Individual users often suffer theft of money, fraudulent credit card charges, loss of valuable photos or videos, theft of confidential files and even identity theft.
At the business level, the risks to organisations include loss of customers, a sharp drop in revenue, loss of credibility, damage to reputation, breach of confidential files, among others.
How to avoid becoming a victim of phishing?
It is important for users to be familiar with this type of scam. To avoid becoming a victim of phishing, one of the first checks is the sender's address before opening any hyperlink or attachment: the display name may say "Bank Security" while the actual address belongs to an unrelated domain, and a Reply-To header may route answers somewhere else entirely. As for the text, phishing messages very commonly contain typos, spelling and grammatical errors, which are far less common in genuine corporate email.
It is also advisable to check where links really lead before clicking: hover over the link to see the actual destination, and compare its domain with the one shown in the link text or with the organisation's real website. Lookalike domains that embed a brand name (for example the brand as a subdomain of an unrelated domain) are a frequent sign of phishing. Similarly, the signature in the footer should be inspected to check whether it matches what the legitimate sender normally includes. If the email contains phrases that provoke fear, manipulation or anxiety, it is usually a clear example of phishing.
Messages requesting personal information or asking for money to resolve an incident should make the user suspicious, as should unsolicited attachments.
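The checks described in this section (sender address versus display name, Reply-To mismatch, link text versus real destination, lookalike and punycode hosts, urgency language) can be automated over a raw email. The script below is an added example written for this article, not code from the original page or from any of the vendors cited; the trusted domain examplebank.com, the two sample messages and the urgency phrase list are constructed for illustration, and the "last two labels" approximation of a registrable domain is a stated simplification.

```python
"""Heuristic phishing indicators for a raw RFC 5322 email (added example).

Assumptions: examplebank.com is the impersonated brand, the sample messages
below are constructed, and registrable() ignores multi-label public suffixes.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that create the urgency and fear the article describes (constructed list).
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended",
                 "verify your account", "unusual activity")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lowercase host of a URL, or of bare text such as 'www.example.com/x'."""
    text = url_or_text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def registrable(host):
    """Last two labels as a crude registrable domain (assumes no suffixes like co.uk)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def looks_like_domain(text):
    """True if the visible link text itself looks like a URL or host name."""
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text.strip(), re.I) is not None


def link_findings(href, text, trusted_domain):
    """Indicators for one hyperlink: punycode host, link text naming a different
    domain than the href, and hosts embedding the brand without being the brand."""
    findings = []
    host = host_of(href)
    brand = trusted_domain.split(".")[0].lower()
    if host.startswith("xn--") or ".xn--" in host:
        findings.append(f"punycode host in link: {host}")
    if looks_like_domain(text) and registrable(host_of(text)) != registrable(host):
        findings.append(f"link text shows {host_of(text)} but points to {host}")
    if brand in host and registrable(host) != trusted_domain.lower():
        findings.append(f"lookalike host {host} embeds '{brand}' but is not {trusted_domain}")
    return findings


def phishing_indicators(raw_message, trusted_domain):
    """Return human-readable indicators found in raw_message for the given brand domain."""
    msg = message_from_string(raw_message, policy=policy.default)
    trusted = trusted_domain.lower()
    brand = trusted.split(".")[0]
    findings = []

    # 1. Display name claims the brand while the real address is elsewhere.
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = registrable(addr.rsplit("@", 1)[-1].lower()) if "@" in addr else ""
    if brand in name.lower() and from_dom != trusted:
        findings.append(f"display name '{name}' but sender address is {addr}")

    # 2. Replies silently routed to a different domain.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if "@" in reply:
        reply_dom = registrable(reply.rsplit("@", 1)[-1].lower())
        if reply_dom != from_dom:
            findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Hyperlinks: where they really go versus what they show.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    collector = _LinkCollector()
    collector.feed(content)
    for href, text in collector.links:
        findings.extend(link_findings(href, text, trusted))

    # 4. Urgency and fear language in subject and body.
    plain = (str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", content)).lower()
    hits = [t for t in URGENCY_TERMS if t in plain]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail); examplebank.com is the impersonated brand.
SUSPICIOUS = """\
From: ExampleBank Security <alerts@mail-examplebank-verify.net>
Reply-To: support@recovery-desk.example
To: customer@example.org
Subject: Urgent: unusual activity on your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Verify your account within 24 hours or it will be suspended.</p>
<p><a href="http://examplebank.com.secure-login.example/verify">https://www.examplebank.com/login</a></p>
</body></html>
"""

LEGITIMATE = """\
From: ExampleBank <statements@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is available.
<a href="https://www.examplebank.com/statements">View statement</a></p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, phishing_indicators(raw, "examplebank.com"))
```

Running the script reports five indicators for the constructed suspicious message and none for the legitimate one. The heuristics are deliberately simple: a real mail gateway would also evaluate SPF, DKIM and DMARC results and use a public suffix list instead of the two-label approximation, but the script shows the same checks a user is asked to perform by eye.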