If you have an email account, odds are you’ve received a phishing message in your inbox before. To get your attention, phishing attacks use emails designed to look like urgent messages from banks, credit card companies — even government agencies. For instance, scammers will send emails with subject lines like “Verify your account” or “Confirm billing information” to lure people to phony websites that look similar to the real sites of the company they’re impersonating.
But phishing risks are no longer limited to a sketchy message in your email inbox — there are many different types of phishing that put your organization’s sensitive data at risk.
What is phishing?
Phishing is a type of cybercrime that tricks users into clicking on a malicious link. The malicious link may come in an email, SMS message, or even a voice message, and once clicked, it takes users to a website that may look authentic — but it isn’t. If a user enters personal information or sensitive company data on the website, attackers can use it however they want.
In the past few years, phishing scams have become much more sophisticated. Threat actors use clever social engineering to convince you of their legitimacy, and they often target specific individuals within an organization. And because phishing focuses on compromising a user’s account, it’s one of the preferred methods to kick-start an advanced attack, with the ultimate goal of stealing sensitive data.
The proliferation of personal mobile devices in the workplace has also raised the stakes. Lookout’s recent Global State of Mobile Phishing Report found that the maximum financial impact of a successful mobile phishing attack rose to nearly $4 million for large organizations in 2022.
With attacks coming from so many different directions, it’s important to be aware of all types of phishing your organization could be facing and the consequences of these attacks.
Types of phishing risks
Phishing comes in many different forms. In order to keep your organization’s data secure from scams, you and your users need to be able to recognize all different types of phishing attacks regardless of where or how they’re delivered.
Business email compromise (BEC)
Business email compromise (BEC) is a classic type of phishing that's perpetrated through email, one of the traditional communications channels for business and individuals. Typically, a threat actor will send an "urgent" email to someone in a business with access to financials, often impersonating a high-ranking executive, and request a time-sensitive payment. If one person takes the bait, it can mean huge losses for an organization and a big win for threat actors.
While many employees are aware of the possibility of being phished via email, the proliferation of mobile devices has made it harder for many people to root out BEC scams. Mobile email apps often limit previews of hyperlinks and email addresses, meaning it's more difficult to spot a suspicious website or sender.
SMS phishing (smishing)
Phishing doesn't stop at bogus emails. SMS phishing, or smishing, is when attackers send a fraudulent SMS message to users in an effort to gain access to sensitive information. These attacks are on the rise because of the increased adoption of mobile devices, since a user's identity is now closely tied to their smartphone or tablet.
Smishing attacks often target the authentication workflow used by many organizations. With multi-factor authentication becoming so common, most people receive multiple SMS messages a day asking them to validate their identity. But it's easy for attackers to mimic these messages and ask for a fake "authentication" that actually gives them control of your account.
QR code phishing (quishing)
These days, QR codes are everywhere — restaurant menus, business cards, product packaging — but they are also a potent type of phishing attack. QR code phishing, or quishing, has become a highly effective way for threat actors to steal your sensitive data. All they have to do is embed a malicious URL into the QR code, and as soon as you scan with your phone, they can steal login credentials or install malware.
A physical display with a legitimate QR code on it can be easily covered up by a nefarious one, and because of the visual nature of the codes, it’s very difficult for users to spot a malicious URL.
Voice phishing (vishing)
Voice phishing, also known as vishing, is when threat actors use phone calls to try and get you to give up your sensitive information. This is a relatively new type of phishing that took off during the pandemic.
Attackers typically use Voice over Internet Protocol, or VoIP, to spoof a phone number and pretend to be an organization or person you recognize. Vishing relies heavily on social engineering to convince you to give up information, and it’s particularly dangerous because traditional security measures like VPNs and multi-factor authentication can’t prevent these attacks.
HTTPS phishing
When a website has an SSL certificate, it means that the identity of the website has been certified and website traffic is encrypted. Users can recognize these sites by the presence of “HTTPS” prefixing the URL and a padlock icon in the status bar. But threat actors have begun using SSL certificates to give users a false sense of security in a type of phishing attack known as HTTPS phishing.
Since there is no authority governing the creation of HTTPS sites, it’s easy for hackers to register a site with an SSL certificate, and because the site has the HTTPS prefix and padlock icon, users feel comfortable entering things like login credentials or financial information.
How to prevent phishing
Recognizing and preventing all types of phishing attacks requires a holistic approach that includes both tools and training.
Employee education
The best defense is a good offense, and one of the best ways to prevent phishing attacks from causing harm to your organization is training employees to recognize phishing when they see it. Phishing emails often look like they are coming from a legitimate source, but when inspected closely, elements like a suspicious email address or hyperlink give them away as scams. They also need to be aware that not all phishing attacks come from email or are aimed at desktop computers.
On mobile, a phishing attempt might come in the form of a multi-factor authentication notice. Users should be wary of any authentication request received when they aren’t trying to sign into their accounts. Other red flags are authentication requests that arrive from odd locations or in the middle of the night. Mobile devices also have countless apps installed, and any of them with a communications functionality is a potential channel for phishing, whether it’s social media platforms, messaging apps, or even dating apps.
Users should also be trained to let internal IT and security teams know when they’ve encountered a suspected phishing attempt so those teams can make others aware of the inbound attacks.
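As an added illustration of the mobile red flags described above (this is not code from the original post or from Lookout), the following script scans a constructed MFA push log and flags prompts that have no matching sign-in by the user, arrive in the middle of the night, or come from an unfamiliar location. The log format, the matching window, the night-time hours and the per-user baseline locations are all assumptions.

```python
"""Flag MFA push prompts that trip one of the red flags: no sign-in started
by the user, delivery in the middle of the night, or an unfamiliar location.
The log lines and the user baselines below are constructed for this example."""
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <event> user=<id> loc=<country>"
SAMPLE_LOG = """\
2024-03-04T09:02:10 SIGNIN_START user=alice loc=US
2024-03-04T09:02:14 MFA_PROMPT user=alice loc=US
2024-03-04T03:17:40 MFA_PROMPT user=bob loc=US
2024-03-04T14:30:05 MFA_PROMPT user=carol loc=BR
2024-03-04T14:29:58 SIGNIN_START user=carol loc=BR
"""
USUAL_LOCATION = {"alice": "US", "bob": "US", "carol": "US"}  # constructed baseline
MATCH_WINDOW = timedelta(seconds=30)  # assumed max delay between sign-in and prompt
NIGHT_HOURS = range(0, 6)  # 00:00-05:59 local time counts as "middle of the night"


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": datetime.fromisoformat(ts), "event": event, **kv})
    return events


def flag_prompts(events):
    """Return {user: [reasons]} for every MFA_PROMPT that trips a red flag."""
    signins = [e for e in events if e["event"] == "SIGNIN_START"]
    findings = {}
    for e in events:
        if e["event"] != "MFA_PROMPT":
            continue
        reasons = []
        # Red flag 1: the user did not start a sign-in shortly before the prompt.
        matched = any(
            s["user"] == e["user"] and timedelta(0) <= e["ts"] - s["ts"] <= MATCH_WINDOW
            for s in signins
        )
        if not matched:
            reasons.append("no matching sign-in")
        # Red flag 2: the prompt was delivered in the middle of the night.
        if e["ts"].hour in NIGHT_HOURS:
            reasons.append("night-time prompt")
        # Red flag 3: the prompt comes from a location the user does not normally use.
        if e["loc"] != USUAL_LOCATION.get(e["user"]):
            reasons.append("unusual location")
        if reasons:
            findings.setdefault(e["user"], []).extend(reasons)
    return findings
```

Flagged prompts are the ones users should report to IT and security teams rather than approve.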
Secure web gateway (SWG)
With phishing threats coming from all corners of the internet, a next-generation secure web gateway (SWG) is critical for staying protected. An SWG uses URL filtering, SSL inspection, advanced threat defense, and malware protection to defend against threats like phishing. It's essentially a checkpoint that ensures users are accessing the internet safely.
The best SWG solution will monitor internet traffic in real time and block malicious URLs, which means that if a user clicks on a known phishing link, they'll be prevented from reaching it. Your SWG should also have built-in data loss prevention (DLP) to stop users from entering sensitive data into a malicious site.
Mobile threat defense (MTD)
Many employees now use their own mobile devices for work tasks, so you need a defense against all types of phishing that extends to both managed and unmanaged devices. A robust mobile threat defense (MTD) solution should have advanced anti-phishing capabilities that monitor web requests, compare them against a list of known phishing sites, and prevent users from reaching those sites. It should also be able to recognize what phishing attacks look like and block malicious URLs even when they’re brand new.
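An added example (not Lookout's engine and not code from the original post) of how an SWG or MTD anti-phishing check can combine a known-phishing list, which catches URLs that have already been reported, with heuristics that catch brand-new look-alike domains. The blocklist, the protected brand domains and the sample URLs are constructed; the "last two labels" approximation of a registrable domain is an assumption that is good enough only for these samples.

```python
"""Score a web request the way an anti-phishing engine might: a known-phishing
list catches previously seen URLs, heuristics catch look-alikes that have
never been reported. Lists and sample URLs are constructed for this example."""
import ipaddress
from urllib.parse import urlsplit

KNOWN_PHISHING = {"login-verify-account.example"}        # constructed blocklist
PROTECTED_BRANDS = ("examplebank.com", "lookout.com")    # constructed list of real brand domains


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of the host (an assumption; fine for the constructed samples)."""
    return ".".join(host.split(".")[-2:])


def assess_url(url):
    """Return a list of reasons to block the URL; an empty list means allow."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in KNOWN_PHISHING:                      # exact match against the known list
        reasons.append("known phishing site")
    if "@" in parts.netloc:                         # "user@host" hides the real host
        reasons.append("credentials in URL hide the real host")
    try:
        ipaddress.ip_address(host)                  # raw IP instead of a hostname
        reasons.append("IP address instead of a hostname")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homoglyph)")
    base = registrable(host)
    for brand in PROTECTED_BRANDS:
        if host == brand or host.endswith("." + brand):
            break                                   # genuinely the brand's own domain
        if 0 < edit_distance(base, brand) <= 2:     # e.g. examp1ebank.com
            reasons.append(f"look-alike of {brand}")
        elif brand.split(".")[0] in host.split("."):  # e.g. examplebank.com.evil.example
            reasons.append(f"{brand} name embedded in another domain")
    return reasons
```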
Endpoint detection and response (EDR)
Endpoint detection and response (EDR) solutions look for patterns in phishing attacks to determine whether an attack is happening and can conduct forensic investigations into incidents. EDR is designed to detect targeted cyberattacks and prevent data breaches. Many EDR solutions are designed for desktop and laptop endpoints. But mobile phones frequently have access to the same data as desktops and laptops, so it’s critical to use a comprehensive EDR solution that also encompasses mobile devices.
The impact of phishing attacks
Phishing attacks are often just the tip of a spear for more advanced cyberattacks. Threat actors and advanced persistent threat (APT) cyber espionage groups often use phishing as a means to distribute spyware or conduct surveillance campaigns.
Attackers can steal credentials and take over legitimate accounts, where they can raise their access privileges or move laterally to other parts of your organization. Ultimately the goal is to identify and steal sensitive data and intellectual property, disrupt operations, and wreak havoc on regulatory compliance efforts.
And while many threat actors are getting more sophisticated, it’s also become easier than ever for attackers to perpetrate a phishing attack. Some attackers are now using malware as a service to supercharge their attacks. These inexpensive and easy-to-use kits make it simple for anyone to perpetrate a phishing attack.
Blog courtesy of Lookout. See more Lookout blogs and news here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.