Put Your Phishing Training to the Test

Phishing is a form of cybercrime in which the attacker poses as a legitimate institution or trustworthy entity in a fraudulent attempt to obtain sensitive information from an intended target. Phishing attacks are a leading threat to information security; according to recent data, 25% of all confirmed data breaches involved phishing.

Phishing is a form of identity theft. The objective of any phishing attack is simple: to get the intended target to reveal personal identifying information, including usernames, passwords, credit card details, banking information, Social Security numbers, and more.

Email phishing is, by far, the most common type of phishing scam. That said, phishing attacks take a number of different forms:

• SMiShing: Also known as SMS phishing, this type of attack uses cell phone text messages as bait to cause the target to divulge sensitive personal information.
• Vishing: A portmanteau of “voice” and “phishing,” vishing refers to any type of phishing attack that uses voice over internet protocol technology to spoof caller ID and convince the target to share personal information or financial details. Vishing scams most commonly appear in the form of a call from the government or the target’s bank.
• Spear Phishing: This refers to any attempts directed at specific individuals, companies, or political organizations. Spear phishing attacks are typically well-crafted and, in some cases, tailored to appear personal to the target.
• Angler Phishing: With angler phishing, the attacker poses as a member of a company’s customer support team on social media in an attempt to lure the intended target to share personal information, including login credentials. Alternatively, the attacker might use a covert redirect to send the target to an alleged customer support page, however, clicking the link automatically installs malware on the target’s computer.
• Clone Phishing: The attacker replicates a previously delivered/received message in order to create a seemingly legitimate communication.
• Pharming: This type of attack redirects traffic from a legitimate website to another, fake website. This involves corruption in DNS server software or the targeting of a local network router.
• Whaling: Whaling refers to the practice of attacking high-profile targets within business. This type of scam is often disguised as a legal subpoena, complaint from a customer or other “executive” issue.
• Content Injection Phishing: This describes a phishing technique in which the attacker changes all or part of the content found within the page of an otherwise reliable website, which is then used to redirect the target to another website designed to obtain their personal information.
• Filter Evasion: Any attempt to avoid anti-phishing filters by using images that contain writing rather than actual text.
• Man-in-the-Middle Phishing: This is a highly sophisticated phishing technique in which the attacker collects personal information by hiding in-between a legitimate website and a phishing system and traces details as they are entered.
• Search Engine Phishing: The attacker directs targets to falsified product websites and steals their personal information as they input their data.
• Tabnabbing: Also known as tabjacking, this type of phishing attack takes advantage of a browser with multiple open tabs and quietly loads and redirects the user to a fraudulent website.

One of the things that makes phishing such a threat is how sophisticated phishing scams can be. Attackers can convincingly mimic any number of trustworthy entities, from your banking institution to your credit card provider — even, in some cases, family and friends.

That said, there are a few key identifiers to help you spot a potential phishing scam:

• Poor spelling and grammar. Phishing emails and other forms of communication often have poor spelling, grammar or incorrectly used idioms because attackers typically live in a different country than the people they’re targeting. If you receive a message from a seemingly legitimate source that’s riddled with spelling and/or grammatical errors, it’s probably an attempted phishing attack.
• Generic salutations. Most legitimate sources will greet you by name, so be wary of any messages that use a generic salutation, especially if they’re trying to offer you something or convince you to take action on something.
• An undue sense of urgency. Whether they’re advertising a limited time offer or threatening account suspension, many phishing attacks are designed to encourage targets to take immediate action. Although it’s best practice to ignore these types of messages, if you’re concerned about a message you received about one of your accounts, it’s in your best interest to contact the provider directly rather than open or reply to the email.
• Unrealistic offers. Phishing scams will often promise something exciting — think a special deal or easy money — in order to entice the target to open the message and click a link. These offers are almost always too good to be true and should be summarily ignored.
• Requests for donation. While some attackers rely on unrealistic offers, others choose to pull on their target’s heartstrings by requesting donations, often in the immediate aftermath of a natural disaster or other major event. It goes without saying that you should always thoroughly vet charitable organizations before donating, as well as donate directly through an organization’s website rather than through a link sent via email, SMS or social media message.
• Hyperlinks. Many attackers will attempt to get you to click a hyperlink, which will install malware onto your computer. This hyperlink may appear as though it is from a legitimate source, though you can typically sort that out by simply hovering over the link to see the actual URL.
• Suspicious attachments. Phishing email attachments generally contain some sort of payload, such as ransomware or a virus, so it’s best practice never to open an email attachment unless you were expecting it.
• Odd hours. If you receive a message from a seemingly legitimate source outside of regular business hours — for example, an email from your bank timestamped at 4 am — odds are it’s a phishing scam.

Attempted phishing scams are inevitable, but that doesn’t mean your business has to face the consequences. There are few things you can do to mitigate — or avoid entirely — the damage caused by phishing attacks:

• Never give out personal information via email or through links found in emails.
• Never share your password(s).
• Trust your gut — if something seems suspicious, it’s better to be safe than sorry.
• Never open unexpected attachments, especially from unknown senders.
• Don’t click on links that seem dubious in nature.
• If you question the legitimacy of a source, follow up with the individual or office that purportedly sent the message.
• Report any phishing scams you encounter to the appropriate authorities.
•  Utilize spam filtering, firewalls and anti-phishing tools and software.
• Use inbound email sandboxing to scan suspicious emails and files for potential threats.
• Stay up to date on the latest phishing techniques and cybersecurity best practices.

For even more tips on how to prevent phishing attacks, please read our blog post on the subject.

In addition to spam filters and phishing detection tools, your employees are one of your first lines of defense against potential phishing scams. That said, without the proper cyber awareness training, an alarming 37.9% of employees fail phishing tests. Therefore, it’s imperative that businesses not only invest in cyber awareness and cybersecurity training for employees, but also teach their employees what to look for when identifying potential phishing attacks and routinely put that knowledge to the test.

Incorporate our phishing test for employees into your phishing training program to help bring your workforce up to speed.

Test Your Knowledge