Phishing has become a dominant form of cyberattack. The pandemic saw an immediate 52% spike in phishing when most of our lives – both personal and professional – shifted online. And now, according to Cisco’s 2021 Cybersecurity Threat Trends report, it accounts for 90% of data breaches.
Small businesses are a frequent target for phishing attacks. For one, owners often do not have the budget to invest in a great deal of cybersecurity and training. And, as we recently discussed with expert Mike Storm, the data from small businesses is just as valuable as the data from major corporations. These two factors make small businesses the perfect target.
Phishing accounts for 90% of data breachesSOURCE: Cisco
Phishing is extremely effective because it targets the weakest link in the security chain – the user. In fact, Cisco discovered that 86% of organizations had at least one user fall victim to phishing. As a result, the FBI’s Internet Crime Complaint Center reports that over $44 million was stolen from U.S. businesses via phishing in 2021. The fact that criminals can make millions of dollars so easily means that phishing techniques will only continue to evolve so they can come back for more.
Because these cyberattacks are such a danger for small businesses, we help you identify 10 different forms of phishing, some serious red flags, and offer tips to protect you and your business.
What is phishing?
Phishing is a modern fraud technique where criminals send messages or make calls pretending to be a legitimate person or organization. The criminals usually have one of two objectives. One is to trick you into sharing sensitive personal information, such as passwords or Social Security numbers. Another objective is to get you to click on a link or open an attachment; either action will download malware onto your device or take you to a malicious website. In both cases, the criminals then can get access to your various accounts – from email to financial – and steal even more of your personal information.
Types of phishing
One of the best ways to fight phishing is to recognize the variety of techniques criminals use to get your personal and financial information. Here are 10 of the most common.
With 96% of attacks arriving via email (per Verizon’s 2022 Data Breach Investigations Report), it is by far the most popular of all the phishing methods. Criminals register fake domains in order to impersonate real companies and then send out mass emails to thousands of targets. Even one response is a success.
PROTECTION: Always double-check the sender’s email address. Also look for any inconsistencies or irregularities in the message, including misspelled words, before you consider responding.
Clone phishing is when a criminal duplicates a legitimate email you have received from a business and then adds a malicious link or attachment. The cloned email may include something in the subject line like “sending this again” or “email delivery failure” to try and add to its legitimacy.
In addition, you might see the cloned email come from a slightly different address. For example, the real email may come from email@example.com whereas the criminal would follow with one from firstname.lastname@example.org. Note that a zero was used instead of the “o” in “support” and it was lacking the “m” in dot com.
PROTECTION: Any duplicate email should be a red flag. Carefully examine the sender’s email address and consider the request before doing anything with the message.
96% of phishing attacks arrive via emailSOURCE: Verizon
Spear phishing is email phishing with a specific target. Rather than sending an email to thousands of users hoping to catch one who clicks on the malicious link or attachment, spear phishing targets an individual or set of individuals with access into an organization. Criminals might focus on employees within the HR or IT departments, for example. This method has really risen in popularity; cybersecurity software company Symantec reports spear phishing now accounts for 65% of email attacks.
PROTECTION: Make sure you know the sender of the email and double-check the email address. Since it’s a person within your organization, you can always call them on the phone to confirm that an email was sent.
Whaling is an even more focused email attack than spear phishing. Whaling only targets “high value” individuals, such as those on the leadership team of a business. Criminals will pretend to be other senior executives in order to get the targets to respond and divulge sensitive information.
It doesn’t stop there. Once the criminals get access to the whaling target, they can then use the legitimate account to spear phish other colleagues and employees without arousing suspicion.
PROTECTION: Once again, if any email seems suspicious, reach out to the supposed sender directly. Do not respond to that particular email.
Smishing is a form of phishing that is done via short message services (SMS) – aka text – rather than email. Criminals will use the same kind of scare tactics as seen in email, such as messages that seem like they’re from your bank, utility company, government, and so on.
On the flip side, smishing may also include messages saying you’ve won something. In any case, it’s to convince you to click on a malicious link that will either download malware onto your phone or take you to a fraudulent website to steal your personal information.
PROTECTION: Never click on a link in a text from an unknown phone number, even if it seems like it’s from a company you know. If there’s allegedly an issue on one of your accounts, go directly to the source to confirm rather than through any link in the text message.
Vishing, or voice phishing, is where criminals try to get your valuable personal information over the phone. They often try to scare you into speaking with them by claiming to be from the Internal Revenue Service, credit card company, or law firm, for example. The messaging could be that your account is compromised or a bill needs to be paid immediately.
Vishing is being used more and more. In a Statista survey of IT professionals, 70% of respondents reported encountering a vishing attack in 2021.
PROTECTION: Do not answer an unknown phone number. Most phones now identify if the call comes from a number that’s likely a scam, which is a huge help. If you do answer, hang up on any suspicious call. And if you sense it might be legitimate, find the company’s official phone number and call them directly.
Social media phishing
Social media phishing is an attack that takes place on platforms like Facebook, Twitter, and Instagram. Criminals send a direct message (DM) with a link that usually takes you to a malicious website. Many times this type of phishing tries to entice you with news that you’ve won a prize. Or it might be an offer to be an ambassador for your favorite brand in exchange for free products or discounts.
PROTECTION: If you receive an unsolicited DM, especially from a suspicious account, do not respond in any way. Report it as spam (which will delete the message) and block the sender.
Angler phishing is an attack in which a criminal pretends to be a customer service agent on social media. The goal, as with other phishing methods, is to try and get your valuable personal information. In addition, they may try to infect your phone or computer with malware.
Criminals find targets from those who ask questions on a brand’s official account or related support account, such as airlines, telephone carriers, and utility companies. Criminals create profiles that closely resemble a company’s official account and start responding to legitimate questions from their phishing account. It’s an extremely effective way to attack because consumers are primed to receive some kind of response.
PROTECTION: Before responding or clicking any link, make sure the message is coming from an official account. You can do this by going to the company’s website and finding the direct links to their social media pages. Better yet, if you’ve received a suspicious response, take it off social media and go directly to the company through your own path.
A common form of phishing is an attack using pop-up ads. In fact, according to Cisco’s analysis of cybersecurity threat trends, 70% of organizations had users that were served malicious ads. Fake virus alerts and other forms of scareware are among the most effective types of ads. Though the pop-up may advertise the ability to download anti-virus software, the irony is that clicking the ad actually downloads malware to steal information from your phone, tablet, or computer.
70% of organizations had users that were served malicious adsSOURCE: Cisco
PROTECTION: Make sure your pop-up blocker is on and never click on any windows that appear while you’re browsing online.
In addition, experts recommend that you avoid shopping through a browser search. Google reported it removed 3.4 million malicious ads last year, including pop ups, but they can’t catch them all. Criminals now pay to promote their ads; some even appear ahead of legitimate company sites in search. Start bookmarking your favorite shopping sites so you know they are safe.
Watering hole phishing
Watering hole phishing now accounts for 23% of all targeted attacks, according to Symantec. In this scenario, a criminal compromises a website that is used by a group of people, such as a corporate site that’s central to employees. Once the criminal gains access to the site, he can infect it with malware and acquire the personal information of anyone who visits.
PROTECTION: Install anti-virus software that can give you additional security while visiting sites online. In addition, make sure to report any unusual behavior when visiting company pages.
Phishing red flags
In our interview with Cisco cybersecurity expert Mike Storm, we discussed some of the red flags that indicate when something is phish-y. They included:
- Did the email, text, or phone call come out of the blue?
- Is the person asking for personal information?
- Is the person asking about something financial?
In addition, here are some general subjects to be wary of when you receive them via email, text, or phone call:
- Need to reset your password (when you did not request it)
- Suspicious activity on your account
- Problem with your account or payment information
- Confirm your personal or financial information
- Overdue bill requiring an immediate payment
- Action needed to receive a refund
How to protect your business against phishing
We mentioned ways to protect yourself against each of the specific phishing techniques above, but here are some additional tips.
First and foremost, adhere to a policy of “zero trust.” Don’t trust anyone or anything. Assume that everything you receive is compromised and do the extra work to confirm its authenticity.
Think before you click
The key to phishing is user error. It relies on human nature and the kind of quick click reaction we’ve developed over the years. Learn to modify your behavior so that you no longer jump to click on a link, attachment, or ad regardless of where it presents itself. Read the message thoroughly and avoid anything that seems too good to be true.
You must double-check the source of every questionable message – whether email, text, or phone – and take the extra step of going directly to the source. If the message claims to be from Bank of America, then go directly to Bank of America’s official website to inquire about the message you’ve received. Does that seem inconvenient? It’s never inconvenient if it prevents you from being hacked.
Keep in mind we’ve only discussed some of the techniques being used today and these techniques are ever-evolving. Training is essential – both in the form of lessons as well as real-world examples to test you and your employees. If you’re a small business owner without official cybersecurity training in place, you can still follow an expert like Mike Storm and his Unhackable podcast. Experts will keep you in the know of what’s going on today and what to look out for tomorrow.
For even more ways to stay safe, read our blog on 6 steps to staying safe in the cloud. These include multi-factor authentication (MFA) and how to structure the strongest possible passwords.
Meraki Go is your partner in cybersecurity and we want to make it easy to protect your network. Everything can be managed through our mobile app and web portal, so checking your business’ WiFi usage, troubleshooting and making needed changes, and staying up-to-date on security is always at your fingertips.
All of our devices include built-in business-grade security from Cisco. You can block suspicious websites and the automatic security updates help you stay ahead of the latest cyber threats. The Router Firewall Plus also features client and site-to-site VPN. In addition, the optional Cisco Umbrella Security license provides even more protection such as interactive threat intelligence and cloud malware detection. We’re here to protect your network and help your business grow.
Cisco Cybersecurity Threat Trends report (2021)
FBI’s Internet Crime Complaint Center (IC3)
Small Business Trends
U.S. Federal Trade Commission
Verizon Data Breach Investigations report (2022)