Phishing emails can steal sensitive data and cost companies' their reputation. However, protecting a company from these scammers doesn't need to be difficult.
What Is Email Phishing?
Phishing is when an attacker mimics a trusted person or brand in an attempt to steal sensitive information, or gain a foothold inside a company network. While phishing emails are by far the most popular, these attacks can also be sent through text message, social media, and even phone calls.
What Do Phishing Emails Do?
Phishing emails are a social engineering attack used to steal your personal information like passwords or credit card numbers. The victim receives an email appearing to be from a trusted company but which is actually from an imposter.
These malicious messages are crafted with the goal of the recipient clicking on a link or email attachment that contains malware. Phishing links often redirect to fake login pages that look very similar to legitimate websites. If the victim enters their real login information into the site, the attacker will have a copy of those credentials for themselves.
Email attachments work in a similar fashion, but install malware directly on the PC that tried to open the file. This malware can silently collect data and keystrokes and then send this information back to the attacker. This presents an even more dangerous situation where now the attacker can attempt to move further into the network, or create backdoor access to reinfect the network later.
4 Types of Phishing Emails
Not all phishing attempts are created equal. While most fraudulent messages are sent indiscriminately, some are carefully crafted to look as real as possible. Let’s take a few phishing email examples.
General email phishing is the most common type of attack you’ll see. It's estimated that nearly three billion phishing messages are sent every day, with a majority of those messages being sent in massive waves to thousands of recipients.
These attacks often impersonate well-known brands, and disguise themselves as shipping updates, password reset requests, and overdue invoice notices from fictitious companies.
Spear phishing emails use a much more targeted approach to trick their victims by using company specific information to make their messages even more believable. Information such as phone numbers, email signatures, and staff names are used in these attacks to appear as legitimate as possible. Attackers spend time collecting this information on websites, and sometimes stealing it from other email addresses that have been compromised.
Another common technique is for the attacker to use a cousin domain to send their messages from. For example, if the attacker was targeting Microsoft.com, they would register “Micosoft.com” and send their emails from that domain. When combined with other targeted information spear phishing emails can be tough to spot.
Whaling phishing is very similar to spear phishing, but goes an extra step further by targeting specific high level staff within an organization. The goal of whaling is to impersonate a C-level executive and use that authority to pressure staff members into sending sensitive information.
Phishing attacks that use this strategy often target other high level members within a company, putting sensitive information that most staff members don’t have access to at risk. Scams commonly ask for tax information, financial documents, or even wire transfers during whaling attacks.
Business Email Compromise (BEC) is a targeted attack that focuses on companies who frequently conduct wire transfers and have global partnerships. Attackers use keyloggers, spoofed domains, and phishing attacks with the primary goals of tricking the victim into wiring money into the attackers account.
"How to Protect Against Advanced Email Threats"
Common Signs of Spoofing & Phishing
Fraudulent emails can be tough to spot, but if you know where to look, identifying them gets a lot easier. While it’s better to prevent phishing in the first place, here’s what to look for when trying to identify a phishing email.