5 Common Phishing Attacks and How to Avoid Them

Geraldine Strawbridge

It’s been hard to ignore the explosive growth in phishing attacks over the last year. Attacks have increased by 718%, and according to Microsoft’s Security Intelligence Report, phishing has now become the biggest cyber threat worldwide.

We all like to think we’d be able to spot a dodgy phishing email, but the reality is these types of attacks have become so devious and sophisticated that it can be hard to distinguish a genuine email from a carefully crafted fake one.

While email remains the number one attack method, cybercriminals will also target victims with malicious attachments, compromised credentials, instant messages, malicious URLs, and spoofed websites.

Whether you are a small business or a large corporation, phishing is one of the most dangerous and vicious threats that you need to prepare for.

To help you defend against these types of attacks, we’ve put together a guide that highlights five of the most common phishing attacks and how you can avoid them.

Top 5 Phishing Attacks

1. Email Phishing

Email phishing is the most common type of phishing attack and has rapidly evolved since the days of the infamous ‘Nigerian Prince Scam’. The phishing emails that we’re seeing today are sophisticated, targeted, and increasingly difficult to spot. In fact, according to a study by Intel, 97% of users are unable to differentiate a phishing email from a real one.

Fraudsters go to great lengths to disguise their emails as genuine messages from spoofed organisations. By using fake domains and carefully replicating the same language, logos, and branding used in official company correspondence, crooks can trick users into thinking they are receiving legitimate emails from a trusted sender. The emails often include links or attachments that will steal personal information or infect a device with malware once opened.

2. Spear Phishing

Spear Phishing is one of the most dangerous types of phishing attacks, and unfortunately, one of the most difficult to detect. It’s behind 91% of all cyber attacks worldwide, and in contrast to the mass email phishing approach, spear phishing is highly personalised and targeted. Attackers will spend a lot of time researching their victims to make any emails seem as authentic as possible.

By trawling social media sites, search engines, and company websites, attackers can gain valuable knowledge that will help create a credible narrative. Once they have a better understanding of their target, they’ll start to send personalised emails designed to trick their victim into divulging sensitive information. The user may also be prompted to click on a malicious link or directed to a website that contains advertisements or keylogging software.

3. Vishing

Vishing is a combination of the words voice and phishing and refers to phishing attacks that take place over the phone. In a typical scenario, fraudsters will impersonate a bank employee to flag up suspicious behaviour on a user’s account. They’ll often create a sense of urgency and inform the victim that someone has tried to steal their identity or fraudulently access funds in their account.

The call may be made through a spoofed ID, so it looks like it’s coming from a trustworthy source. Another tactic is to play background noise to trick the victim into thinking that the call is being made from a busy call centre. Once they’ve gained their victim’s trust, they’ll ask them to hand over personal login details, transfer funds into a holding account, or secretly install spyware on their device.

4. Smishing

Smishing is essentially any type of phishing that involves a text message. It’s often very effective as people tend to be more trusting of a text message than they would be of an email. This makes it the ideal platform to scam victims.

As is the case with other types of phishing attacks, the aim is to trick the recipient into disclosing sensitive information such as account details, credit card details, or usernames and passwords. The victim may also be asked to click on a malicious link.

5. Business Email Compromise

Business Email Compromise (BEC) is a type of phishing attack that specifically targets businesses. Attacks have skyrocketed within the last year and global losses due to BEC have now exceeded $26 billion. Cybercriminals will impersonate a high-level executive to convince an employee, customer, or vendor to transfer money to a fraudulent account or disclose sensitive information. Typically, attackers will compromise the email account of a senior executive by exploiting an existing infection or through a targeted spear phishing attack.

Once the account has been compromised, criminals will lurk in the background, closely monitoring activity, relationships within the company, and common phrases used, and determining who has the authority to initiate money transfers. The criminal will then send a fake email from what appears to be the CEO requesting an urgent transfer of funds from a member of staff. The high-level targeting helps the email slip through spam filters and the use of a spoofed email address helps dupe unsuspecting individuals into believing the request is real.

How to Avoid Phishing Attacks

  • Never click on links or download attachments from unknown sources.
  • If there are any inconsistencies in the email address, links, or domain name, delete the email immediately.
  • Question the validity of any email that asks you to submit personal or financial information.
  • Ignore and delete emails with poor grammar and formatting.
  • If an email, text, or call is threatening or urgent in tone, do not respond. This is a common tactic used to pressurise a victim into taking immediate action.
  • Be wary of URL redirects and pay attention to subtle differences in website content.
  • Always verify the security of a website: check that the site has been secured using HTTPS, check for a website privacy policy, or use a website safety check tool such as Google Safe Browsing.
  • Regularly update software.
  • Be careful what you post online.
  • Enable multifactor authentication.
  • Enable a spam filter on your email account.
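
The inconsistency checks from the list above (email address, links, domain name) can be automated over a raw message. This is an added example, not part of the original article; the sample email, all domains, the 0.85 similarity threshold and the function names are assumptions made for illustration.

```python
import difflib
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every domain here is a placeholder.
SAMPLE = """\
From: Example Bank <alerts@examp1e-bank.test>
Reply-To: support@mail-collect.test
Content-Type: text/html; charset="utf-8"

<p><a href="http://login.mail-collect.test/verify">www.example-bank.test</a></p>
"""

class LinkCollector(HTMLParser):  # collects [href, visible text] per <a>
    def __init__(self):
        super().__init__()
        self.links, self.in_link = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self.in_link = True
    def handle_data(self, data):
        if self.in_link:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self.in_link = self.in_link and tag != "a"

def domain_of(header):
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()

def find_inconsistencies(raw_email, trusted_domains):
    msg = message_from_string(raw_email, policy=policy.default)
    sender, reply_to, findings = domain_of(msg["From"]), domain_of(msg["Reply-To"]), []
    if reply_to and reply_to != sender:  # replies go somewhere else
        findings.append(f"reply-to domain {reply_to} differs from sender {sender}")
    for good in sorted(trusted_domains):  # near-miss spelling of a known domain
        if sender != good and difflib.SequenceMatcher(None, sender, good).ratio() >= 0.85:
            findings.append(f"sender domain {sender} resembles {good}")
    body, collector = msg.get_body(preferencelist=("html",)), LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:  # visible domain vs. real destination
        shown = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", text.lower())
        target = (urlparse(href).hostname or "").removeprefix("www.")
        if shown and shown.group().removeprefix("www.") != target:
            findings.append(f"link text shows {shown.group()} but opens {target}")
    return findings
```

Calling `find_inconsistencies(SAMPLE, {"example-bank.test"})` returns three findings, one per check; a message whose sender, reply address and link destinations all agree returns an empty list.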

For over 14 years, we have been committed to helping our clients defend against sophisticated cyber threats. As an ISO 27001 certified Managed Service Provider, we take cyber security incredibly seriously and understand how valuable your data is and what steps need to be taken to protect it.

We provide a full range of proactive IT services that include advanced security, round-the-clock monitoring, data encryption, network and firewall protection, anti-virus software, backups, and disaster recovery. We identify gaps that need to be plugged and work closely with you to ensure your IT systems are aligned with the latest technologies and security protocols.

To find out how we can help protect your business, get in touch for further information.
