Start now

What Are Phishing Attacks?

What Are Phishing Attacks?

What Are Phishing Attacks?

In this digital age, awareness of how to safely navigate the online space is more important than ever before. One of the most common online threats to both individuals and businesses is phishing attacks – a threat that is growing year after year.

But what exactly are phishing attacks? In the first of three articles focusing on phishing, we take a look at the precise definition, before disclosing some eye-opening statistics and examining the different types of phishing.   

What is phishing in cybersecurity?

Phishing is a type of online attack where someone tricks you into clicking on a link, sending personal information like passwords or credit card numbers, or transferring money, etc. It’s the most common form of what’s known as ‘social engineering’ – a term that means to deceive online users.

Phishing can target individuals or businesses. The term ‘phishing’ originated in the 1990s, as hackers used to ‘fish’ for login details in the early days of the internet.     

Phishing statistics 

To get an idea of the impact of phishing attacks, all we have to do is take a look at the numbers. Verizon’s 2022 Data Breach Investigations Report and APWG’s 2022 Phishing Trends Activity Report revealed that:

  • 82% of attacks involve the human element – with phishing being a major contributor.
  • Phishing attacks make up almost 20% of non-error, non-misuse-based attacks.
  • Phishing attacks account for about 70% of social engineering breaches.
  • 18% of clicked phishing emails come from a mobile device
  • Only an estimated 2.9% of employees click on phishing emails. While this might not seem a lot, Verizon’s report found a total of over 1 billion personal records breached. Assuming the majority are email accounts, 2.9% would be 33 million accounts phished. That’s the equivalent of the entire population of Malaysia!
  • Training is a key part of creating awareness around the issue of phishing. However, most employees only receive an hour or two of phishing training a year.
  • In the second quarter of 2022, APWG observed 1,097,811 total phishing attacks, a new record and the worst quarter for phishing that APWG has ever noted.
  • Phishing against social media companies rose from 8.5% of all attacks in 4Q2021 to 15.5% in 2Q2022.
  • Finance, social media, and SaaS are the three most targeted industries

What types of phishing are there?

Traditional phishing techniques

Phishing by email

The most common form of phishing in cybersecurity, email phishing has been prevalent since the early days of the internet in the 1990s. 

A malicious actor will send you an email, often pretending to be a well-known company, and will tell you that your account has been compromised or you have a payment that needs to be verified, for example. They might ask you to click on a link, download a file, or ‘confirm’ your account details or credit card information. Clicking on links or downloading files can install malware onto your device. This can be used to steal your information. 

Email phishing can also be targeted. We can break targeted emails down into three separate categories:

  • Spear phishing

This involves targeting a specific user, hence the name ‘spear’ phishing. Just imagine a desert island castaway, spear in hand, trying to catch one of the many fish swimming around the shallow waters. 

As spear phishing is a targeted approach, the sender can tailor their attack – they will customize the communication to appeal specifically to the company or user they are targeting. They will do this to appear more authentic and appeal to their interests. 

  • Whaling

Much like spear phishing, whaling is a targeted phishing approach. However, whereas spear phishing earmarks general workers within a company, whaling goes after the ‘big catch’, targeting CEOs, CFOs, or any other senior leaders within the organization.

The purpose of whaling is to obtain critical company data. So, a whaling email might state that the company is facing legal action and a link must be clicked on to find out more details. Then, the senior leader is asked to enter information such as tax ID, bank account info, etc.   

  • Clone phishing

Malicious actors know that trust is a key factor when it comes to phishing. This is where clone phishing comes in. To win the trust of a user or a business, they will carry out research to find out what kinds of applications, tools, and platforms they use, or what companies they collaborate with.  

They will use this information to pose as the trusted partner or third party, leveraging the previous relationship to bait the company into sending sensitive data or even transferring money.

Vishing

Voice phishing – which can be shortened to ‘vishing’ – is a common form of phishing attack carried out over a telephone call or voice message. The malicious actor will pretend to be someone of importance, such as a tax service employee or a Microsoft representative. They will inform you that there is a problem and that they need some details to find a solution.

More than most phishing attacks, vishing attacks create a sense of urgency and panic. Vishing attacks are becoming increasingly common and have a higher success rate than standard phishing – according to an IBM report, the average click rate for a vishing campaign is 53.2%, compared to 17.8% for a standard phishing campaign. 

Smishing

Otherwise known as ‘SMS phishing’, smishing is a phishing attack carried out through the medium of text message. Much like other forms of phishing, this technique is often used to relay a fake message that claims an account has been breached and that an immediate response is required. 

Then, bank account details, credit card information, tax numbers, and other forms of personal data will be requested.

New phishing techniques

Social phishing

Otherwise known as ‘social media phishing’ or ‘angler phishing’, social phishing is carried out on platforms such as Facebook, Instagram, LinkedIn, or Twitter. This technique uses notifications of DMs (direct messages) to trick the user into providing personal details.

Malvertising

A term that refers to ‘malicious advertising’, malvertising is a new form of cyberattack that implements corrupted code into digital adverts. These adverts are hard to spot, both by users and the sites that host them. 

Once the user clicks on the ad, the corrupted code is downloaded onto the user’s device. It might also redirect them to a malicious website, where further phishing techniques are used to gain sensitive data. 

QR code phishing

Back in 2012, quick response (QR) codes became a popular and easy way for customers to interact with brands. However, it was a short-lived thing, as tech and trends moved on. But with the rise of touchless technologies following the Covid-19 pandemic, QR codes became popular again. This prompted the rise of a new form of phishing.

QR code phishing uses QR codes to direct users to a fake website, where they’ll be asked to enter sensitive information. It can come in the form of banking app scams, fake parking tickets, or be contained within emails.

Browser in the Browser (BitB)

One of the most advanced new phishing attack methods, BitB uses a simulated login window in order to entice users to enter usernames and passwords. They attempt to replicate a genuine browser such as Google or Safari, in terms of the images, colors, fonts, and even details that come up when you hover the mouse over a piece of text or an image. 

This technique takes advantage of single sign-in authentication, either stealing usernames and passwords by getting users to directly enter their login details into the browser, or by baiting them into clicking on a ‘forgot my password’ box. Users enter their details, thinking they’re being supplied to a trusted browser, but instead they go straight to cyber criminals. 

Final thoughts

The information above on phishing statistics and the various types of phishing attacks should give you a deeper understanding of the dangers of online phishing and how much of an impact it can have.

But how exactly do you avoid email phishing incidents and the newer types of phishing scams? Read our next article in the series on how to avoid phishing incidents, where you’ll pick up some valuable tips and tricks when it comes to staying safe online. 

For more information on how to increase your company’s security posture and meet your cybersecurity needs, contact Ackcent today.

Like this article? Follow us on LinkedIn or Twitter to see the content we publish.