Insight

Six Phishing Scams that Can Hobble Your Business

By David Finz, Alliant

The term “phishing” refers to a type of cybercrime that uses emails or other electronic communication to deceive the recipient into sharing sensitive information, clicking on malicious links or opening harmful attachments. While email is the most common delivery means of launching these attacks, cybercriminals may also resort to text messages, “DM’s” on social media, imposter websites, voicemails or even placement of an actual call to the recipient.

Types of Phishing Scams

Many larger cyberattacks have featured phishing as one element of intrusion. In fact, in its 2021 Data Breach Investigation Report, Verizon noted that phishing played a role in approximately one-third of all breaches analyzed. Here are six common types of phishing scams:

1. Deceptive phishing—Deceptive phishing entails a cybercriminal impersonating a recognized sender to gather personal data and login credentials. These emails often ask the recipient to verify account information, change a password or make a payment, all with the intent of tricking the victim.

2. Spear phishing—A spear-phishing scheme targets specific individuals or companies and incorporates customized information to convince victims to share their data. In these instances, cybercriminals will examine a victim's online behavior—such as where they shop or what they share on social media—to collect personal details that make themselves seem legitimate.

3. Whaling—Whaling aims to trick high-profile targets such as C-level executives into revealing sensitive information, including payroll data or intellectual property. Ironically, many executives claim to be “too busy” to attend security awareness trainings, making them vulnerable to these scams.

4. Vishing—Vishing, or "voice phishing," consists of a criminal calling a target's phone to elicit personal or financial information. These scammers often disguise themselves as trusted sources, such as a bank or law enforcement, and rely upon creating a sense of urgency or fear to trick a victim into giving up sensitive information.

5. Smishing—Smishing refers to "SMS phishing" and embeds malicious links into SMS text messages. These messages may seem to come from a trustworthy source and lure victims in with coupons, gift cards or a chance to win prizes.

6. Pharming—Pharming is a sophisticated method of phishing that installs a malicious program onto the victim’s computer to redirect traffic to the criminal’s website. Once users input their login credentials or personal information on the fraudulent site, the perpetrator now has access to this data.

 

How to Protect Against Phishing Scams

As phishing scams proliferate, business leaders and employees must remain vigilant about cybersecurity. No single cybersecurity solution can prevent all phishing attacks. However, the following actions can reduce their frequency and severity:

  • Stay informed about phishing techniques. IT administrators should keep abreast of new phishing scams and train employees to watch for them. Mock phishing exercises can help prepare employees for real attempts.

  • Examine a message before clicking. Phishing scams often contain URLs that are slightly inaccurate, so check the sender’s web address before clicking on the website. A secure website always starts with "https" rather than simply “http.” If uncertain, it’s best to type the destination in a web browser rather than clicking on a potentially dangerous link. In addition, phishing scams will tug upon heartstrings and play upon the recipient’s fears, so messages that are designed to incite such emotions should be treated with suspicion.

  • Keep computer systems up to date. When software developers discover a vulnerability, they will release a patch as soon thereafter as possible. It’s critical to deploy these patches in a timely fashion. Cybercriminals inevitably discover these vulnerabilities and find ways to exploit them. This applies to browser updates as well.

  • Never give out personal information. As a rule, you should never share personal or financially sensitive information in response to an unsolicited message. When in doubt, go to the company's website directly, or call to see if the request is legitimate.

  • Use antivirus software. Implement antivirus software on all workstations to detect and prevent phishing attacks.

  • Back up data regularly. Since phishing attacks often leave behind malware, including ransomware, companies should back up their data at a regular cadence, so attacks don't hinder the organization's productivity.

Phishing scams are becoming more sophisticated, and the consequences of them can be severe. By taking the proper precautions, organizations can safeguard their data, as well as their financial well-being and reputation.