You have probably heard of phishing.
You may imagine it as a kind of hacking that only happens to large companies abroad. And you may not know exactly what it is or how it presents itself...
Am I close to the truth?
If so, let me share with you some shocking facts:
- Phishing is the most frequent type of cybercrime worldwide;
- 74% of organizations in the United States have experienced this type of attack;
- In 2020, Portugal was second on the list of territories with the highest rate of data theft on a global scale, just below Brazil.
If I have managed to gain your attention, you may be interested in the topics we will cover in this article. Read on if you are interested to know:
- What kinds of phishing exist;
- What a phishing email looks like;
- What types of subjects are used in a phishing email;
- What types of attachments follow in a phishing email;
- What are the consequences of phishing;
- How to protect your company from phishing attempts.
But before we truly dive into the topic, let's demystify this buzzword that scares less tech-savvy business owners. After all, what does the word phishing mean?
What is phishing?
Phishing is known as the criminal act of tricking a user into sharing confidential information such as passwords or credit card numbers.
As in fishing, there is more than one way to "catch" a victim. But an email posing as a trusted person or organization - such as a bank or government entity - is still the most common bait.
This is the usual sequence of the crime:
- The victim opens the email because the subject line in the inbox looks scary or urgent;
- The email asks the victim to download an attachment and/or visit a website and take some urgent action;
- The user clicks and lands on a trustworthy-looking website;
- The website asks the user to log in or enter bank or personal details;
- This information is later sold, used to empty bank accounts and/or to extort the victim.
Most cases of phishing result in extortion, theft of money or identity. But beware: phishing is also used for corporate espionage or stealing data and trade secrets from companies.
For all this, it is essential that those responsible for Portuguese companies are prepared to recognize and avoid phishing attempts. Let's start by finding out what types of phishing exist so that your company can resist them too!
Phishing: What Types Exist?
1 – Spear Phishing
The term spear phishing is an analogy to spear fishing, where the fisherman can pick the specific fish he wants to catch, as opposed to rod fishing.
This type of attack targets a specific group or role - such as an administrator in a company's finance department.
While most of us have never heard of the term spear phishing, the truth is that it is far from rare. In 2020 alone, about 30% of IT professionals claim to have faced at least one attack attempt!
2 – Whaling
If spear phishing is an attack directed at a particular position or group, whaling seeks to target a specific person. The term whaling is an analogy to catching really big fish: whales, of course!
CEO, CFO or any top position in a specific industry or business may be subject to this attack attempt. And remember: typically, this attack involves requesting tax or banking data from the company being attacked.
3 – Smishing
It is a strange name for phishing done through text messages or SMS: in practice, a written message that carries a clickable link or a request for personal information or data.
A classic example of smishing is an SMS apparently coming from the victim's bank: a warning that the bank account has been compromised and that some kind of confirmation information is needed, immediately.
Watch out also for the smishing attempts about pending payments to Apple or the alleged arrival of orders from Amazon or via CTT - which have become frequent in Portugal. I myself have been the target of several smishing attempts of this nature!
4 – Vishing
A traditional vishing attempt is made via a voice call, with the same objective as a phishing attempt via email.
In a typical scenario, the criminal impersonates, for example, a Microsoft representative and warns that he has discovered a pernicious virus on the victim's computer.
Next, the criminal usually requests access data or credit card information from the victim in order to remotely install an updated version of an antivirus.
Unfortunately the scenario gets complicated from here:
- The criminal gets hold of the victim's access data or credit card details;
- The "antivirus" that the victim installed is probably malware, such as a Trojan horse.
And of course: this malware will be watching the victim's online activity, so that the criminal can steal other data, such as a bank account password.
5 – Search Engine Phishing
The nomenclature starts to get complicated but, believe me, the principle is always the same.
In this crime, attackers use digital marketing techniques to make a website become the first result for a particular search in search engines such as Google. Let's imagine that this search is "green tea", to give you a practical example.
In this scenario, whenever a user searches for "green tea" on Google, the first result to come up tends to be the criminal's website. And therefore, the victim is much more likely to end up clicking on that suggestion!
If he does so, the victim is taken to the criminal's website, and while interacting with it - in simple actions such as logging in - confidential information or data is stolen.
Note: Search engine phishing websites can impersonate any type of institution, but typically take the form of a bank website, social network, or online store.
6 – Phishing for Ransomware
Whether by email, chat or through search engines, ransomware phishing implies that the victim receives a fraudulent link.
The difference is that instead of being redirected to a fake website...
...the victim clicks on that link and automatically downloads malicious software onto the computer: often in the form of ransomware!
Recently, the Impresa group was attacked by ransomware and the SIC and Expresso websites were unavailable for more than 3 days!
Unlike the forms of phishing we have explained so far, the intention of ransomware phishing is not just to steal information: it is the victims' computers that are virtually hijacked...
...with a similar outcome in any attack: the victim must pay a ransom to recover the data the criminal now has in his possession!
7 – Pharming
Business owners and managers of growing businesses: beware of pharming. It is one of the most dangerous types of phishing, because it attacks the DNS server - the component that translates website names into the addresses computers actually connect to - especially in business systems!
The attack usually consists of installing a Trojan horse, either on a computer that connects to the network or directly on the corporate network.
Now, this is where panic sets in: any company website address, even one that looks trustworthy, can lead the user to fraudulent pages without the user noticing.
Can you imagine the feast you are serving hackers when you allow yourself to be infected by pharming?
All users visiting your company's website are now at risk: thousands of pieces of personal information are being collected at the same time, and at the end of the day, the responsibility for these crimes is your company's negligence!
TIP: Antivirus programs are key to avoiding this kind of contamination. Remember to keep yours updated and select it with the help of your computer partner!
8 – Clone Phishing
Just when you think cybercriminals can't surprise us anymore, a brilliant innovation always comes along that impresses the entire computing community. Want an example?
Nothing less than clone phishing, where:
- The criminal makes a copy - or clone - of a trustworthy email that contains an attachment or link, previously sent to the victim;
- Then they swap the attachment content or the link destination for malicious content;
- And the victim, by downloading that attachment or clicking that link, ends up allowing his system to be hijacked.
Did you see the example? It is almost impossible to find the differences...
...and in these cases MAXIMUM ALERT: usually the crime does not stop there!
The cybercriminal - in this case called a phisher - can even impersonate the victim's identity to pose as a trusted sender to other victims in the same organization!
9 – Blind Phishing
When it does not matter who the victim is, blind phishing is one of the most popular techniques. In this type of attack, mass emails are sent out in the hope that some victim will take the bait, out of the thousands that are attacked.
Simple? Certainly. But even more effective: for cybercriminals, blind phishing is the most widely used phishing technique worldwide!
10 – QRishing
As the name implies, QRishing names the cyberattack where malicious links are embedded in QR codes. As soon as the victim reads the code with his cell phone camera, he is directed to a malicious website...
...where, in addition to being asked for personal data on the landing page, the device may also pick up some kind of malware!
11 – BEC or Business Email Compromise
If the word phishing is familiar to many of us, perhaps the term "BEC scam" is still unfamiliar to you. But that will change!
The acronym BEC stands for Business Email Compromise and alludes to one of the most financially damaging online crimes. In a BEC scam, the cybercriminal sends a professional-looking email making a seemingly legitimate request such as:
- An invoice, posing as a supplier that your company deals with on a regular basis;
- A request to a company employee, for example to buy dozens of gift certificates to send as a gift, posing as the CEO of the company;
- A transfer request to a home buyer, posing as a banking entity or the company that manages the transfer of title of the property.
These are scenarios that seem to be taken out of a movie, but happened with real victims.
According to the reported cybercrime victims of 2020, BEC scams were responsible for the loss of over $1.8 billion!
Phishing: 6 most common themes
As we saw earlier, email is the most widely used phishing vehicle in the world. There have been records of this type of attack since 1990, and because of the frequency with which it occurs, you should be prepared to detect it.
Are you curious to find out what the most common phishing emails are? That's what we're going to find out, with a list of the 6 most commonly used themes of phishing attempts.
1 – Billing or invoice problems
You are informed that a certain product or service you bought online cannot be shipped - because there is a problem in creating the invoice. Want to see an example?
There is a link in that email that redirects the user to a fraudulent webpage where they are asked for banking or tax information, which the criminal can then use. You already know the rest of the story!
2 – Requests from government institutions
Do you respond instinctively to emails from institutions and government authority figures? If so: you are the ideal victim for this type of attack.
Several phishing attempts threaten the victim with some sort of penalty - for example tax - unless certain data is provided within a certain period of time.
Have you received an email from the tax authority or social security and have doubts about it?
- Refer to the "10 Signs of a Phishing Email" chapter of this article and learn how to recognize a threat.
- Confirm your suspicion with the phone contact you can find on the official website of that government institution!
3 - The government has money for you
It's the same scenario as the previous example, this time reversed: typically used during tax return season, these types of phishing attempts promise tax refunds...
...but you need to confirm your financial data quickly!
And where will you confirm them? You know the answer to this question: in a fraudulent link that allows the cybercriminal to register your personal data!
4 - Bank Alert
Most banks alert their customers, by email or written message, to confirm online transfers or other movements.
This practice is known as two-factor authentication.
Cybercriminals have taken advantage of this practice to convince victims to "confirm" personal or banking information. This is the typical form of this kind of phishing or smishing attempt.
But never forget this principle: your bank will never ask you to confirm access data by email or written message. Your bank may send you written messages or e-mails with access codes...
...but only if you have previously required them to complete some process!
5 - You won a prize
We have all landed on websites that open automatically and announce that we have won a prize. The younger generations are largely immune to this threat...
...but the most technologically inexperienced individuals are the ideal target to fall into this trap!
As a general rule, never believe in these kinds of prizes and offers. Don't even give out personal details when you are asked to register to claim the prize you just won!
6 - Request for help
Caution: we are facing an armed conflict in Europe, and this circumstance will further open the doors to the exploitation of this theme!
In this type of phishing email you are told that a certain cause, a friend or even a family member needs urgent support because they are going through a terrible situation. Be even more suspicious if, in the request, the sender begs for financial help!
The Independent newspaper wrote an article about two years ago, about scams that have emerged with the emergence of the coronavirus. Can you guess which one of the scams was listed?
As described in the story, the cybercriminals were posing as the WHO and asking for funds to support the prevention and detection of the virus in various countries.
Remember that these scams preferentially target the elderly and also occur via telephone. It is sad that criminals take advantage of the solidarity of citizens, but this threat exists and the current context means it will persist and multiply!
Phishing: 10 most common subject lines
Also known as subject lines, the subject is a kind of email title.
It can be read in the inbox of your email provider, before we open the email itself. If you are not familiar with the concept, the image below illustrates where the subject of an email usually appears:
In research for this article, we found that the company KnowBe4 - the world's largest platform for training and coaching employees against phishing attacks - did a study in the last quarter of 2020 on the 10 most likely subjects to find in a phishing email.
Since you've been looking for more information about phishing, we thought you might be interested in this information!
This was the final list, produced by KnowBe4's study:
- IT: Annual Asset Inventory
- Changes to your health benefits
- Twitter: Security alert: new or unusual Twitter login
- Amazon: Action Required | Your Amazon Prime Membership has been declined
- Zoom: Scheduled Meeting Error
- Google Pay: Payment sent
- Stimulus Cancellation Request Approved
- Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription
- RingCentral is coming!
- Workday: Reminder: Important Security Upgrade Required
Please note: the conclusions of this study found potentially dangerous subjects in the English language, but the subjects that are being used the most can be extrapolated to the Portuguese language!
"It's no surprise that phishing attacks related to working from home are on the rise, as many countries around the world have seen their employees working remotely for almost a year now," says Stu Sjouwerman, CEO of KnowBe4.
- References to payments and subscriptions at Amazon, Microsoft, and Google;
- To alleged problems with online meetings at Zoom;
- To Twitter and remote work...
...in short: the names of the services and applications we use the most, used as a vehicle for stealing data from unsuspecting internet users.
But phishing is not only about brands.
We also tried to investigate the type of institutions the hackers impersonate, in most of their attempts to steal data. And we found that it is common to find phishing emails where the criminals impersonate:
1 - Banking Institutions
With the argument that a new card full of advantages has been launched, or that there is an invoice close to its due date that will lead to the permanent closure of your account if it is not paid.
2 - Government entities
With the argument that a certain document, such as the voter card, will be canceled if not updated; or that there is a debt to the social security or an irregularity in the tax declaration; or that there are pending traffic fines.
3 - Press
With the argument that you will have access to exclusive photos or information about political scandals, celebrities, or conspiracy theories in exchange for data or payment.
4 - Social media
With the argument that your Facebook or Instagram account will be deleted or become paid if you do not perform a certain action, or that you have received a new friend request and need to access a link to accept that request.
5 - Most used digital services
Phishing emails posing as services such as Dropbox or Google Drive are commonly used. Criminals use fake addresses that appear to come from these platforms to trick victims into logging into fraudulent websites.
6 - Cryptocurrency-related services
In the form of exchange services or tempting buying opportunities, with currencies below the market price.
Now that you know:
- What is phishing;
- What kinds of phishing exist;
- What topics a phishing email is about;
- What kinds of subjects are used in the title of a phishing email;
It will make sense to look at the actual form of a phishing email.
What are the most typical signs? Which characteristics should put you in a state of alert right from the start? Find out in the next chapter!
10 Signs of a Phishing Email
Although they come in many different shapes and sizes, it is possible to learn to recognize a phishing email by learning its most common traits.
Yes: there are software and services that can help with your company's cybersecurity. But you can (and should) anticipate if you encounter one of these 10 signs:
1 - The Email is generalist
In this article we learned the concept of blind phishing, where mass emails are sent in the hope that some victim will take the bait. It is the most widely used phishing technique worldwide, and one that always shows this sign.
As a rule, this type of email will address you as "dear customer", "dear subscriber", or with some other kind of generic salutation.
But beware: just because the message contains your email address, does not mean that the phishing attempt is no longer general. The message may even contain your name, but clearly have generalized content.
Review the content carefully before clicking on any link!
2 - The email asks for immediate action
Phishers love urgency. Urgency drives us to act! This is a principle that every marketing professional knows and uses.
Remember this when you open a new email and don't be afraid of missing a unique opportunity. Don't respond to threats of fines, cancellation of accounts, or seizure of assets without carefully checking the sender of the email.
Don't act on impulse: no government entity or legitimate institution will give you just one chance to act before you face a sanction. If the message points in that direction, there is a strong possibility that you are facing a phishing attempt. Like in this example.
If you click on the link, you are automatically forwarded to a clone of Amazon's official login page. Notice how much data you would be handing to the cybercriminal.
3 - Shortened links
If you didn't know this already, there is software that shortens links. What for, you ask? To make it easier to share the link and to make it look more elegant.
These software programs, by themselves, do not pose a threat to your company's computer security. The problem: you never know what is on the other side of the link before you click on it!
As a general rule, we recommend that you avoid clicking on an abbreviated link when opening a new email message. Even marketers, because of the distrust these types of links cause, are beginning to prefer a longer link to the elegance of a short link!
4 - Strange or suspicious links
Cybercriminals make an effort to use links that resemble those of the entity they are pretending to be. What does this mean in practice?
For example: if the cybercriminal is posing as a Vodafone employee, he may use a link like www.premiovodafone.pt instead of the official Vodafone link in Portugal, which is www.vodafone.pt.
But watch out! There are cases where the link is not suspicious: it looks exactly like the company's official web address. Only after clicking, you realize that you have been forwarded to another, potentially dangerous website!
To reduce this risk, hover your mouse over the link without clicking on it. In Gmail, when you do this, you will notice that the actual destination link appears at the bottom left:
In the example above, I have placed my mouse over the hyperlinked text, which reads "View online". Immediately, Gmail indicates to me in the lower yellow bar that I will travel to a link beginning with http://mailchimp if I click on that link.
The same thing will happen to you, regardless of which email provider you are using. Test it on your desktop!
5 - Links with spelling errors
We have seen that a phishing email can use strange links, such as www.premiovodafone.pt. But there are occasions when the cybercriminal uses a web address almost identical to the legitimate site he is impersonating.
These kinds of "typing errors" are known as typosquatting and are nothing more than slightly incorrect versions of legitimate URLs that you would normally trust.
For example: if the cybercriminal is posing as a Vodafone employee, he may use a link like www.vodaphone.pt instead of the official Vodafone link in Portugal, which is www.vodafone.pt.
Did you notice that I wrote ph instead of f in the middle of the word Vodafone?
Another sign that you may be facing a phishing attempt is to find gross errors throughout the body text. Serious institutions care about their image. Caution: gross errors include improper use of punctuation (example: !!!!!).
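As an added example (not from the original article), here is a small Python script that checks the links in an HTML email for the three link signs just described: shortened links, lookalike or typosquatted domains such as www.vodaphone.pt or www.premiovodafone.pt, and visible link text that differs from the real destination. The trusted-domain list, the shortener list and the sample message are constructed assumptions for illustration.

```python
"""Flag suspicious links in an HTML email body (added example, not the
article's own tool). Trusted domains, shorteners and the sample email
are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the domains your organisation considers legitimate senders.
TRUSTED_DOMAINS = ["vodafone.pt", "novobanco.pt", "amazon.com"]
# Assumed: a small list of public URL shorteners.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels ("www.vodaphone.pt" -> "vodaphone.pt")."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_link(href: str, text: str) -> list:
    """Return the warning tags that apply to one link (empty list = no sign found)."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in SHORTENERS:
        findings.append("shortened-link")          # sign 3: destination hidden
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted:
            continue                                # exact legitimate domain
        brand = trusted.split(".")[0]
        if edit_distance(domain, trusted) <= 2:
            findings.append(f"typosquat-of:{trusted}")       # sign 5: vodaphone.pt
        elif brand in domain:
            findings.append(f"brand-in-domain:{trusted}")    # sign 4: premiovodafone.pt
    # Visible text that looks like an address but points somewhere else
    m = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text.strip(), re.I)
    if m and registrable_domain(m.group(1)) != domain:
        findings.append("text-href-mismatch")       # sign 4: hover reveals another host
    return findings


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def scan_email(html: str) -> dict:
    """Map each href in the message to its list of warning tags."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: analyse_link(href, text) for href, text in parser.links}


# Constructed sample message mimicking the article's examples.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be closed unless you act now!</p>
<a href="http://www.vodaphone.pt/login">www.vodafone.pt</a>
<a href="https://premiovodafone.pt/prize">Claim your prize</a>
<a href="https://bit.ly/3xyz">View invoice</a>
<a href="https://www.vodafone.pt/pt/">Vodafone Portugal</a>
"""

if __name__ == "__main__":
    for href, tags in scan_email(SAMPLE_EMAIL).items():
        print(f"{'WARN' if tags else 'ok  '} {href} {tags}")
```

Only the genuine vodafone.pt link comes back clean; the other three each carry at least one of the signs described above.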
6 - Poorly written text
It can happen... But it is highly unlikely that your bank will send you an email full of spelling or grammatical errors. This is a blatant sign that you may be facing a phishing attempt.
Remember that a phisher may be someone on the other side of the planet. Many just use Google Translate to translate a criminal message into the victims' language!
7 - Requests for personal information
At this point there is one thing you know: phishers want data. And you also know that your boss, your relatives and your friends are not in the habit of asking you for confidential data by email.
The act of asking for data by email is in itself a cause for suspicion.
When an email contains such a request - for example asking for confirmation of bank account details, login credentials or other personal information - it is likely to be a phishing attempt.
Delete this email and block the sender immediately. In Gmail, for example, just click the three dots in the top right and choose the marked option.
8 - Contact is from a service that you do not use
The cybercriminal may have access to a database containing your email address. But it is unlikely to know which companies actually provide you with services.
This means that, not infrequently, the phisher tries to impersonate a company with whom you have never established a business relationship. For example: in the image I shared above, the phisher impersonated Novo Banco, but I am not a Novo Banco customer!
When the contact is made by a company or service that you do not use, we recommend going on high alert. You are probably facing another phishing attempt!
9 - Contains an offer too good to be true
No, you did not win the lottery.
No, this person who needs to move country for political reasons is not going to give you significant compensation if you help him.
No, you will not be rewarded because you performed the 1,000,000th Google search.
The email you are reading is a threat and you are about to be the target of a cyber crime. Delete this email and block all messages from this sender now!
10 - Suspicious attachments
It is normal to receive attachments from family members or co-workers. An attachment alone is not a sign of a phishing email!
But one thing is certain: more often than not, it is thanks to an infected attachment that some kind of malware gets into your computer.
Security software company ESET created a report on cyber threats in late 2020, where it included the most common types of malicious files attached to phishing emails. They are:
- Windows .EXE files (74%)
- Script files (11%)
- Microsoft Office documents (5%)
- Compressed files like .RAR and .ZIP (4%)
- PDF documents (2%)
- Java files (2%)
- Batch files (2%)
- Shortcuts (2%)
- Android executable files (less than 1%)
It is true that the younger generations find it extremely easy to detect these kinds of signs. But the older generations not so much. That's why it's fundamental to be alert, otherwise we may lose access to our companies' critical files and applications.
Are you prepared to recognize a phishing attempt?
If so - and so that you are really aware of the importance of this knowledge - I will share with you the dire consequences of such an attack.
Phishing: What are the consequences?
A Proofpoint study conducted in 2020 asked several companies that had been phished what the cost of the attack was. The answers were surprising: only 18% cited financial losses, contrary to what one might think.
The main consequences indicated were:
- Data loss (60%)
- Compromised access accounts or passwords (52%)
- Ransomware infections (47%)
- Malware infections (29%)
The Verizon company took this study even further and investigated the type of data that is typically compromised in a phishing attack. The report was published in 2021 and indicates:
- Credentials, such as usernames and passwords
- Personal data such as addresses and telephone numbers
- Internal data, such as sales figures
- Medical data, such as information about insurance claims
- Bank details, such as credit card information
Beware: the consequences of a phishing attack on a company can escalate to long periods of downtime, reputational damage, monetary loss, or even loss of intellectual property.
What's more, in the scenario where customer data is stolen, your company can be sued by those customers and face lawsuits that require you to pay large fines and legal fees.
No company can afford to be careless.
But is your company part of an industry typically affected by this type of crime? Let's look at some trends that can help you understand the level of protection that is most suitable for your company.
Phishing: The Most Affected Industries
It was thanks to a report produced by KnowBe4 in 2021 that we discovered that the healthcare industry, which specifically includes pharmaceuticals, is the most affected in the world by phishing attempts:
The ranking of the most attacked industries varies with company size, but the secondary sector (manufacturing) appears in third place for both large and small companies.
IBM itself reaffirmed this trend, when it found that the healthcare industry, even when not leading the ranking of the most hacked industries, typically suffers the most in terms of cost per attack.
But whatever your company, the threat is just around the corner and has become even greater with the advent of pandemic and the rise of remote working:
- Between February and March 2020, the number of phishing emails increased by 667% according to a Barracuda Networks study;
- Between the first and second quarters of the same year, according to an Abnormal Security study, the growth was 389% higher than between February and March;
- A Microsoft report on the future of work showed that 80% of computer security professionals indicated an increase in the number of threats since the move to remote working. Of that 80%, at least 62% say that phishing campaigns have increased more than any other type of threat;
- A Zscaler study found that between January and March of the same year, the number of blocked suspicious messages targeting remote workers increased by more than 30,000 percent!
According to Interpol's cybercrime bureau, the main cyber threat related to COVID-19 was phishing and fraud schemes with 59% of the attacks recorded in 48 different countries. And of course a large part of these attacks came via email!
That is a lot of data, and it is natural that it alarms you. It is even more natural to feel unsafe opening any email in the coming days. Because we understand this, we are going to answer the three questions that business people ask us most often about phishing.
Phishing: Frequently Asked Questions
If any of these questions occurred to you during this article, take a moment to know the answer immediately below:
"How does the cybercriminal know that I am a customer of a certain company?"
Most of the time they don't know. If it seems otherwise, it was probably just luck!
In some types of phishing, the criminal sends a fraudulent message to thousands of people because he knows that a significant portion of these people may be customers of the company he is impersonating. Want an example?
If the criminal has a database of 100,000 Portuguese people and if he pretends to be Novo Banco, it is normal that among those contacts is a Portuguese who is a customer of Novo Banco!
Remember that cybercriminals usually pose as companies that have very large customer bases such as banks, airlines, large retailers, or telecom operators.
"What if the phishing email has my exact name or Social Security number?"
This type of message is uncommon, but still simple to explain: the criminal has probably gained access to a more complete database. This happens, for example, when an online store is hacked or when an employee resells information illegally!
As a general rule, even if the message contains your personal data, never disregard the possibility that you are facing a phishing attack.
"What if the message was sent to me by someone I know?"
Attention: even in these occasions it is possible that you are facing a phishing attack. For a simple reason: a relative or friend of yours may be forwarding you a message with a fraudulent link or attachment without realizing it!
How to protect my business?
This answer is neither easy nor short. But no one better than our commercial director Manuel Alves to summarize the care you should take, starting today!
If you feel you need support in implementing security solutions, remember that you can schedule a free 30-minute meeting with him or one of our experts. Even if you are not ready to make an investment in computer security, we will explain how to protect your company from the various phishing attempts that you will - most certainly - be receiving!