Phishing is a method with which cyber criminals try to steal (sensitive) information from you. This is done by sending you a fraudulent message, often in the form of an email. It can also be used by attackers to make you install malicious code or ransomware. It is the most common cyber attack, with 86% of businesses being attacked by some form of phishing in 2020. You might have experienced a phishing attack on your personal account as well, through emails, text messages on social media or other platforms.
The biggest personal risk for individuals from phishing is that you can reveal important information to criminals, such as login credentials to your online bank account. For companies, losing credentials to criminals can be even more severe, as their security can be compromised. It’s important to be aware of common phishing tactics and what you can do to protect yourself against them.
Types of phishing
Bulk phishing
This is the classic email phishing method, which most people have experienced at least once in their life. You get an email saying you have won a new iPhone, and you only need to click on the link and fill in your credentials to get one.
Also common are emails from ‘your bank’, which ask you to change your password since some nefarious activity was found on your account. Other examples include emails from services that people often use, such as Gmail, Microsoft, LinkedIn, PayPal or Dropbox. These are but a few of many different types of bulk phishing, but what they all have in common is that they are not personalised and are sent to many people at once with the hope of tricking you.
Spear fishing
Spear phishing is the opposite of bulk phishing, in which it’s not about many generic emails being sent out, but rather one targeted email. The target is often a single person and research has been done to make the message seem as legitimate as possible, by including information that would only be relevant for the target. Spear phishing is often used against executives within a company who have access to sensitive information and/or financial services.
Smishing and vishing
Other methods of phishing include “smishing” (phishing through text messages) and “vishing” (phishing through voice messages, or calls).
With “smishing” you might receive an SMS with an urgent message, pretending to be a bank, government agency or other institution with a link. After clicking on the link you’re asked to provide your credentials. It can be more difficult to see whether a link is trustworthy or not on a mobile device, which makes it harder to spot if it is a legitimate link.
“Vishing” is a phishing method where pre-recorded voice messages are often used to make you think that you are speaking to someone from a service you use, like “Microsoft Windows” or other “support”. They will often redirect you to a supposed employee that will help you, but who then asks you to provide your credentials or other information.
How to prevent phishing
There are two general ways to combat phishing, a user approach and a technical approach. In the user approach it is all about making users aware of how to spot a phishing email. This ranges from checking the email address and making sure it is from a valid domain, to validating the sender.
If you’re unsure about the legitimacy of an email or message, do the following:
- Check the domain of the sender.
- Hover over any link in the email to see where you will be taken.
- Contact the person who supposedly messaged you, through verified contact details if you know them and verify that they reached out to you. Don’t do it through the contact details mentioned in the possible phishing email.
- Consider if it’s reasonable that the sender would have approached you like this, for example an email seemingly coming from the bank asking for your credentials.
“The most important thing regarding phishing is to continue to verify! Verify the sender, verify the link, and think before you click.”
Kim Morgan Gilja, Security Manager at Visma
The second general method of combating phishing attempts is to block them using technical approaches. A good example of this is a spam filter, which is included in most email providers. More advanced methods include machine learning and AI, which are trained to recognise phishing attempts and either block them or notify you that this might be a dangerous email. A third method, not aimed at blocking phishing, but rather mitigating the negative effects, is Multi-Factor Authentication (MFA), which requires you to use your phone as an extra step before logging in. Even if a criminal obtains your credentials, they still would not be able to log in, because they do not have access to your phone.
In Visma, we use a user-focused and technical approach. The Visma Security Awareness Programme aims to increase the cyber hygiene for all employees, and help them recognise dangers and phishing emails.
With most large email providers, you will be notified if an email looks suspicious and external emails will have yellow tags notifying that it originated from outside your workplace. With a yearly phishing campaign, Visma aims to motivate and help people to spot the dangers of phishing.
