One of the main tools in a hacker's toolbox is the phishing attack. Hackers use these large-scale attacks to steal personal information from as many people as possible.
Hackers using phishing are digital con artists. With hidden malware and a convincing pretense, they con people into handing over their personal information. They then use this information for a variety of cybercrimes.
Examples of Phishing Attacks
You do not have to look hard to find examples of phishing attacks. In March 2015, a major phishing attack targeting Bank of America customers came to light. As part of the attack, hackers directed unsuspecting users to a fake Bank of America website. The website told them that they had to reactivate their accounts. It then directed them to a web page containing a reactivation form. This form asked them to hand over many personal details, including their names, birthdates, email addresses, online account IDs, passwords, and Social Security numbers.
A more high-profile case occurred in February 2015. After U.S. health insurer Anthem Inc. revealed it had a data breach, the company announced it would be contacting customers to offer them free credit monitoring. Hackers took this opportunity to launch a phishing campaign by sending out an email message that claimed to be from Anthem. The message invited the recipients to sign up for free credit monitoring by clicking a link. This link was part of a plan to steal their personal information.
Researchers note that there are significantly more phishing incidents during the winter holiday season, as more customers turn to online shopping. Hackers typically disguise their fraudulent email messages as ones from major retailers. For example, the email service provider AppRiver noted that in November 2014 it quarantined hundreds of thousands of malicious email messages that claimed to be from Amazon.
How to Spot Phishing Attacks
Phishing attacks have several key characteristics. First and foremost, they use email or text messages that appear to be from large, well-known organizations. Hackers will often make their messages look like an email from a bank or financial institution. Emails that look like they are from universities or major online organizations such as PayPal or eBay are also common. Hackers will send these fraudulent messages to thousands of people.
These messages usually have malware-ridden attachments. When people download them, the malware infects their computers. Another tactic is to include a link to a website controlled by the hacker. The hacker then uses the website to spread malware or steal information. Hackers use stolen information to steal identities or break into their victims' online accounts.
Fake email messages often have spelling and grammatical errors. They also frequently include an indirect threat. For instance, a message might state that if you do not reactivate your account, it will be terminated. By using scare tactics, hackers can more effectively con people into clicking a link or downloading a file.
How to Defend against Phishing Attacks
Educating your staff about phishing is a critical way to counter these attacks. In particular, employees should learn how to recognize a fraudulent email message. Besides watching for spelling and grammatical errors, employees should pay close attention to the sender's email address.
Hackers frequently use email addresses that look like the addresses of legitimate organizations. As an example, a hacker might send out an email message using the address firstname.lastname@example.org instead of the real @amazon.com address. Deceptive email addresses increase the chance of someone falling for the scam.
Your employees should also check the authenticity of links in their email messages. If employees are in doubt about a link, they can hover their mouse cursor over it to see the address the link actually points to, which may differ from the text it displays. If that address seems suspicious, the link is likely part of a phishing campaign. Employees can perform an online search to see if the website is associated with any cybercriminals.
Another red flag that employees need to watch for is requests for personal or financial information. Banks and other legitimate organizations will never ask their customers for this type of information in an email. As a result, any email message that asks for it should be considered malicious. Furthermore, organizations will not threaten their customers in a heavy-handed way. If an email message is written in a tone of extreme urgency and includes threats like immediate account deactivation, it is probably a phishing attempt.
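The three checks described above (a sender address that imitates a legitimate domain, a link whose visible text does not match its real destination, and urgent language or requests for personal data) can be turned into a simple screening filter. The Python below is an added example and not code from the original article; the trusted-domain list, the keyword lists and the two sample messages are constructed for illustration only.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed policy data: a real deployment would load these from configuration.
TRUSTED_DOMAINS = {"amazon.com", "bankofamerica.com", "paypal.com"}
URGENCY_TERMS = ("immediately", "within 24 hours", "account will be terminated",
                 "account will be deactivated", "suspended", "verify your account")
SENSITIVE_TERMS = ("social security", "password", "date of birth", "account id")


def sender_domain(from_header):
    """Return the lowercase domain of the real address in a From: header (not the display name)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def lookalike_domain(domain):
    """True when a domain borrows a trusted brand name without being that domain or a subdomain of it."""
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return False
    brands = [t.split(".")[0] for t in TRUSTED_DOMAINS]
    return any(brand in domain for brand in brands)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html_body):
    parser = _AnchorCollector()
    parser.feed(html_body)
    return parser.links


def link_mismatch(href, text):
    """True when the link text shows one host but the href actually points somewhere else."""
    target = urlparse(href).hostname or ""
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if not shown:
        return False  # text like "Click here" shows no host, so nothing to compare
    shown_host = shown.group(1)
    return shown_host != target and not target.endswith("." + shown_host)


def assess(from_header, subject, html_body):
    """Return the list of phishing indicators found in one message."""
    findings = []
    domain = sender_domain(from_header)
    if lookalike_domain(domain):
        findings.append(f"sender domain '{domain}' imitates a trusted brand")
    for href, text in extract_links(html_body):
        host = urlparse(href).hostname or ""
        if link_mismatch(href, text):
            findings.append(f"link text '{text}' but destination host '{host}'")
        elif host and lookalike_domain(host):
            findings.append(f"link destination '{host}' imitates a trusted brand")
    plain = re.sub(r"<[^>]+>", " ", html_body).lower()
    combined = subject.lower() + " " + plain
    if any(term in combined for term in URGENCY_TERMS):
        findings.append("urgent or threatening language")
    if any(term in combined for term in SENSITIVE_TERMS):
        findings.append("requests personal or financial information")
    return findings


# Constructed sample messages (not real phishing samples).
PHISH = {
    "from_header": "Bank of America <alerts@bankofamerica-secure.example.org>",
    "subject": "Action required: reactivate your account within 24 hours",
    "html_body": "<p>Your account will be terminated unless you reactivate it.</p>"
                 '<p>Please visit <a href="http://bankofamerica.com.example.org/reactivate">'
                 "www.bankofamerica.com</a> and confirm your password and Social Security number.</p>",
}
LEGIT = {
    "from_header": "Amazon.com <ship-confirm@amazon.com>",
    "subject": "Your order has shipped",
    "html_body": '<p>Track your package at <a href="https://www.amazon.com/orders">amazon.com</a>.</p>',
}

if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, assess(**msg))
```

The filter is deliberately conservative: a lookalike is only reported when the domain contains a trusted brand name and is not that brand's own domain or a subdomain of it, and a link is only flagged as mismatched when its visible text itself displays a hostname. Messages with no findings are not proven safe; the function is a first-pass triage aid for the manual checks described above, not a replacement for them.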
Keep Your Data Safe
Thwarting phishing attacks is important if you want to keep your company's data safe. But there are many other types of online attacks, so you need to develop a strong cybersecurity strategy. Experienced experts can help you come up with the best way for you to keep your data safe from digital threats.
Download our latest White Paper on "How To Spot Phishing Attacks"