Businesses today are more reliant on digital tools than ever before. Those tools have created impressive gains in productivity and capability, but they have also added complexity and risk to the modern business.
Phishing is one of the risks that has developed in our connected world. Individuals fall prey to these schemes daily, causing significant personal and business disruption. Below, we’ll explain what phishing is, why it’s so dangerous, and how leaders can help protect themselves and their businesses from this digital threat.
What Is Phishing?
Phishing is a term that refers to any number of digital attacks that attempt to bait people into a particular action. The connection to regular fishing (with an f) is straightforward: In real-life fishing, you bait the hook with a worm or lure in an attempt to convince a fish to bite.
But in the phishing world, you’re the fish. Someone sends you digital bait, attempting to get you to bite (or, in this case, click).
The goal of most phishing schemes is to steal your login credentials (your username or email address plus the associated password). You may also encounter phishing schemes that seek your social security number or other sensitive data. These aren’t as common because the success rate is lower: people are very accustomed to logging in to a website, but they tend to be more skeptical of giving out their SSN.
You may be wondering why anyone would willingly give up this kind of information, and that’s a fair question. People don’t want to get their information stolen, just like the fish in the lake don’t want to end up on a dinner plate.
But remember that we used the term “bait.” We bait fish with the prospect of a tasty meal. And bad actors bait us with something similar: the promise of a freebie, or a dire warning about a problem we need to fix.
Now that you understand the basics of what phishing is, we’ll show you how these phishing schemes usually play out.
How Do Phishing Schemes Work?
While phishing can take many different forms, most schemes these days are predictable and email-based. In the olden days, we’d see phishing attacks originate from pop-up advertisements, but these are rare now (except for in the seedier corners of the internet). Today’s attacks most frequently take the form of emails.
Here’s how this category of phishing scheme usually plays out.
Step 1: Crafting the Bait
A bad actor somewhere crafts the bait, in the form of an email. This email will be convincing, and it will look like it comes from somewhere you trust. Often phishing emails mimic a trusted company (like Apple or Microsoft). Others impersonate an authority (like your boss or the IT department).
It’s important to note that these emails will often be convincing. Years ago, phishing schemes didn’t have to be all that convincing. Enough tech-phobic people would fall for the bait regardless. But as consumers have become more savvy, so have the phishers. Today’s most successful phishing campaigns look very convincing.
Step 2: The Call to Action
The phishing email will also always call you to action. Usually, using either reward (Bill Gates wants to give you $1000!) or fear (We’re afraid your account has been compromised!), the phishing email will compel you to click on a link. “Click to claim your prize” or “Reclaim your account details here” are examples of the kind of language you might encounter.
What the phishers are trying to do is short-circuit your critical thinking skills. They’re trying to get you either excited or panicked to the point that you don’t look too closely or think too hard.
It’s the online equivalent of those robocaller scammers that flood your voicemail, telling you that the IRS has a warrant out for your arrest. If you stop and think about it (or look it up), you’ll know that the IRS doesn’t even do that. But by creating a sense of urgency, the scammers short-circuit people’s critical thinking, and thousands have given up their personal information in this way.
This false sense of excitement or urgency is the first warning sign: view any email that uses these tactics with great suspicion.
Step 3: The Hook
Of course, the email isn’t from Microsoft or Apple or the IRS. It’s from a bad actor, someone who is out to steal your information. And if you click that link, you’re about to face the hook.
You’ll land on some kind of website, one that may even look pretty authentic. But it’s not legitimate. It’s an impostor. Inevitably, you’ll be asked to log in. If you do, you’ll encounter some kind of an error, like a “404 page not found.” You might give up at this point and walk away.
Even worse, you might receive a message like “your username and/or password are not correct,” leading you to try multiple passwords. As soon as you enter any information here, it’s too late. Your login credentials have gone straight into a database somewhere. The hackers have your information now. You’ve been phished.
Why Is Phishing So Dangerous?
So why is phishing so dangerous? If you suspect an account has been compromised, you can always go change the password. That will fix the problem, right?
Here’s the scary part: phishing is far more dangerous than most people realize. Here are some of the ramifications that can occur when a single employee gets phished.
Danger #1: Caching Data
A bad actor doesn’t need access to, let’s say, an employee’s corporate email account for long to do some serious damage. Within just minutes, a hacker can download the entire contents of an email inbox. This is even scarier when you consider that many corporate email accounts also have access to the provider’s cloud storage. The hacker could copy off all those files, too.
Your employee may even realize they made a mistake and change the password quickly, but the bad actor may have already gained access and downloaded data. There’s no getting control of that data again.
For weeks, even months, the hacker may continue to exploit the data they downloaded. It only takes a few seconds, but the damage can go on for some time.
Danger #2: Get One, Get Them All
Just about everybody knows they shouldn’t reuse passwords. But just about everybody does it anyway. Google concluded in 2019 that around 65% of people admit that they reuse the same password for some or all accounts. Here’s the thing: if we know this, so do the bad actors. Once they get one set of credentials, they will typically try those credentials on any number of sites. Sure, they’ll strike out a lot. But if you’re part of the 65% and you get phished, your other accounts are also in danger.
You might not think it’s a big deal if one of your social media accounts gets compromised briefly. But if you’re in the 65%, it is. If your social media password matches your bank or credit card password, you could have a serious problem on your hands.
Danger #3: Personalized, Deeper Phishing Expeditions
Most phishing schemes are somewhat random, and they can do damage. But far more dangerous are what’s called spear-phishing campaigns.
Spear phishing is targeted phishing: a bad actor impersonates someone you trust in an effort to scam you or steal your information. Again, phone scams offer a great illustration. There’s a phone scam targeting the elderly where the caller claims to be a grandchild in trouble, needing bail money or some cash to cover a bill. Without the right information, this scheme isn’t terribly effective. But when the scammer knows the grandchild’s name and the city he or she lives in, it’s much more effective.
How does this usually work in the phishing world? A bad actor gains and retains access to a corporate account via regular phishing and learns enough company lingo to sound plausible. Then the bad actor then sends targeted phishing emails while impersonating the compromised employee, seeking even greater levels of access.
This isn’t fiction or scaremongering. It happens every day. It’s how a church in Brunswick lost nearly $2 million. Bad actors impersonated church staff after gaining access. If it happened to them, it could happen to you.
Danger #4: Access to Contacts, Banks and Password Resets
One other significant danger is that, with access to your email, a hacker can gain access to many other accounts.
Think back to the last time you forgot a password on a website. You clicked a button, entered your email address, and immediately received an email that let you create a new password. If a hacker gains control of your email account, he or she can do the exact same thing for any site that ever sent you a confirmation email containing your account name.
In this way, an enterprising hacker could gain access to bank, retirement and credit card logins. And once the hacker gets into those, it’s not at all hard to change billing and mailing addresses so that payments route directly to the hackers. One estimate pegs the amount of theft perpetrated using this method at $3.5 million for 2019.
How to Protect Your Company Against Phishing
As we’ve seen, phishing is a serious threat to any connected company. It’s more successful and effective than other digital attacks, and it’s easier to orchestrate, too. So how can you help protect your company against this threat?
To protect your business accounts against phishing, you need multiple defenses. The first defense is phishing awareness training. Training is important, because the strongest firewall in the world can’t wholly stop your employees from giving away information. It’s incumbent on your team to make good choices. Therefore, it’s incumbent on you to provide proper training. Conduct regular training with your team on how to spot and avoid phishing attacks. Add it to your onboarding process as well. And then conduct regular tests to be sure your team is putting its training into use.
A second defense is 2-factor or multi-factor authentication (2FA/MFA). 2FA/MFA makes it significantly harder to get into your accounts. If 2FA or MFA is enabled, then the hacker needs more than just a username and password to get in. They also need a security code that is either texted to your phone or obtained through a code generator app. This additional line of defense matters, because even with the very best training, at some point, someone will fail to recognize a phishing attempt.
A third defense is the use of a password manager. A good password manager will provide a password generator, permission-based shareable vaults, and an easy-to-use method of accessing and storing passwords. The password generator helps reduce reuse and increase password complexity. Vaults provide secure sharing of credentials among team members. How the password manager helps defend against phishing is two-fold. First, you can quickly identify all accounts that use the same or similar to credentials to the stolen ones. Second, you can encourage habits among your team that prevent more than one set of credentials ever being stolen by a phisher.
At Southeastern Technical, assisting our clients with phishing training and testing is part of how we keep our clients’ data and businesses protected. We stay up to date on the latest cybersecurity trends, and we pass along those insights to keep your team safe. Wondering if your team is susceptible to a phishing scam, or worried about other aspects of cybersecurity? Try out our free phishing simulation with your team or get a free cybersecurity assessment for your business.