Phishing is one of the risks that has developed in our connected world. Individuals fall prey to these schemes daily, causing significant personal and business disruption. Below, we’ll explain what phishing is, why it’s so dangerous, and how leaders can help protect themselves and their businesses from this digital threat.
What Is Phishing?
Phishing is a term that refers to any number of digital attacks that attempt to bait people into a particular action. The connection to regular fishing (with an f) is straightforward: In real-life fishing, you bait the hook with a worm or lure in an attempt to convince a fish to bite.
But in the phishing world, you’re the fish. Someone sends you digital bait, attempting to get you to bite (or, in this case, click).
The goal of most phishing schemes is to steal your login credentials (your username or email address plus the associated password). You may also encounter phishing schemes that seek your social security number or other sensitive data. These aren’t as common because the success rate is lower: people are very accustomed to logging in to a website, but they tend to be more skeptical of giving out their SSN.
You may be wondering why anyone would willingly give up this kind of information, and that’s a fair question. People don’t want to get their information stolen, just like the fish in the lake don’t want to end up on a dinner plate.
But remember that we used the term “bait.” We bait fish with the prospect of a tasty meal. And bad actors bait us with something similar: the promise of a freebie, or a dire warning about a problem we need to fix.
Now that you understand the basics of what phishing is, we’ll show you how these phishing schemes usually play out.
How Do Phishing Schemes Work?
While phishing can take many different forms, most schemes these days are predictable and email-based. In the olden days, we’d see phishing attacks originate from pop-up advertisements, but these are rare now (except for in the seedier corners of the internet). Today’s attacks most frequently take the form of emails.
Here’s how this category of phishing scheme usually plays out.
Step 1: Crafting the Bait
A bad actor somewhere crafts the bait, in the form of an email. This email will be convincing, and it will look like it comes from somewhere you trust. Often phishing emails mimic a trusted company (like Apple or Microsoft). Others impersonate an authority (like your boss or the IT department).
Step 2: The Call to Action
The phishing email will also always call you to action. Usually, using either reward (Bill Gates wants to give you $1000!) or fear (We’re afraid your account has been compromised!), the phishing email will compel you to click on a link. “Click to claim your prize” or “Reclaim your account details here” are examples of the kind of language you might encounter.
What the phishers are trying to do is short-circuit your critical thinking skills. They’re trying to get you either excited or panicked to the point that you don’t look too closely or think too hard.
It’s the online equivalent of those robocaller scammers that flood your voicemail, telling you that the IRS has a warrant out for your arrest. If you stop and think about it (or look it up), you’ll know that the IRS doesn’t even do that. But by creating a sense of urgency, the scammers short-circuit people’s critical thinking, and thousands have given up their personal information in this way.
This false sense of excitement or urgency is the first warning sign: view any email that uses these tactics with great suspicion.
Step 3: The Hook
Of course, the email isn’t from Microsoft or Apple or the IRS. It’s from a bad actor, someone who is out to steal your information. And if you click that link, you’re about to face the hook.
You’ll land on some kind of website, one that may even look pretty authentic. But it’s not legitimate. It’s an impostor. Inevitably, you’ll be asked to log in. If you do, you’ll encounter some kind of an error, like a “404 page not found.” You might give up at this point and walk away.
Even worse, you might receive a message like “your username and/or password are not correct,” leading you to try multiple passwords. As soon as you enter any information here, it’s too late. Your login credentials have gone straight into a database somewhere. The hackers have your information now. You’ve been phished.
Why Is Phishing So Dangerous?
So why is phishing so dangerous? If you suspect an account has been compromised, you can always go change the password. That will fix the problem, right?
Here’s the scary part: phishing is far more dangerous than most people realize. Here are some of the ramifications that can occur when a single employee gets phished.
Danger #1: Caching Data
A bad actor doesn’t need access to, let’s say, an employee’s corporate email account for long to do some serious damage. Within just minutes, a hacker can download the entire contents of an email inbox. This is even scarier when you consider that many corporate email accounts also have access to the provider’s cloud storage. The hacker could copy off all those files, too.
Your employee may even realize they made a mistake and change the password quickly, but the bad actor may have already gained access and downloaded data. There’s no getting control of that data again.
For weeks, even months, the hacker may continue to exploit the data they downloaded. It only takes a few seconds, but the damage can go on for some time.
Danger #2: Get One, Get Them All
You might not think it’s a big deal if one of your social media accounts gets compromised briefly. But if you’re in the 65%, it is. If your social media password matches your bank or credit card password, you could have a serious problem on your hands.
Danger #3: Personalized, Deeper Phishing Expeditions
Most phishing schemes are somewhat random, and they can do damage. But far more dangerous are what’s called spear-phishing campaigns.
Spear phishing is targeted phishing: a bad actor impersonates someone you trust in an effort to scam you or steal your information. Again, phone scams offer a great illustration. There’s a phone scam targeting the elderly where the caller claims to be a grandchild in trouble, needing bail money or some cash to cover a bill. Without the right information, this scheme isn’t terribly effective. But when the scammer knows the grandchild’s name and the city he or she lives in, it’s much more effective.
How does this usually work in the phishing world? A bad actor gains and retains access to a corporate account via regular phishing and learns enough company lingo to sound plausible. Then the bad actor then sends targeted phishing emails while impersonating the compromised employee, seeking even greater levels of access.
Danger #4: Access to Contacts, Banks and Password Resets
One other significant danger is that, with access to your email, a hacker can gain access to many other accounts.
Think back to the last time you forgot a password on a website. You clicked a button, entered your email address, and immediately received an email that let you create a new password. If a hacker gains control of your email account, he or she can do the exact same thing for any site that ever sent you a confirmation email containing your account name.
In this way, an enterprising hacker could gain access to bank, retirement and credit card logins. And once the hacker gets into those, it’s not at all hard to change billing and mailing addresses so that payments route directly to the hackers. One estimate pegs the amount of theft perpetrated using this method at $3.5 million for 2019.
How to Protect Your Company Against Phishing
As we’ve seen, phishing is a serious threat to any connected company. It’s more successful and effective than other digital attacks, and it’s easier to orchestrate, too. So how can you help protect your company against this threat?