Phishing Explained: Don't Get Hooked | Blog | ThreatWarrior

Phishing Explained: Don’t Get Hooked


If you have an email account, it’s likely you’ve experienced a phishing attack.

Simply put, a phishing attack is when a person with nefarious intent sends you an email that appears to be from a company or person you know. The text of the email often warns that there is a problem with your account that needs your attention and a link is provided.

When you click on the link, you are taken to a website with an official-looking logo of the organization that supposedly sent you the email. The page appears authentic, but it is not. You are asked to provide your username and password so you can access your account and settle the issue the email describes. However, when you log in, the information does not go to the company. Instead, it is sent to the individual who sent you the email. (One example is the phishing scam that hit Gmail users in 2017.)

Now that person has what they need to access your real account. What’s more, sometimes the phony website also contains malicious code that compromises your device when you click the link.

Also, be aware that phishing emails can include malware attachments that can infiltrate your systems if opened.

Types of Phishing Attacks

There are three types of phishing attacks – phishing, spear phishing and whale phishing.

Phishing is a broad term for any attack like the one described above. These attacks are impersonal and usually sent to a mass audience.

A spear phishing attack is more personalized than plain phishing attacks. This makes it more convincing and increases the chances of the recipient taking the bait. This type of phishing requires that the attacker research the target (some quick Google searches and public profile scanning can turn up much more than you think) to present themselves as a familiar entity.

Lastly, a whale phishing attack targets high-profile executives of a company, including the CEO, the CFO or others who have unrestricted access to sensitive information. These attacks are designed to look exceptionally corporate and critical, with the masquerading website or email taking a more serious tone.

Identifying A Phishing Attack

If you are cautious and observant, you should be able to identify phishing emails. Common signs of these emails include:

  • Generic greeting instead of using the recipient’s name
  • Requests for personal information that most legitimate companies would not ask for
  • A request for an urgent response making a recipient believe that their account is in peril or they will lose access to important information if no immediate action is taken
  • Inauthentic links that lead to phony websites
  • Messages with many spelling and punctuation errors
  • A sender address that is similar to, but not the same as, the real company’s email address

Ways To Protect Yourself From A Phishing Attack

If you suspect you’re the target of a phishing expedition, hover the cursor over the link or business logo in the email to confirm your suspicions. A pop-up bar will appear that provides the website address that’s linked. If it is unfamiliar and directing you to an unofficial domain, do not click on it.
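The hover check and several of the indicators listed above can also be applied automatically when triaging reported mail. The following is an added example, not part of the original post; the trusted domain `mybank.example`, the keyword lists and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = "mybank.example"  # assumption: real domain of the claimed sender
CUES = {  # constructed keyword lists, not exhaustive
    "generic greeting": re.compile(r"\bdear (customer|user|account holder)\b", re.I),
    "urgent request": re.compile(r"\b(urgent|immediately|suspended|within 24 hours)\b", re.I)}

class Links(HTMLParser):  # collects (href, visible text): what hovering reveals vs. what is shown
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def belongs_to(host, domain):  # exact domain or a true subdomain, never a look-alike
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def phishing_indicators(raw):
    msg = message_from_string(raw)
    body = msg.get_payload()  # assumes a single-part HTML message
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    hits = [] if belongs_to(sender, TRUSTED) else ["sender domain mismatch"]
    hits += [name for name, rx in CUES.items() if rx.search(body)]
    parser = Links()
    parser.feed(body)
    for href, text in parser.links:
        target = urlparse(href).hostname  # where the link really goes
        shown = urlparse(text).hostname if text.lower().startswith("http") else None
        if not belongs_to(target, TRUSTED) or (shown and shown != target):
            hits.append(f"link leads to {target}")
    return hits

SAMPLE = (  # constructed message using reserved example domains
    "From: MyBank Support <support@mybank-alerts.example>\n"
    "Content-Type: text/html\n\n"
    "<p>Dear Customer, your account will be suspended unless you act immediately.</p>"
    '<a href="http://mybank.example.account-check.test/login">https://mybank.example/login</a>')
```

Calling `phishing_indicators(SAMPLE)` returns the list of indicators found. The domain comparison works on the full hostname suffix, so a link whose address merely begins with the trusted name is still flagged.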

Here are other things you can do to protect yourself:

  • Communicate personal information only by phone or secure website
  • Do not click on links, download files or open attachments in emails from a sender you do not know
  • Beware of emails that ask for personal information and that include links
  • If you receive a suspicious email, call the real company or person who supposedly sent it to confirm it is not a phishing attack
  • Never provide personal information in a pop-up screen
  • Do not click on links that appear in a pop-up screen
  • Include a firewall, spam filter, anti-virus and anti-spyware software on your computer
  • Check online accounts and bank statements periodically to ensure that no unauthorized transactions have been made
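  • Only give personal information on websites that are secure. Website addresses that start with “https” use an encrypted connection, but the prefix alone does not prove the site is genuine, so also check that the domain is the official one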
  • Verify website security certificates
  • If you have doubts about an email’s authenticity, do not click links or open attachments

Ways To Protect Your Business From A Phishing Attack

If you are a business leader and suspect your organization could be the target of a phishing attack, take the following precautions:

  • Educate all employees – including executives – on how to identify phishing attempts
  • Initiate mock phishing attacks to test employees
  • Make certain that executives of the company have little if any personal information on public profile pages (this helps prevent whaling)
  • Flag emails that come from outside the company network
  • Executives who receive emails requesting money or information that is not commonly communicated via email should call the stated sender to verify authenticity

Phishing attacks may seem scary, but it’s all about staying alert. As long as you are observant and cautious, you should be able to identify attempts. And remember, people are the weakest link in your security chain. If you are a business leader or owner, make sure to educate all employees on how to avoid falling victim to a phishing attack.
