What is phishing?
Phishing is one of the most prevalent cyber threats to UK businesses. A recent UK government survey found that out of the 39% of UK businesses that identified a cyber attack in the last 12 months, 83% reported phishing attempts were the source.
Phishing is a type of social engineering, aimed at attempting to gather important credentials. These usually include email addresses and passwords, as well as other private information such as credit card numbers. Attacks are usually delivered via email, text message, instant message or phone call. Attackers pretend to be someone they are not in an attempt to trick victims into sharing sensitive information.
Phishing attacks can lead to a huge impact on businesses. Whether it’s loss of customer data, malicious access to confidential documents or direct business disruption, the repercussions can be devastating.
However, phishing has evolved beyond malicious links hidden in spam emails to become far more targeted and therefore threatening to businesses. Understanding the different types of phishing attacks is the first step in protecting your business from them.
Types of phishing explained
The most common type of phishing is email phishing, which is seen everywhere daily. This involves the attacker sending a fake email to the potential victim in an attempt to get them to provide information directly. Alternatively, victims can also be sent to a fake website that requests credentials for a legitimate website.
For example, an attacker might send an email from a spoofed email address which appears to the victim as Amazon Support. This email will ask the user to sign in with their Amazon credentials via a fake link. Once the user signs in with their legitimate credentials, these are sent to the attacker who will use them to log in to the real Amazon website.
Spear Phishing is a targeted form of phishing, usually carried out via email or text messages. The communications target a specific user in a company or organisation, rather than many users at once. Attackers will usually attempt to go after specific users, such as administrators. Spear phishing usually involves the attacker gathering information on the target, such as name, position and contact details which will aid them in the attempt.
Vishing is the shortened term for “voice phishing”. This method is much like other types of phishing, however, it involves the attacker attempting to steal information via phone calls instead of emails or text messages.
Tactics are remarkably similar, in which the attacker will attempt to trick the user into believing they are from a legitimate company. Attackers commonly pretend to be from banking and phone companies when carrying out these types of attacks. Their main aim is gathering bank details or selling the victim a fake contract.
Whaling, very similar to spear phishing, involves the attacker targeting a specific user. This form of phishing is primarily aimed at senior executives within a business. Whaling is digitally enabled fraud through social engineering, designed to encourage victims to perform a secondary action, such as initiating a wire transfer of funds.
This tactic tends to be more sophisticated than generic phishing emails. They carefully exploit personal information about the target while also conveying a sense of urgency within the messaging.
Evil twin phishing
Evil twin phishing is a technique that relies on the victim connecting to a fake Wi-Fi network set up by the attacker. These are typically in public spaces and act as legitimate ‘free’ Wi-Fi provided by businesses and shops, for example, Mcdonald’s. When users connect to these imitation networks, they will be asked for a username and password, gathering any information provided for malicious purposes.
How Aspire can help
At Aspire, we offer a range of managed cyber security services to combat phishing and all other types of online threats. From hosted firewalls and content filtering to advanced threat protection, anti-virus and endpoint detection and response, we will work with you to design and implement a full security solution.
We can implement tailored incident response plans, managed next-generation EDR & SIEM, e-mail protection, vulnerability management and more.