From whaling to vishing, phishing can come in many confusing forms. In this guide, we unpack this method of cyber attack and explore how to defend against it.

Share this Blog post

Ever heard of vishing? How about smishing? Whaling? Ok, we’ll stop there. When it comes to this particular method of cyber attack there are plenty of different variations and offshoots.


Despite the humorous name, however, phishing can have some pretty serious consequences for businesses if left undetected. From data breaches and identity theft to financial losses and reputational damage, a successful phishing attack can bring even the strongest business to its knees.


In this blog, we investigate what phishing is, how it works, and how your business can best defend itself against this form of cyber attack.

 

What is phishing?

‘Phishing’ refers to a specific method used by cybercriminals to trick individuals into divulging sensitive or important information by sending fraudulent messages pretending to be someone else. Anything from financial data and classified information to private passwords is at risk from this form of cyber attack — essentially, anything that will give a malicious outsider a ‘way in’ to a business.


This is where the term “phishing” initially came from as this method of cyberattack essentially ‘fishes’ for sensitive information, passwords, and usernames from a sea of users — with only a few successes among many attempts.


This method involves an individual (the cybercriminal) posing as a trustworthy or well-known individual or stakeholder in order to gain the trust of their victim or victims. Usually, attackers pose as a company CEO, a bank, or a similar reputable organisation.


How does phishing work?

Phishing involves the creation and circulation of fraudulent emails and/or messages to a business or person pretending to be someone known to them. The hope is that the receiver will fall victim to the social engineering techniques in the email and share the information or click on a link that downloads malware or a virus onto the computer to steal data.


Social engineering & phishing

The reason phishing is so effective is its leveraging of social engineering in a cybercrime context. Social engineering refers to the use of deception tactics to manipulate individuals into giving out their information for fraudulent or criminal purposes.


Phishing attempts utilise social engineering to gain the information needed to do damage to a company — such as gaining access to its systems or banking accounts. The individuals responsible for the phishing attempt usually create a false sense of urgency in order to coax information out of their victims. At a basic level, a simple phishing email might look something like this:


“Hi, it’s me [insert name of someone the victim knows], I’ve been locked out of [insert company system], can you share the details with me again?”


The future of phishing

Just as cybersecurity is evolving, so are the methods of cybercriminals. Now, thanks to advancements in things such as artificial intelligence, cybercriminals are able to produce increasingly convincing phishing emails. For example:


●      Deepfake technology can make it look like someone at a company has sent a video of themselves asking for sensitive information or doing something compromising that could be used as blackmail.


●      Generative AI tools that help with writing can be used to enhance the content of phishing emails to make even long-term, well-educated employees fall victim to them.


So, now more than ever, it is essential that businesses arm themselves against phishing attempts — understanding what they are, how sophisticated they can be, and (most importantly) how to protect themselves against them.




The different types of phishing

Before we launch into how your business can defend itself against this ever-developing form of cybercrime, it’s a good idea to get to know it in its many forms first.


So, below, we have detailed the most common types of phishing attacks to help you know what you're dealing with and spot even the most subtle of attempts.


1.   Spear phishing

Phishing itself, we’ve covered, refers to a broader umbrella term of using fraudulent material, social engineering, and posturing to obtain sensitive information.


Spear phishing is a much more targeted form of attack. Under this method, a particular group of individuals — such as employees of the same company or residents in a certain area — are targeted.


2.   Vishing

This method of phishing is conducted through voice calls — hence the “v” instead of the “ph”. This is where an attacker will obtain a targeted list of phone numbers (or call at random) and ring individuals pretending to be someone else in order to gain their sensitive data, credit card information, and so on.


One of the most common vishing forms is someone saying they are calling from a corporation like “Microsoft” to inform businesses or individuals that they have detected a virus on your computer and need credit card details to install an antivirus program.


If successful, the attacker not only has your details and access to your bank, but they also likely have installed malware onto your computer that can steal yet more data.


3.   Smishing

Another clever name, smishing is a type of phishing attack that uses text messaging or short message service (SMS) as its method — hence the name.


This usually relies upon individuals clicking a link or replying to an SMS message with valuable data. As such, it often involves criminals posing as a banking company with the excuse that your account has been compromised and requires re-verification of your details and so on. If completed successfully, the attacker can gain access to your bank account, locking you out — all thanks to a simple text.


4.   Whaling

Finally, we have whaling. Similarly to spear phishing, this is a specific targeted attack — but, as the name suggests, it’s exclusively aimed at bigger fish.


Whaling is when cybercriminals use phishing to go after high-profile individuals, for example, CEOs, CFOs, or any directors of a company. Usually, this takes the form of a fraudulent legal threat facing the company in an attempt to get them to take action, click a link, input their details, or share the email with other members of their team.


Often, the links are infected with malware and direct the victim to a page that further damages their computer. The stakes are high with this method, but the payoff is big as, if successful, the attacker now has direct access to the data of the most important person(s) in a business and can use this to their advantage.


Protecting your business from phishing

So, how can you make sure that your business doesn’t fall victim to phishing attempts?


Recognising phishing attempts

So, now that you know what phishing is, how can your business stay safe? One of the most important things is to know what to look for. Since phishing almost always relies on external messages or emails being sent to you or your employees, it is vital that your entire workforce is educated on what to be aware of.


Here are just a few of the red flags to keep an eye out for to avoid becoming a victim to phishing emails or texts:


●      Unexpected emails from unknown senders

●      Mismatched or ‘dodgy’ URLs

●      Grammatical errors and spelling mistakes in emails

●      Unusual font choices and font colours

●      Large attachments or images you weren’t expecting

●      Generic greetings that don’t match what you’d usually receive

●      ‘Pressure tactics’ that try to evoke a sense of urgency. Would the CEO really ask you for data via email immediately?

●      Requests for personal information or data the real sender would already have access to via password sharers.


Staff cybersecurity training

Phishing is a form of cyberattack that targets individuals and preys upon human error. So, in order to keep your business safe, you need to educate the humans who work there. According to IBM, over 95% of cybersecurity incidents originate in human error, illustrating how essential staff training truly is to business integrity.


Make sure your staff understand the importance of cybersecurity. Can they identify phishing emails? Do they know how to report and escalate any phishing-related issues they may come across? Are they briefed not to click suspicious links or input sensitive data?


On a wider level, does your business undergo regular staff training to ensure high levels of cybersecurity competence and digital literacy despite team changes? Read another of our blogs to find out more about cybersecurity awareness training.


Cybersecurity improvements

Going hand in hand with staff training comes the actual bolstering of your organisation’s digital infrastructure in order to protect it from phishing attacks.


Ask yourself the following questions about your business. If the answer to any is “no”, then there is more you could be doing by means of cyber defence for this method of attack.


●      Are your software and security systems updated?

●      Do you use strong, unique passwords?

●      Do you use two-factor authentication?

●      Do you invest in and use email filtering tools that can send suspicious emails to spam?

●      Do you have an in-company verification process for requesting sensitive information?

●      Do you have an up-to-date GDPR policy that all of your staff are aware of?

●      Do you regularly monitor the security of financial accounts and personal data?

●      Have you performed penetration testing? (This is a mock cyberattack to see how far a cybercriminal or malware would get into your system)

●      Do you have antivirus software and firewalls installed?

●      Have you looked into phishing simulation tools?

●      Do you have advanced threat protection solutions?


Need help with your IT security?

Need help navigating the intricacies of phishing? Keen to learn more about this method of cyber attack so that you can better protect your business? Contact our team of experts to find out how our managed IT support and security services can help you.


And, in the meantime, jog your memory on GDPR and cybersecurity best practices over on the ITRM blog.

Share this Blog post

Related Articles

5 Steps to Implement Vulnerability Management into your Business

5 Steps to Implement Vulnerability Management into your Business

Discover how you can implement vulnerability management into your business with our useful guide.

9th August 2024
Protect Your Mission: The Importance of Cyber Security for Charities

Protect Your Mission: The Importance of Cyber Security for Charities

In this blog, explore the current cyber threat landscape, why charitable organisations are at risk and how to protect your charity/not-for-profit so you can continue your mission...

30th May 2024
Visit our blog for more articles like these

Your privacy

By clicking “Accept all cookies”, you agree ITRM can store cookies on your device and disclose information in accordance with our Cookie Policy.

Cookie Settings

When you visit any of our websites, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and manage your preferences. Please note, blocking some types of cookies may impact your experience of the site and the services we are able to offer.