By now, pretty much everyone who uses a computer has heard about phishing scams. For the sake of clarity, however, let’s recap:
In a phishing attack (typically carried out by email, but also increasingly by text messages and other communications channels), the hacker sends messages that are designed to look like they come from someone you have a business relationship with—a bank or other financial service company, the government, your internet service provider, or what have you. The ruse is designed to persuade you to provide information, such as online banking credentials or email account credentials.
Phishing vs. Spoofing vs. Spearphishing
Phishing is similar to spoofing in that they both rely on misrepresentation. However, the goal of a spoofing attack is to infect systems with malware of various kinds, such as viruses, spyware, botnets, and ransomware. Phishing perpetrators want information they can use to access systems and steal data, money, or both.
Both phishing and spoofing are based on social engineering, in which the hackers use threats to encourage you to respond. The threats usually are something along the lines of “You will lose access to your account if you don’t respond within 24 hours” or “Your account is locked and we need to verify your identity” or “There is a problem with your Amazon order, please log in to resolve.” Usually there is a link to a bogus website that captures the information you provide. Once you do, your troubles start almost instantly, and it can be a long, expensive process to get things right again.
A variant of phishing, called spearphishing, is more sophisticated and targeted than garden-variety phishing. Whereas regular phishing is often sent randomly to long lists of email addresses, spearphishing targets specific individuals. Spearphishing perpetrators have to do some research in advance to learn what specific victims to target, what entity to emulate, and what message will be most effective. The payoff for all this diligence can be quite handsome for the bad guys.
A Rising Tide of Phishing Attacks
Various recent surveys turn up some sobering statistics regarding phishing:
- Of businesses surveyed, 76% reported receiving phishing attack emails.
- Phishing rates are increasing for all industries and all types of businesses—small, medium, and large.
- A whopping 30% of phishing messages are opened by their victims, and 12% of users who open the messages click or tap on the response link—more than sufficient to encourage hackers to continue their attacks.
- Up to 1.5 million phishing websites are created each month.
- Perhaps the worst statistic of all: A full 97% of users are not able to distinguish a phishing message from a legitimate one.
That last statistic is important because human users are both the weak link in the cybercrime prevention chain and, often, the last line of defense keeping your systems safe. When you couple that with the fact that phishing attacks are becoming both more numerous and more sophisticated, your chances of being victimized by a successful phishing attack are close to 100%.
Yes, there are technical measures available, but they go only so far. Server- and client-side email filtering can recognize many phishing messages, but they are not 100% foolproof. Some phishing emails are bound to get through to users’ inboxes, and some legitimate email will be filtered out.
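As an added illustration of the kind of heuristic a simple email filter might apply (example code written for this page, not from the original post): it flags the urgency phrases quoted above and links whose visible text names a different domain than the real target. The sample messages and the example-bank.test domains are constructed, and the HTML parsing is deliberately simple.

```python
import re
from urllib.parse import urlparse

# Lure phrases taken from the examples quoted in the post (constructed list).
URGENCY_PATTERNS = [
    r"lose access to your account",
    r"within 24 hours",
    r"account is locked",
    r"verify your identity",
    r"problem with your .* order",
]

# Matches <a href="...">display text</a>; assumes simple, well-formed HTML.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    """Crude last-two-labels domain; sufficient for the constructed samples."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score_message(sender: str, body_html: str) -> dict:
    """Return heuristic findings for one message: urgency lures and link mismatches."""
    findings = {"urgency": [], "link_mismatch": [], "score": 0}
    text = re.sub(r"<[^>]+>", " ", body_html)  # strip tags before phrase matching
    for pat in URGENCY_PATTERNS:
        if re.search(pat, text, re.I):
            findings["urgency"].append(pat)
    sender_domain = registrable_domain(sender.split("@")[-1])
    for href, display in ANCHOR_RE.findall(body_html):
        href_domain = registrable_domain(urlparse(href).hostname or "")
        # If the link text looks like a hostname, compare against it; else the sender.
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", display, re.I)
        shown_domain = registrable_domain(shown.group(0)) if shown else sender_domain
        if href_domain != shown_domain:
            findings["link_mismatch"].append((shown_domain, href_domain))
    # Link mismatches weigh more than wording: they are the bogus-website tell.
    findings["score"] = len(findings["urgency"]) + 2 * len(findings["link_mismatch"])
    return findings


# Constructed sample messages (not real mail); note the look-alike "examp1e" domain.
PHISH = ("alerts@examp1e-bank.test",
         'Your account is locked and we need to verify your identity within 24 hours. '
         '<a href="http://login.examp1e-bank.test/verify">https://www.example-bank.test/login</a>')
LEGIT = ("newsletter@example-bank.test",
         'Read this month\'s update: <a href="https://www.example-bank.test/news">news</a>')
```

A real filter would combine such signals with authentication results (SPF, DKIM, DMARC) and reputation data; this block only shows the content-level checks.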
But that doesn’t mean you should give up. The cost of a successful attack can be quite high—in fact, many small businesses don’t survive a major cybercrime incident. So it’s worth your while to protect yourself, with a combination of preventive measures (filtering, policies, and user training) and solid response procedures in case an attack is successful.
To help you protect yourself from phishing and many other cybersecurity threats, we created our free cybersecurity checklist. Don’t wait until you’re already a victim—download your copy today.