Different Types Of Phishing Scam And How To Protect Your Business
Phishing has become part and parcel of life in the digital world. Some stats suggest that as many as 1 in 3,722 emails is a phishing attack in the UK. This might not sound all that common until you consider nearly 9 billion emails are sent every day in the UK alone.
Based on these numbers, that would mean there are around 2.5 million phishing emails sent in the UK every single day.
If you’re a business owner, phishing scams are something you need to be aware of. They are one of the most common causes of data breaches and can end up costing businesses thousands. The average cost for an SME is around £16k.
In this article, we look at the 5 most common types of phishing scams and how to safeguard your business.
Types of Phishing Scam
Bulk Phishing
As the name would suggest, Bulk Phishing attacks involve targeting many people within an organisation with the same email.
They generally involve asking the target to click a link or download something to their computer.
This then allows the attacker to steal their information or infect the user’s device with some kind of malicious software.
These phishing attacks are usually unsophisticated but can still catch people off-guard.
The most common things to look out for are suspicious email addresses that don’t match the purported sender and emails urging immediate action.
Spear Phishing
Spear Phishing differs from bulk attacks in that it is usually targeted at specific people within an organisation. Depending on the attacker, the targets can be well researched, which makes the emails easier to fall for.
This normally involves the attackers posing as an organisation or individual whom the target knows and is therefore likely to engage with.
The aim of these attacks is usually the same as that of a bulk phishing attack; they are simply carried out in a more sophisticated manner.
Whaling
Whaling is very similar to Spear Phishing, as it involves targeting one or two specific individuals. In these cases, the targets are usually senior members of a business who could be considered high-value targets.
These attacks still aim to gather sensitive information but more commonly target financial information.
These emails are usually very sophisticated and can be the hardest type to detect. Attackers are known to:
Pose as suppliers or business partners to gain trust
Follow up emails with phone calls to reinforce the apparent authenticity of the email
Pose as colleagues to establish trust.
According to the National Cyber Security Centre, the biggest financial losses from whaling attacks are in the tens of millions. Crelan Bank lost around $76 million in 2016 due to a whaling attack.
Smishing
Smishing is simply a phishing attack that happens through text messaging (SMS). While some of these attacks are relatively easy to spot, ‘spoofing’ can make them a lot harder to identify.
Spoofing is a technique that lets the sender alter the name or number shown for them on the receiving device, so a message can appear to come from a trusted contact.
This has become far more common since the coronavirus pandemic. Smishing attacks from people posing as the NHS or vaccinators asking for individuals to make payment for either COVID-19 tests or vaccines caught many people off-guard.
Vishing
Vishing is a type of phishing attack that relies on voice messages. If you’ve ever had one of those strange, robotic voicemails saying you owe HMRC money, you’ve been targeted by a vishing scam.
Protecting your business
The most effective way of protecting your business is through the education of your employees and staying aware of phishing as a constant threat.
According to Microsoft, the most common things you should teach your staff to look out for are:
Links or URLs provided in emails don't go to the correct site or are pointing to a third-party site not affiliated with the sender of the email.
There's a request for personal information such as bank details or financial information.
The sender's email address is altered so that it looks similar enough to a legitimate address to pass at a glance, but has added numbers or changed letters.
The message is unexpected or unsolicited. If you suddenly receive an email from an entity or a person you rarely deal with, consider the email suspect, even if that person is someone within your organisation.
The message or the attachment asks you to enable macros, adjust security settings, or install applications. Normal emails won't ask you to do this.
The message contains spelling or grammatical errors. Legitimate emails are less likely to have typographic or grammatical errors or contain wrong information.
The sender’s email address doesn't match the signature on the message itself. For example, an email is purported to be from Jack at Personnel Checks, but the sender address is john@example.com.
There are multiple recipients in the "To" field and they appear to be random addresses.
The greeting on the message itself doesn't personally address you.
The website looks familiar but there are inconsistencies or things that aren't quite right. Warning signs include outdated logos, typos, or requests for additional information that legitimate sign-in websites do not ask for.
The page that opens is not a live page, but rather an image that is designed to look like the site you are familiar with. A pop-up may appear that requests credentials.
Vigilance is key when it comes to phishing. It may seem minor but as many businesses have found out, it can cost far more than expected!