If you’ve ever been fishing, you know how it feels to bait a hook or use a lure to imitate the movements of a real fish.
Well, now imagine that you are the fish, and cyber attackers are phishing in your inbox. Their messages will imitate brands or people you know and trust, all to entice you to take the bait.
While you might think you can spot the hook, just remember, so did every fish you’ve ever caught.
Read our guide to phishing cyber attacks, including how to spot them, and how to protect yourself from them.
What are Phishing Cyber Attacks?
Phishing cyber attacks are a type of social engineering attack that steals a victim’s personal information through deception. Victims unintentionally share their information with attackers when they interact with communications that appear to be from someone else.
Phishing criminals imitate close friends, financial institutions and even government agencies. Their fake messages often contain psychological triggers that undermine the victim’s rationality.
How Dangerous are Phishing Cyber Attacks?
According to the Notifiable Data Breaches Report 2021, data breaches have risen by 6%. 55% of those breaches were a result of criminal attacks, 32% of which were phishing scams. That’s a lot of attacks!
Phishing scams were responsible for the largest number of malicious data breaches. Unfortunately, with new methods of digital communication being invented all the time, they are likely to continue being one of the most serious cybersecurity threats.
Another thing that makes phishing dangerous is the delay between your details being compromised and you noticing and taking action. Unlike ransomware attacks that withhold or destroy data, phishing scams often have no visible effect on the victim at first.
In one notable case, a hacker gained access to an email account and lurked for 120 days before intercepting a $40,000 payment. Phishing attacks often unfold in two stages: the hacker gains entry into a network or account, then waits for the perfect time to strike.
Often, the consequences of unnoticed cyberattacks get worse over time. So when phishing scams finally cause damage, it is often a lot of damage!
What Types of Messages can be Affected by Phishing Scams?
Phishing attacks are possible in most forms of digital communication. If you’ve ever received an SMS asking you to click a suspicious link, or you’ve received a friend request on Facebook from someone you are already friends with, you’ve likely experienced a phishing message.
Phishing messages can imitate:
- SMS messages
- Social media messages
- Website addresses
- Wi-Fi networks
Depending on the hacker’s level of skill, these trap messages range from being indistinguishable from what they are imitating, to being really sloppy and obvious. The trick to avoiding them is to understand the different tactics and schemes that phishing scammers use.
Common Phishing Tactics
When you make a decision, there are two modes you can be in. The first is a more primal, reactionary one. It’s useful for spotting and running from a predator, or swerving away from a car that pulls into your lane. But it isn’t great for evaluating whether an email is genuine or not.
The second mode is more long-term and logical. It’s the mode you might be in if you are comparing phone plans or deciding whether to take a job or not. Scammers use emotional triggers to keep you in the first mode. Remember, they want you to react impulsively.
While every phishing cyber attack is different, there are four main tactics that phishing scammers use to lower your defences. These tactics don’t have to be used separately; they are actually more powerful when combined.
A Common Example
You’ve probably received emails or SMS messages claiming to be from a computer software company. They’ll usually tell you your computer is ‘compromised’ or ‘infected’ and you’ll need to give them access or pay to download their antivirus before it’s too late.
We’ll use one of these phishing scams as an example to demonstrate the different tactics at play.
Creating a Sense of Urgency
The first emotion these messages are designed to evoke is fear and panic. Suddenly finding out that your device has been hacked will make you desperate for a quick solution which the hacker conveniently provides. Ironically, it’s the fear of being hacked that lowers your defences to the real hacker.
Without the sense of urgency, you might take a few days to find the best antivirus, or decide to deal with it later, call the real company and expose the hacker. To prevent that, messages use assertive language like ‘act now’, ‘don’t delay’ and ‘before it’s too late’ to force an impulsive decision.
This makes you feel like you don’t have a choice but to follow their directions. Then, once you pay for an ‘antivirus’, or give them remote access to your computer, they can steal your payment details and personal information.
Exploiting Familiarity or Trust
Another crucial part of these messages is who they pretend to be. Microsoft, Apple, or notable antivirus companies are all brands that most victims know and trust. These scams are usually sent in bulk, so simply by probability, if they claim to be from Microsoft, a large percentage of recipients will own a Microsoft device.
At this stage, you have a brand that you are familiar with and trust, telling you to take urgent action. That’s pretty compelling!
Exploiting a Lack of Knowledge
One thing that might save you is knowledge. If you are more tech-savvy, you might know how to check your computer yourself, or know that companies will never reach out to alert you to a compromised device.
The problem is that for people who can’t check things for themselves, especially elderly people, this lack of knowledge makes phishing scams even more effective.
Think about a visit to the mechanic. If you don’t know anything about cars, you have to trust what the mechanic says. When we lack the knowledge ourselves, it’s natural to defer to the authority of someone who says they have it.
Targeting People in Compromised Positions
Even if someone knows how to look out for all of the above, they can still find themselves in a situation where they lower their guard. For the victims of the recent Optus cyber attack that stole information from thousands of Australians, fear of being hacked could make them more susceptible to phishing scams.
For example, SMS and email phishing scams targeting the victims have been on the rise. These claim to be from Optus or the Australian government, and range from alerting the victim that they have been hacked, to offering to replace their compromised identification documents for a ‘fee’.
Given the uncertainty that many people have felt since the massive breach, these messages combine all four of these phishing tactics and pose a serious risk.
Well-Known Phishing Schemes
Now that you know how to spot the tactics used by phishing cyber attackers, it’s time to learn the common schemes as well.
Ambulance chasing is most commonly used in the wake of a disaster or crisis. For example, many Australian victims of the mass flooding in May 2022 fell victim to ambulance chasing schemes. Messages offering fake insurance claims or requests for charitable donations were rife, and targeted victims in states of extreme desperation and stress.
Bulk phishing campaigns don’t target based on the victim’s details, they simply send out generic emails or texts and see what they can get. This scheme is the closest to the fishing comparison, because scammers are basically throwing a line out and seeing who they reel in.
These messages will copy a well known brand, like a popular streaming service, and the message will usually be something fairly simple, like requesting that payment details be updated. These campaigns are low effort and low cost to the hackers, so they don’t need to trick many people to get a return on their investment.
If you’ve ever been spear fishing, you’ll know that you want to let the smaller fish swim by while you search for a bigger target, and when you find it you need to be incredibly accurate.
Spear ‘phishing’ is the same concept. Spear phishers only care about their target, not any other people that they haven’t done their research on.
Spear phishing is most commonly used when a hacker is trying to infiltrate the communications of an organisation. They’ll single out a vulnerable employee and send a personally tailored message posing as another member of that organisation, or a partner organisation.
Since the messages appear to come from an internal source, and include specifics about the recipient, they are one of the most persuasive and effective forms of phishing schemes.
One of the most successful examples of spear phishing was the case of a man creating a fake computer manufacturing company and invoicing Facebook and Google employees for $100M over three years. The money was then deposited into his own accounts.
Whale phishing is similar in concept to spear phishing, but rather than targeting an employee, it targets the boss. Whether that’s the CEO or an equivalent position, it has a higher earning potential for the hackers because the boss has greater executive authority.
Perhaps the most costly whaling attack in history was the loss of over 70M euros at the Crelan bank in Belgium. The CEO’s work email was infiltrated through a whale phishing scam, and was then used to order an employee to transfer the money to the hacker’s account.
How to Protect Yourself From Phishing Cyber Attacks
There are a number of ways you can protect yourself from phishing attacks, from properly educating yourself and your team, to software solutions.
The first step is to use the information in this article to slow down and evaluate any communications you receive, no matter how ‘urgent’ they seem.
Check links, logos and addresses, and look for anything suspicious. Does the URL contain the business name, and does your browser show the site as authenticated? Is the person emailing you someone you’ve never seen or heard of at work before? These are all questions you should be asking.
Even with this vigilance, technology advancements make phishing scams more convincing every year. So your golden rule should be to never transfer money or provide your card details unless you can cross-reference the payment. If you are ever in doubt, give the person or organisation a call to confirm.
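As an added example (not code from the article or from OneCloud), here is a small Python check that applies the URL questions above: it parses a link, works out which domain was actually registered, and warns when a known brand name appears anywhere other than that brand’s real domain, or when the link is not HTTPS. The brand allowlist, the short public-suffix stand-in and the sample links are assumptions constructed for the demo.

```python
from urllib.parse import urlparse

# Assumed allowlist for the demo: brand keyword -> the domain that brand really uses.
KNOWN_BRANDS = {"microsoft": "microsoft.com", "optus": "optus.com.au"}

# Tiny stand-in for the Public Suffix List (assumption: a real check uses the full list).
MULTI_PART_SUFFIXES = {"com.au", "net.au", "gov.au", "co.uk"}


def registrable_domain(hostname: str) -> str:
    """Return the part of the hostname that somebody actually registered.

    'login.optus.com.au' -> 'optus.com.au'; 'a.b.example.com' -> 'example.com'.
    Everything to the left of this is chosen freely by whoever owns it,
    so a brand name appearing there proves nothing.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_url(url: str) -> list[str]:
    """Return human-readable warnings for a link; an empty list means none fired."""
    warnings = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    netloc = parsed.netloc.lower()  # includes any "user:pass@" prefix
    domain = registrable_domain(host)

    if parsed.scheme != "https":
        warnings.append("not https: the browser will not authenticate this site")
    if parsed.username is not None:
        warnings.append(f"text before '@' is ignored; the real host is '{host}'")

    for brand, official in KNOWN_BRANDS.items():
        # A brand name in the subdomain, userinfo or path is not the brand's domain.
        if brand in netloc or brand in parsed.path.lower():
            if domain != official:
                warnings.append(
                    f"mentions '{brand}' but the registered domain is "
                    f"'{domain}', not '{official}'"
                )
    return warnings


if __name__ == "__main__":
    # Constructed sample links for the demo, not real phishing URLs.
    for link in ("https://login.microsoft.com/", "https://example.com/optus/verify"):
        print(link, "->", inspect_url(link) or "no warnings")
```

A brand name turning up in a link is not on its own evidence that it is genuine; what matters is the registered domain the browser will actually connect to.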
Security Awareness Training
While you may be aware of phishing scams, your team might not be. Make sure you educate your team on the risks and warning signs of phishing cyber attacks. If you don’t feel capable of doing this, an IT company can help educate your team for you. They’ll run phishing simulation campaigns and specific online training to educate employees.
Most fraudulent emails will be filtered out by installing spam filters. You can install one yourself, either through free or paid versions, or an IT company can install it for you.
One Central Coast business was operating without a spam filter and was receiving large numbers of phishing emails. The team weren’t educated enough on the risks of phishing cyber attacks, and it was just a matter of time before someone clicked a suspicious link. With spam filters in place, and some thorough educating, the risk of a data breach was greatly reduced.
Contact an IT Company
To find true peace of mind, the best way to protect yourself and your business is with an IT company. They’ll identify areas for improvement in your team’s behaviour and your software setup.
OneCloud IT Solution provides sophisticated cybersecurity based on the Essential 8 model recommended by the Australian government. We’ll conduct a complete audit to find any vulnerabilities in your existing solutions, and we’ll fix and enhance them.
Feel assured that you are protected from phishing cyber attacks, as well as the other forms of malicious data breaches. If you’d like to enquire about our service, get in touch with us today.