What is Phishing, and How Can I Protect Myself?

Cybersecurity Stephen
7 min read, May 27, 2024


Digital representation of Phishing — NightCafe (by author)

Phishing (pronounced ‘fishing’) is fraudulent communication that appears to come from a reputable source, generally through email, which aims to steal sensitive data like login information or credit card details.

Phishing is a form of social engineering: rather than defeating a technical control, the attacker persuades an institution or individual to hand over sensitive information, using a small set of recurring techniques. Educating yourself and your peers goes a long way toward keeping these attacks from succeeding.

Spear phishing is a highly targeted variant: the attacker researches a specific person or organization and tailors the email to them, which makes it far harder to spot than a mass mailing. These attacks are becoming more prevalent against businesses and individual users around the world.

Every attacker has different motivations, but ultimately the goal is to extract personally identifiable information (PII) and/or login credentials and then use them for fraud.

Phishing Statistics

-The most commonly seen type of BEC (business email compromise) attack is the spoofed email account (71%), followed by spear phishing (69%)²

-Almost 1 out of 3 organizations (30%) state that more than 50% of links received via email lead to a malicious site²

-57% of malicious links in phishing emails intend to steal credentials²

-43% of organizations have experienced a security incident in the last 12 months, with 35% stating that BEC/phishing attacks account for more than 50% of the incidents²

-71% year-over-year increase in cyberattacks that use stolen or compromised credentials³

-32% of cybersecurity incidents involved data theft and leakages³

-In 2020, 6.95 million new phishing and scam pages were created; the busiest single month saw 206,310 new sites

-From March to July 2020, during the initial lockdown phase in the U.S., phishing URLs targeting Netflix jumped 646%. Other popular streaming services saw similar spikes at corresponding times.⁵

-By the end of 2020, 54% of phishing sites used HTTPS. The lock icon in your browser’s address bar only means the connection is encrypted; it says nothing about who is on the other end, so it is no longer an adequate way to gauge whether a website is legitimate.⁵

-More than 80% of cybersecurity professionals state that phishing attacks represent a top security concern.⁷

-The global average cost of a data breach in 2023 was 4.45 million USD, a 15% increase over 3 years.⁸

-Identity deception threats are rising — and millions of them “passed” SPF, DKIM, and DMARC checks.⁹

[Charts from the cited reports: Most Common BEC attacks²; Most Common BEC impersonation attacks²; Percentage of malware detected delivered via email²; Intentions of Malicious Sites²; Departments most targeted by spear phishing²; Results of a security incident²; Traffic on the Internet in 2020⁶; Top 20 Countries targeted by phishing emails in 2022⁷]

These statistics tell us that malicious attacks, especially phishing and spear phishing, are becoming more common, and we need to prepare ourselves and our businesses to repel them. Finance, the CEO, and IT need to be especially alert, as they are the most targeted. And more than ever, automated bad bots are working to harvest your data.

Bad bots interact with a site the same way a legitimate user would, but at machine speed, which enables high-volume abuse, misuse, and attacks on websites, mobile apps, and APIs. Bad bot operators perform a wide range of malicious activities such as web scraping, competitive data mining, personal and financial data harvesting, brute-force login, digital ad fraud, spam, and transaction fraud.⁶

With SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance) in place, one might assume phishing attempts will be stopped before they reach a user’s inbox. But these checks only verify that a message was sent by a server the domain in its headers has authorized, and that it was not altered in transit; they say nothing about whether that domain is trustworthy. An attacker who registers a lookalike domain and publishes valid SPF, DKIM, and DMARC records for it passes all three. According to Cloudflare’s 2023 Phishing Threat Report, identity deception threats are getting more complex and passing these checks.⁹ Many of our automated safeguards are being sidestepped, so it’s imperative to arm yourself with knowledge and apply diligence when checking and responding to your email.

9 Most Common Signs in a Phishing Email

  1. Unfamiliar Tone or Greeting
  2. Grammar and Spelling Errors
  3. Inconsistencies in Email Addresses, Links, & Domain Names
  4. Threats or Sense of Urgency
  5. Suspicious Attachments
  6. Unusual Request
  7. Short and Sweet
  8. Recipient Didn’t Initiate the Conversation
  9. Request for Credentials, Payment Info, or other Personal Information¹
Most Common Signs of Phishing in Emails¹

What about the 10th item? Well, it’s not really a sign, but more a call to action. If you think something looks phishy, report it immediately. Even if it turns out to be legitimate, it’s better to be safe than sorry, especially at work, where a successful data breach can cost the company millions of dollars.
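Sign 3 (inconsistencies in addresses, links, and domain names) and the SPF/DKIM/DMARC caveat above are both mechanical enough to check in code. The script below is an added example, not code from the article or from any of the cited vendors. It parses a raw email with the Python standard library, reads the receiving server’s Authentication-Results header, and then asks the questions those checks do not: does the From domain imitate a brand we trust, does the Reply-To go somewhere else, and does the visible link text match where the link actually points. The message, the domains, and the TRUSTED allow-list are all constructed for the illustration; the “registrable domain” helper is a deliberate simplification (last two labels) and is wrong for suffixes like co.uk.

```python
# Heuristic checks for sign 3 above (inconsistent addresses, links and domains)
# over a raw RFC 5322 message, standard library only. Added example, not the
# article's own code; the domains and the message below are constructed.
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brand domains this mailbox legitimately hears from.
TRUSTED = {"example.com"}

# Constructed sample: the attacker registered examp1e.com and published valid
# SPF/DKIM/DMARC records for it, so the receiving MTA reports pass for all three.
SAMPLE = b"""From: "Example Support" <alerts@examp1e.com>
Reply-To: recovery-desk@mail-collect.net
Subject: Urgent: verify your account within 24 hours
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=examp1e.com;
 dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be locked. Verify now:
<a href="https://login.examp1e.com/verify">https://www.example.com/verify</a></p>
</body></html>
"""

URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

def base_domain(host: str) -> str:
    # Registrable domain approximated as the last two labels (wrong for co.uk etc.).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def levenshtein(a: str, b: str) -> int:
    # Edit distance, to catch typo-squats such as examp1e.com vs example.com.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str, trusted=TRUSTED):
    # The trusted domain that `domain` imitates: within two edits of it, or its
    # brand label embedded under a different registrable domain. None if clean.
    for t in trusted:
        if domain != t and (levenshtein(domain, t) <= 2
                            or (t.split(".")[0] in domain and base_domain(domain) != t)):
            return t
    return None

def auth_results(msg) -> dict:
    # spf/dkim/dmarc verdicts from the receiving MTA's Authentication-Results header(s).
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        verdicts.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr)))
    return verdicts

class LinkExtractor(HTMLParser):
    # Collect (href, visible text) for every <a> in the HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyze(raw: bytes, trusted=TRUSTED) -> list:
    # Human-readable findings; an empty list means no sign fired.
    msg = email.message_from_bytes(raw, policy=policy.default)
    dom = lambda h: parseaddr(str(msg.get(h, "")))[1].rpartition("@")[2].lower()
    from_domain, reply_domain = dom("From"), dom("Reply-To")
    findings = []
    target = lookalike_of(from_domain, trusted)
    if target:
        # A pass here proves the mail came from examp1e.com and was not altered;
        # it does not make examp1e.com the brand it resembles.
        passed = all(auth_results(msg).get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
        findings.append(f"From domain {from_domain} imitates {target}"
                        + (" yet passes SPF/DKIM/DMARC for itself" if passed else ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            if URLISH.match(text):  # visible text looks like a URL: compare hosts
                shown = urlparse(text if "://" in text else "//" + text).hostname or ""
                real = urlparse(href).hostname or ""
                if base_domain(shown) != base_domain(real):
                    findings.append(f"link text shows {shown} but points to {real}")
    return findings
```

Running `analyze(SAMPLE)` yields three findings: the From domain imitates example.com yet passes all three authentication checks for itself, the Reply-To goes to a third domain, and the link text shows www.example.com while the href points to login.examp1e.com. The point of the first finding is the one made above: SPF, DKIM, and DMARC answered the question “did examp1e.com really send this?”, and the honest answer was yes.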

Phishing Prevention Techniques

If you are working in an organization, you should use these phishing prevention techniques:

-Deploy tiered security solutions¹⁰

-Conduct regular awareness training¹⁰

-Avoid posting contact information online¹⁰

-Develop unique email address conventions¹⁰

-Deploy secure messaging platforms¹⁰

-Create and use phishing simulations¹¹

-Take down spoofed websites¹¹

-Authenticate email servers¹¹

-Institute Zero Trust Security¹¹

-Set up Access Controls¹¹

-Use encryption¹¹

-Set up Multi-Factor Authentication and Passwordless Technology¹¹

-Use anti-phishing software tools¹¹

-Filter DNS traffic¹¹
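“Authenticate email servers” means publishing SPF and DMARC records (DNS TXT records) for your domain, and the records are only as good as the settings in them. The linter below is an added example, not code from the article or from any cited source; it takes the record text as a string so it runs offline, and the four records it ships with are constructed illustrations of a weak and a hardened setup, not any real domain’s records. It flags the settings that quietly let spoofed mail through: a permissive or missing `all` mechanism, too many DNS-lookup terms (RFC 7208 caps them at 10, beyond which receivers return permerror), a monitor-only `p=none` policy, a partial `pct`, unprotected subdomains, and a missing reporting address.

```python
# Lint the SPF and DMARC TXT records you publish for the weak settings that let
# spoofed mail through. Added example, not the article's code; records are
# passed in as strings, so it runs offline. The four records below are
# constructed illustrations, not any real domain's records.
import re

WEAK_SPF = "v=spf1 include:_spf.example.net include:mail.example.org a mx ?all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=10"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

# SPF terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps them at 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(record: str) -> list:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues = []
    all_term = next((t.lower() for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term in ("all", "+all", "?all"):
        issues.append(f"'{all_term}' lets any host send as this domain")
    elif all_term == "~all":
        issues.append("'~all' only soft-fails spoofed mail; move to '-all' once reports are clean")
    lookups = sum(1 for t in terms[1:]
                  if re.split(r"[:=/]", t.lstrip("+-~?"))[0].lower() in LOOKUP_TERMS)
    if lookups > 10:
        issues.append(f"{lookups} lookup terms exceed the limit of 10: receivers return permerror")
    return issues

def lint_dmarc(record: str) -> list:
    # Tags are "k=v" pairs separated by ";"; a trailing ";" leaves an empty part we skip.
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    if "p" not in tags:
        issues.append("missing required p= tag")
    p = tags.get("p", "none")
    if p == "none":
        issues.append("p=none only monitors; receivers still deliver spoofed mail")
    elif tags.get("sp", p) == "none":  # sp inherits p when absent
        issues.append("sp=none leaves subdomains unprotected")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']}: policy applied to only that share of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: you get no aggregate reports to tune the policy")
    if tags.get("adkim", "r") == "r" and tags.get("aspf", "r") == "r":
        issues.append("relaxed alignment (the default): any subdomain of the From domain aligns")
    return issues
```

`lint_spf(STRONG_SPF)` and `lint_dmarc(STRONG_DMARC)` return empty lists; the weak pair returns the `?all` finding and, for DMARC, the `p=none`, `pct=10`, missing `rua`, and relaxed-alignment findings. The usual rollout is `p=none` with `rua` set to collect reports, then `quarantine`, then `reject`, so treat `p=none` as a starting point rather than a destination.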

But what if you are just an individual on a home network?

  • Never provide your personal information in a response to an unsolicited request¹²
  • If you believe the contact may be legitimate, contact the financial institution/corporation yourself (through verified means)¹²
  • Never provide your password over the phone or in a response to an unsolicited request¹²
  • Review account statements regularly to ensure all charges are correct¹²
  • Learn to identify and check the parts of a URL¹³
  • Let your friends know of any suspicious activity on their email accounts or contact lists¹³
  • Verify a sender’s identity before replying to emails requesting personal information¹³
  • Look for signs of a suspicious email¹³
  • Avoid donation scams¹³
  • Type in the legitimate URL of the link instead of clicking it¹³
  • Don’t automatically trust emails from friends or colleagues¹³
  • If an email demands immediate action, be skeptical¹³
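“Check the parts of a URL” is the tip above that people most often get wrong, because a URL is designed to be read by a browser, not a person. The script below is an added example, not code from the article or from Inspired eLearning; it takes a URL apart the way a reader should (the browser connects to the host, and only to the host) and names the common tricks that make the wrong part look like the destination: a trusted name placed before an `@` (which makes it a username), a trusted brand stacked as a subdomain of some other registrable domain, a raw IP address, a punycode (`xn--`) host that renders as look-alike Unicode, a plain `http://` scheme, and a non-standard port. The URLs and the TRUSTED allow-list are constructed for the illustration; `base_domain` is the same last-two-labels simplification as before.

```python
# Take a URL apart the way a reader should, and name the tricks that make the
# wrong part look like the destination. Added example, not the article's code;
# the URLs are constructed and the TRUSTED allow-list is an assumption.
import ipaddress
from urllib.parse import urlsplit

TRUSTED = {"example.com"}  # assumed: domains the reader actually logs in to

def base_domain(host: str) -> str:
    # Registrable domain approximated as the last two labels (wrong for co.uk etc.).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def dissect(url: str) -> dict:
    # Split a URL into the parts that matter for spotting deception.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    shown = host
    if any(label.startswith("xn--") for label in host.split(".")):
        try:  # punycode labels render as Unicode that can imitate Latin letters
            shown = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    return {"scheme": parts.scheme, "userinfo": parts.username, "host": host,
            "displayed_host": shown, "registrable": base_domain(host),
            "port": parts.port, "path": parts.path, "query": parts.query,
            "is_ip": is_ip}

def warnings(url: str, trusted=TRUSTED) -> list:
    d = dissect(url)
    out = []
    if d["userinfo"]:
        out.append(f"'{d['userinfo']}' before the '@' is a username, not the site; "
                   f"the browser connects to {d['host']}")
    if d["is_ip"]:
        out.append("host is a raw IP address, not a name")
    if d["displayed_host"] != d["host"]:
        out.append(f"punycode host renders as {d['displayed_host']} but is really {d['host']}")
    for t in sorted(trusted):
        # Brand label present, but the part that decides who owns the site differs.
        if d["registrable"] != t and t.split(".")[0] in d["host"]:
            out.append(f"looks like {t} but the registrable domain is {d['registrable']}")
    if "://" in url and d["scheme"] != "https":
        out.append("not https: the page and anything typed into it travel in the clear")
    if d["port"] not in (None, 80, 443):
        out.append(f"non-standard port {d['port']}")
    return out
```

`warnings("https://www.example.com/login")` returns nothing, while `https://example.com@198.51.100.7/login` is reported as a username trick in front of a raw IP, and `https://www.example.com.account-verify.net/login` as a brand stacked under account-verify.net. The habit to build from this is to read a host name from the right: the registrable domain just left of the top-level label is the owner, and everything further left is whatever the owner wants it to say.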

Top 9 free Phishing Simulations for Employee-awareness Training¹⁴

  1. Infosec IQ
  2. Gophish
  3. LUCY
  4. SpeedPhish Framework (SPF)
  5. Social-Engineer Toolkit (SET)
  6. Phishing Frenzy
  7. Usecure — uPhish
  8. Sophos — Sophos Phish Threat
  9. King Phisher

Learn more and be better with cybersecurity — NightCafe (by author)

I hope you learned something about phishing and how important it is to stay vigilant while checking emails in any circumstance. If you found this article useful, I would appreciate if you shared it. I am trying to educate the cybersecurity community and help people learn more everyday!

Connect with Cybersecurity Stephen on LinkedIn

I am always looking to expand my network in the cybersecurity community, so add me on LinkedIn.

Buy Me a Coffee

If you appreciated the article or learned something valuable, consider buying me a coffee via the button below. Supporting me helps me stay motivated to write great educational content for everyone. No pressure, but I sincerely thank everyone that helps out. If you have any topics you would like covered, write them in a note, and I will write an insightful article for you.

References

(1) Cofense Email Security. (n.d.). 10 Signs of a Phishing Email. Retrieved on 5/27/2024 from https://cofense.com/knowledge-center/signs-of-a-phishing-email/

(2) Schulze, Holger. (2021). 2021 Business Email Compromise Report GreatHorn. Cybersecurity Insiders. https://info.greathorn.com/hubfs/Reports/2021-Business-Email-Compromise-Report-GreatHorn.pdf

(3) IBM. (2024). IBM X-Force Threat Intelligence Index 2024. https://www.ibm.com/reports/threat-intelligence

(4) Carlson, Brian. (2021, October 7). Top cybersecurity statistics, trends, and facts. CSO. https://www.csoonline.com/article/571367/top-cybersecurity-statistics-trends-and-facts.html

(5) Kurtz, Justine. (2021, April 21). Ransomware, BEC and Phishing Still Top Concerns, per 2021 Threat Report. Webroot. https://www.webroot.com/blog/2021/04/21/ransomware-bec-and-phishing-still-top-concerns-per-2021-threat-report/

(6) Hasson, Erez. (2021, April 13). Bad Bot Report 2021: The Pandemic of the Internet. Imperva. https://www.imperva.com/blog/bad-bot-report-2021-the-pandemic-of-the-internet/

(7) EasyDMARC. (2022, November 6). Phishing Statistics and DMARC. https://easydmarc.com/blog/phishing-statistics-easydmarc-report-january-june-2022/

(8) IBM. (2023). Cost of a Data Breach Report 2023. https://www.ibm.com/reports/data-breach

(9) Cloudflare. (2023). 2023 Phishing Threats Report. https://www.cloudflare.com/lp/2023-phishing-report/

(10) Cisco. (n.d.). What Is Phishing?. Retrieved on 5/27/2024 from https://www.cisco.com/c/en/us/products/security/email-security/what-is-phishing.html

(11) Balaban, Daniella. (2023, October 9). 10 Phishing Prevention Best Practices the Pros Swear By. Cybeready. https://cybeready.com/phishing-awareness-training/phishing-prevention-best-practices

(12) Office of the Comptroller of the Currency. (n.d.). Phishing Attack Prevention: How to Identify & Avoid Phishing Scams. Retrieved on 5/27/2024 from https://www.occ.gov/topics/consumers-and-communities/consumer-protection/fraud-resources/phishing-attack-prevention.html

(13) Inspired eLearning. (n.d.). Phishing Prevention Tips. Retrieved on 5/27/2024 from https://inspiredelearning.com/free-resources/security-awareness-tips/phishing-prevention-tips/

(14) Antipov, Andrei. (2023, July 27). The best 9 phishing simulators for employee security awareness training (2023). Infosec. https://www.infosecinstitute.com/resources/phishing/top-9-free-phishing-simulators/


Cybersecurity Stephen

Professional Educator 🏫 Cultivating the Cybersecurity Community 🌱 Come Learn and Grow with Me 🧠 Knowledge is Power 📚 Discover Something New Everyday 🤩