What is phishing?
Phishing is a type of cybercrime in which a hacker pretends to be a trustworthy source in order to steal sensitive information (such as passwords, data or credit card numbers) from a victim.
There are different types of phishing
There are several ways a hacker can try to steal data, install malware or spy on their victims. Most of the time, an assailant will start with a phishing attack and social engineering to gain access to the victim's resources.
Phishing can take on many forms, the main ones being via email, by phone (vishing or voice phishing), or via a text message (smishing or SMS phishing). The purpose of phishing is to gather sensitive information. This can range from passwords or identifiable information to bank details. This data is used for identity theft, spam, fraud or corporate espionage, to name just a few examples.
Phishing has been around since the beginning of the internet, but in recent years there has been a huge increase in the number of phishing emails sent. Due to the growth of the internet, more and more people are coming into contact with e-mails (and phishing) every day. We can hardly imagine a day where we don’t check our email.
At this moment about 150 million phishing e-mails are sent every day. Of these 150 million e-mails, 16 million get through the spam filters. About half of these are opened, and 800,000 links are clicked. Every day, more than 80,000 people share sensitive information due to these types of phishing attacks.
This, in combination with the decreasing cost of sending these phishing e-mails, results in a continued increase in the number of victims. That is why it is vital for your organization that your users are able to recognize and handle phishing emails.
Different types of phishing
Phishing is the umbrella term we use when talking about these kinds of attacks. It encompasses every conceivable method to steal someone's data or gain access to their networks, devices and so on. The term was originally used when speaking about email messages.
When an attacker uses text messages (SMS, WhatsApp and the like) to make initial contact with a possible victim, we use the term smishing. Text messages are more difficult to check for veracity, which means that you always have to be careful when clicking a link in one.
When phone calls come into play, we use the term vishing - a technique that relies heavily on social engineering. This can be during initial contact or further down the funnel - when a hacker will try to convince you to cooperate by claiming dubious activity was spotted on one of your accounts. Never share sensitive information during a phone call!
Spear phishing is a specialised form of phishing. Regular phishing is usually done by casting a wide net: attackers will send malicious messages to as many recipients as possible, whereas spear phishing is often aimed towards one specific would-be victim.
Whaling is a specialised form of spear phishing: it aims resolutely at the biggest fish within an organisation. It is not to be confused with CEO fraud, where a hacker will impersonate someone at C-level, in order to pressure the victim into taking a certain action.
Angler phishing is where hackers pretend to be customer service or helpful social media accounts. They pretend to want to help you, but in reality they get your login details, credit card information and more.
How to prevent phishing?
Prevention is better than cure, especially in the case of phishing. An inadvertent click on a link in a phishing email or text message is not a disaster. Subsequently entering your details on a fraudulent website or passing them on to a hacker over the phone is. There is no single golden rule against phishing; it is best to take several measures. Here are a few tips to better recognise and avoid phishing:
Think before you click on a link. Watch out for typosquatting: this is a barely visible change to the domain name such as "@gmail.com".
Never give out personal information, either over the Internet or over the phone. Banks or insurance companies will never ask you for sensitive information through those channels.
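The typosquatting tip above can also be checked automatically. The following is an added example, not part of the original article: it compares a sender's domain against a list of trusted domains and flags near misses. The trusted list, the look-alike character table and all sample addresses are constructed for illustration.

```python
# Added example: flag sender domains that nearly match a trusted one.
# TRUSTED, CONFUSABLES and all sample addresses are constructed for illustration.
TRUSTED = ("gmail.com", "microsoft.com", "paypal.com")

# Small, non-exhaustive table of look-alike characters (digits and Cyrillic letters).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p"})

def skeleton(domain):
    """Reduce a domain to what the eye tends to read: map look-alikes, 'rn' -> 'm'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, swap neighbours."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(prev[j - 1] + (ca != cb), prev[j] + 1, cur[j - 1] + 1)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, prev2[j - 2] + 1)  # transposition, e.g. "ia" vs "ai"
            cur.append(cost)
        prev2, prev = prev, cur
    return prev[-1]

def classify(address):
    """Return (verdict, matched_trusted_domain) for a sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in TRUSTED:
        return ("trusted", domain)
    for good in TRUSTED:
        # Same visual skeleton, or one typo away, but not the real domain.
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 1:
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    for sender in ("alice@gmail.com", "support@gmial.com", "it@rnicrosoft.com",
                   "billing@paypa1.com", "bob@example.org"):
        print(sender, "->", classify(sender))
```

A "lookalike" verdict is the case to quarantine or warn on; "unknown" only means the domain is not close to anything on the trusted list.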
Why does phishing increase during a crisis?
The number of phishing attacks boomed during the pandemic. Hackers are known to be good at tricking people by creating a sense of urgency. A crisis, such as severe weather or a pandemic, is the perfect time for criminals to take advantage of this.
After all, during a crisis people are tense and want information as quickly as possible. If a hacker then sends a well-made e-mail or text message in the name of the government or insurance companies, victims are quickly tempted to fall into the trap.
During the corona pandemic, for example, several people received e-mails with fake invitations for a corona vaccine. Hackers also play on severe weather: they send text messages in the name of the insurance company with a link to report water damage. So be extra wary of phishing during a crisis and arm yourself with our anti-phishing training.