Cybercrime can have devastating consequences. Simply by clicking the wrong link, a victim of cybercrime can put themselves at risk of identity theft and endanger their company’s data security.
According to the network security vendor Cisco, so-called ‘phishing attacks’ account for more than 80% of all reported cyber security incidents. This is because phishing is the easiest way for cyber criminals to access valuable information: usernames, passwords and even banking details can be compromised in seconds. However, by learning to recognise the telltale signs of a phishing attack, you can mitigate the risks and stay safe online.
In this guide, we explain exactly what phishing is and how these scams work. We also investigate the different types of phishing attacks, helping you to identify them in the future. Finally, we briefly explain how cybercrime insurance can help you in the event your business falls victim to one of these attacks.
A phishing attack is a type of cybercrime that targets victims via email, phone call or text message. A cyber-criminal will pose as a trusted institution, such as a bank, to lure individuals into providing sensitive data. This data is then used by criminals to access valuable information, such as financial details and account passwords.
Phishing attacks usually work in four steps. They are as follows.
Phishing kits help scammers clone the login page of a legitimate website and load this fake page with credential-stealing script. Contained in a modified zip file, these pages can then be uploaded to a hacked site, where the files are unzipped. At this point the trap is set. Phishing kits are either created by experienced criminal coders or bought pre-made by criminals from the dark web.
Once the phoney site is ready, scammers will send out emails or text messages. These often convincing messages will contain an urgent ‘call to action’ and a link to the spoof site. Typically, the message will be along the lines of, ‘Your account has been compromised. Follow the link below to secure your account.’ These messages will be sent out to thousands of potential victims. The scammer is aware most will likely be unsuccessful, but knows they only need a few ‘bites’ for the attack to be profitable.
Eventually, if the scam messages are convincing enough, an unsuspecting victim will fall into the trap. This will typically see them follow the scam link and enter their details into the phoney login page.
Once credentials have been captured, data can be stolen. The cyber-criminal now has the personal information they wanted and can use it for nefarious purposes. This may involve stealing the victim’s financial assets using credit card and bank account details. Alternatively, a hacker may simply harvest personal data such as national insurance numbers and wage slips and sell it on the dark web for a profit. In that case, the victim may not even be immediately aware that they have been a victim of cybercrime.
Email phishing
This is the most common form of phishing. As described above, a criminal will create a fake web page that mimics the website of a genuine institution. Links to this fake site will then be emailed to thousands of addresses accompanied by a generic message. If this link is followed and credentials are entered into the fake site, data can be harvested by scammers.
The best way to spot a phishing email is to check the sender’s email address and the URL of the link provided. A fake email address will usually contain a random mix of numbers and lower and uppercase letters, and it may even contain misspelt words. Similarly, a fake URL will not match the domain normally used by the site it is trying to mimic.
Spear phishing
Spear phishing is a more sophisticated form of email phishing. Rather than sending generic emails, spear phishers send targeted emails to specific people. The criminal will already have some details relating to the victim, such as a name, job title or place of employment. This information will have been obtained through a previous phishing attack or a data leak. Such leaks can happen if a bank’s data store is hacked, for example, or if your phone, tablet or laptop is connected to an unsecured Wi-Fi network. For this reason, it’s essential that you take the necessary precautions before connecting to public Wi-Fi on a train or at the airport, for example.
The additional information makes phishing emails look more genuine and can make them more effective. Once again, checking the legitimacy of the sender’s email address and of any link URLs is the best way to identify spear phishing attacks.
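The two checks the guide recommends for both email phishing and spear phishing, checking the sender’s address and the link URLs against the domains a genuine organisation actually uses, can be automated. The following is an added example written for this guide, not code from the original page or from any vendor. It assumes a constructed set of legitimate domains (`KNOWN_DOMAINS`) and two constructed sample messages; the `registrable_domain` helper is deliberately naive (last two labels, no public-suffix list), which is enough to show the idea but would need a proper public-suffix lookup in production.

```python
import re
from urllib.parse import urlparse

# Assumption (constructed for this example): the domains the genuine organisation
# actually sends mail from and links to. A real deployment would take these from
# the organisation's own records rather than hard-coding them.
KNOWN_DOMAINS = {"examplebank.com", "secure.examplebank.com"}

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)
ADDR_RE = re.compile(r"<([^>]+)>")
# Digit-for-letter swaps commonly used to make a lookalike domain read like the real one.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host):
    """Last two labels of a hostname (naive: no public-suffix list handling)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


KNOWN_REGISTRABLE = {registrable_domain(d) for d in KNOWN_DOMAINS}


def sender_address(from_header):
    """Bare address from 'Display Name <addr>' or from a bare address."""
    m = ADDR_RE.search(from_header)
    return (m.group(1) if m else from_header).strip()


def looks_random(local_part):
    """The sign the guide describes: a jumble of digits and mixed-case letters."""
    digits = sum(c.isdigit() for c in local_part)
    has_upper = any(c.isupper() for c in local_part)
    has_lower = any(c.islower() for c in local_part)
    return len(local_part) >= 8 and digits >= 3 and has_upper and has_lower


def check_sender(from_header):
    """Flag a sender whose domain is not one of ours or whose address looks machine-generated."""
    findings = []
    addr = sender_address(from_header)
    local, _, domain = addr.rpartition("@")
    if domain.lower() not in KNOWN_DOMAINS:
        findings.append(("sender-domain", domain))
    if looks_random(local):
        findings.append(("sender-random", local))
    return findings


def check_link(url):
    """Classify one URL from the message body; None means the host is one of ours."""
    host = (urlparse(url).hostname or "").lower()
    if host in KNOWN_DOMAINS or registrable_domain(host) in KNOWN_REGISTRABLE:
        return None
    reg = registrable_domain(host)
    for known in KNOWN_REGISTRABLE:
        # Genuine name placed as a subdomain of an unrelated site: examplebank.com.something.example
        if host.startswith(known + "."):
            return ("link-subdomain-trick", host)
        # Genuine name with digits swapped in for letters: examp1ebank.com
        if reg.translate(HOMOGLYPHS) == known:
            return ("link-lookalike", host)
    return ("link-unknown", host)


def analyse_message(from_header, body):
    """Return a list of (code, detail) findings; an empty list means nothing looked off."""
    findings = check_sender(from_header)
    for url in URL_RE.findall(body):
        finding = check_link(url.rstrip(".,;"))  # drop sentence punctuation glued to the URL
        if finding:
            findings.append(finding)
    return findings


# Constructed sample messages (not real mail).
PHISHING_FROM = "ExampleBank Security <a7Kq92xB3@mail-examplebank-alerts.net>"
PHISHING_BODY = (
    "Your account has been compromised. Follow the link below to secure your account: "
    "http://examplebank.com.verify-login.example/secure\n"
    "Or sign in here: https://examp1ebank.com/login."
)
LEGIT_FROM = "ExampleBank <alerts@examplebank.com>"
LEGIT_BODY = "You can review your statement at https://secure.examplebank.com/statements."

if __name__ == "__main__":
    for label, header, body in (("suspicious", PHISHING_FROM, PHISHING_BODY),
                                ("genuine", LEGIT_FROM, LEGIT_BODY)):
        print(label, analyse_message(header, body))
```

Run against the constructed phishing message, the checker reports the unrecognised sender domain, the random-looking mailbox name, the genuine domain buried as a subdomain of an unrelated site, and the digit-substituted lookalike; the genuine message produces no findings. The subdomain and lookalike cases are exactly the patterns a quick visual check of a URL tends to miss, which is why a list of the organisation’s real domains is worth more than a gut feeling about whether a link "looks right".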
Whaling
Whaling targets business executives, celebrities and other high-net-worth individuals who tend to have more personal information in the public domain. Attackers use this information to craft highly personalised attacks.
A whaling email might use the pretext of a CEO calling a board meeting and sending a (fraudulent) link via email to a phoney video call. Or it may state the business is facing legal or financial trouble, instructing an employee to click on a link for more information. Here, attackers can use spoof sites to harvest valuable company data such as bank account details or tax IDs.
Smishing and vishing
Smishing is a form of phishing that involves fraudulent SMS text messages rather than emails. Similarly, vishing makes use of scam phone conversations.
Smishing follows the same process as email phishing: scammers send a link to a bogus website to the victim via text message, claiming to be a trusted institution. Vishing, on the other hand, sees attackers call victims while pretending to be a fraud investigator from a bank or other trusted company. They will ask the victim to provide card details, supposedly to secure the victim’s account, with the intention of stealing this valuable information.
Angler phishing
Angler phishing makes use of fake social media posts. Under the guise of a genuine business or celebrity, anglers reply to the comments and concerns of real customers or fans. They will then use their false status to request personal information and financial data from victims, usually via direct private messages. These scammers will normally offer victims fake refunds or rewards as cover for their criminal activity.
The best way to identify angler phishers is to check if the account in question is officially verified by the social media platform.
Below, we’ve provided three real-life examples detailing some of the most infamous and successful phishing attacks.
Corporate email phishing
In 2015, hackers used fake emails, under the guise of LinkedIn account security, to steal contact information from Sony employees. Over 100 terabytes of data was stolen.
Whaling
One of the founders of Australian hedge fund Levitas was the target of a 2020 whaling attack that cost the company $800,000. The senior individual clicked on a fraudulent Zoom link that installed malware on the hedge fund’s internal system.
Angler phishing
In 2012, cybercriminals set up phoney Twitter accounts pretending to represent Domino’s Pizza. By engaging with customers looking to make genuine queries and complaints, the criminals were able to steal personal information.
While this guide provides top tips for identifying scams and avoiding cybercrime, we know it’s all too easy for some phishing attacks to slip through the cracks. Businesses are responsible for their own cyber security measures, but having the right insurance policies in place can help protect your business and its employees. Cybercrime insurance covers the damages and provides crucial financial and legal support when your business is at its most vulnerable, which is why, in this day and age, it is essential.