Without a doubt, phishing is the most popular social engineering attack. It is widely prevalent since attackers manipulate victims to visit malware-laden sites and install malicious programs by clicking attack links and attachments sent via email.
In a recent investigation, security researchers analyzed billions of natural language messages, attachments, and link-based URLs sent via emails over six months in 2022 and found more than 255 million attacks. In addition, an analysis of at least 55 million emails found that one in ninety-nine email messages is a phishing email, with 25 percent of the emails bypassing default security measures built into Office 365.
With phishing attacks increasing every year, it is essential to understand what email phishing is and what you can do to secure your organization. Read on to learn more about the prevalent threat before you become a target or to know if you were a victim.
What is email phishing?
Attackers use emails to deliver the highest number of phishing attacks, with 96% of phishing incidents delivered through email. Hence, security professionals consider email phishing a numbers game, where hackers send thousands of emails, hoping that a small number of the recipients will fall victim and net substantial sensitive information and money.
Security experts’ analysis shows that the success of email phishing depends on several factors.
Firstly, attackers put a lot of effort into designing phishing emails to appear legitimate and gain a victim’s trust. The primary goal of email phishing is to trick victims into opening malicious documents and links, and therefore, they must appear trustworthy and legitimate. Specifically, hackers craft phishing emails to mimic emails from real organizations, such as banks, insurance companies, IT departments, or healthcare institutions. The attackers use the same logos, signatures, phrasing, and typefaces as the organizations they imitate to reduce suspicion and increase the probability that a victim will open the emails.
Additionally, cybercriminals create a sense of urgency in their phishing emails to push victims into performing actions like clicking the attached documents, software programs, or links. For example, a common technique is impersonating a financial institution and emailing potential victims about suspicious activities and security concerns with their accounts.
Ultimately, most people will likely open the emails and click the attached links to solve the problems. However, the links redirect to a spoofed website where attackers steal the login credentials and use them to access the victims’ accounts. Applying pressure and urgency causes most victims to be prone to costly errors and fail to perform sufficient due diligence.
What is email phishing?
1. Phishing emails request sensitive information
Ransomware is a type of malicious software that encrypts a victim's data and demands a ransom payment to unlock the data. If a club falls victim to a ransomware attack, it could lose access to important data, such as membership lists and financial records, which could disrupt the club's operations and cause significant financial losses.
Hackers use phishing emails to trick users into revealing sensitive information, such as login credentials, bank account details, and personal data. However, emails from legitimate organizations will never require users to provide sensitive data via emails. Thus, unsolicited email messages from an organization that requires you to click a link to input sensitive information are usually phishing attacks. In particular, be wary of phishing emails that insist on tax numbers, credit scores, credit card details, and usernames or passwords.
2. Phishing emails do not salute you by your name
As aforementioned, cybercriminals send thousands of phishing emails to trick as many people as possible into opening them. As such, they don’t know who they are addressing and often use generic salutations like ‘Dear customer,’ ‘Dear Esteemed Member,’ or ‘Dear Account Holder.’ On the other hand, legitimate companies have their customers’ relevant information and will salute you using your official name.
3. Legitimate organizations use domain emails
When you receive an email, check the email address to ensure it has been sent using a corporate email address. For example, all emails from PayPal customer service are sent from firstname.lastname@example.org. However, attackers looking to steal your PayPal details may alter the email address to make it look like it is from PayPal customer service. For example, they may create a unique email domain, such as email@example.com, which may be hard to differentiate from the official email address.
Common types of email phishing
1. Spear Phishing
Spear phishing emails target specific individuals. A spear-phishing attack occurs once a cybercriminal identifies the intended victims and researches them to know everything about them. The attacks are widely popular, with statistics showing that 88% of companies have been victims of advanced spear phishing attacks. Spear phishing emails can target individuals or an entire organization. For example, a spear phishing email may target a high-ranking executive, such as the CFO, where an attacker poses as an essential supplier requiring the company to complete payments on non-existent supplies. Also, spear phishing emails can target individuals by impersonating affiliated organizations to trick them into divulging sensitive information that hackers can use to commit additional crimes.
2. Phishing emails
Phishing emails don’t target specific individuals. Instead, cybercriminals send the same phishing email messages to thousands of individuals to increase the possibility that someone will open them and fall victim to a phishing scam. In most cases, phishing emails use tactics like scaring victims into performing specific actions like clicking a malicious link or attachment. Also, phishing emails arouse a user’s curiosity by promising gifts and sweet deals. For example, a phishing email may trick users into thinking that they have won a vacation or won a significant prize, and all they need to claim it is to click an attached link to fill in their details. Unfortunately, the attackers use spoofed websites to harvest the entered information for malicious use.
3. Business email compromise (BEC)
Business Email Compromise (BEC) is a sophisticated, financially-motivated phishing scam that targets individuals or businesses that handle financial transactions. It exploits the high dependence on email communication for official personal, professional, and business use. A BEC phishing scam involves an email message request that cybercriminals craft to appear like it is from a legitimate source. For example, the email may impersonate a vendor that deals with an organization regularly and may contain an invoice with updated bank details for pending payments. Also, a BEC email may impersonate a company CEO asking the CFO to wire funds to a specific bank account to close a major deal for the company. BEC phishing attacks increased by 150% in 2022.
How to protect your organization from Email Phishing
1. Employee training and awareness
Most email phishing attacks are successful since employees lack awareness of identifying a phishing email. Hence, a training and awareness program on email phishing can educate employees on the tell-tale signs of a phishing email, the details to look for when opening an unknown email, and how to report phishing emails to protect the company from attacks.
2. Implement anti-phishing email software
Anti-phishing software is necessary for modern organizations that use email as the primary form of communication. Most anti-phishing solutions come with powerful anti-spam and anti-virus protection to detect and protect against malware sent via email and malicious email attachments. Also, they leverage threat intelligence to detect and flag email messages that pose a security threat to the organization. In addition, anti-phishing software scans URLs sent via email to block users from accessing malicious websites. They also perform deep inspections on attached documents and files to identify malware and sandbox them to protect against malware attacks.
3. Multi-factor authentication
Some employees may still fall for an email phishing attack since it is a matter of when not if. In most cases, phishing victims reveal sensitive information like login credentials. Therefore, implement multi-factor authentication for all work email accounts, employee accounts, cloud accounts, and company-issued devices. Multi-factor authentication adds a security layer to prevent hackers from using compromised login credentials to gain unauthorized access to the work environment.