The devil is in the data: according to Clearedin, 83% of organizations experience phishing attacks each year, and that figure is bound to grow. About 15 billion spam emails are sent each day — roughly 30% of which are opened — cementing phishing as the third most common type of scam reported to the FBI, regardless of company size, type or location.
The reality is that bad actors continually victimize a business sphere that finds itself increasingly online, but this nasty practice is as old as it is widespread. As time goes on, phishing attacks grow in persistence, number and effectiveness — and it becomes all the more vital to equip your business with security you can trust.
What Is Phishing?
Phishing occurs when bad actors contact targets by email, phone or text posing as a legitimate organization or trusted institution. Under this guise, phishers lure individuals into sharing sensitive, private and exploitable data, such as personal ID info, banking details or passwords. With info in hand, phishers can access important accounts, carry out identity theft and drain victims of their finances.
And, yes, phishing is a crime — a cybercrime, to be exact. In fact, the first phishing lawsuit was filed way back in 2004, setting a legal precedent that we continue to follow to this day.
5 Types of Phishing
As we become increasingly online, bad actors, phishers and scam artists continue to turn every channel we use to connect toward their malicious ends. The many types of phishing run the whole gamut of shakedowns, scams and ripoffs, but the pros at IT Governance note that these are the five most common types.
1. Email Phishing
As we’ve learned, most phishing attempts arrive via those billions of spam emails sent each and every day. Characteristically, phishing emails pose as messages from trusted organizations — commonly banks or popular retail sites, for instance — in an attempt to draw sensitive info from the target.
2. Spear Phishing
Spear phishing can manifest through email as well, but it is far more targeted (and thus more dangerous) than run-of-the-mill phishing attacks. Spear-phishing cybercriminals already have information about a specific person or business — such as names, job titles or specifics about their company role — and they use that info to gain the victim’s trust.
3. Whaling
Whaling is another variation of spear phishing that uses the same personalized tactics to elicit trust in order to extract personal, identifying or financial information. The difference here is that the phisher specifically targets those at the higher end of the business chain, such as senior executives, often by posing as senior staff themselves. Those execs are the “whales” phishers are after.
4. Smishing and Vishing
No, we didn’t just make those words up. Unfortunately, both exist. Smishing is a phishing attack that arrives via text message while vishing is a phone call. Commonly, both types pose as financial institutions in order to capture your banking info (for instance, a text alerting you of bank fraud with a suspicious-looking link may be the actual fraud).
5. Angler Phishing
The newest among the most common types of phishing, angler phishing is a cybercrime that takes place on social media platforms. Here, phishers use DMs and comments posing as official accounts to persuade social media users to divulge info or click on malware links. Worse, the fraudsters may use public info from victims’ social media profiles to personalize their messages and garner trust. The nautical theme continues, but none of these are a day at the beach.
What Is a Common Indicator of a Phishing Attempt?
About 97% of people don’t know how to properly identify a phishing scam, per Clearedin. So let’s change that. According to the nonprofit preventive organization Phishing.org, key red flags such as these commonly indicate that phishing is at play:
- Does an email or message seem too good to be true? It probably is. Boisterous notifications that you’ve won a contest you didn’t enter and offers of free cash and prizes out of nowhere are a no-go — especially on business accounts that have no business entering them in the first place.
- A sense of urgency or threatening nature is also the purview of cybercriminals. Messages that give you a harsh time limit for a response or threaten to close accounts are suspect — these are tactics phishers use to put the pressure on and encourage rash decision-making.
- Hyperlinks and attachments may also indicate phishing scams. Unsolicited attachments may contain malware or software that phishers use to mine for sensitive data, while shady links can also lead to malware downloads. Keep an eye out for misspellings of popular, trusted sites, and always hover over links to preview the actual destination URL before clicking — the visible text of a link and the address it really points to need not match.
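The three red flags above (pressure language, links whose visible text and real destination disagree or that point at lookalike domains, and risky unsolicited attachments) can be checked mechanically before a message ever reaches a person. The script below is an added example written for this article, not code from Phishing.org or CapLinked; it parses one constructed sample message (the sender domain, the link, the `.test` hostnames and the attachment are all made up for the demonstration) and reports which indicators fire. The trusted-domain list, the urgency phrases and the single-character confusable map are assumptions a real deployment would tune to its own environment.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation actually does business with (constructed list for
# this example; in practice it would come from configuration).
TRUSTED_DOMAINS = {"example-bank.test", "company.test"}

# Wording that pressures the reader into acting before thinking.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended",
                 "will be closed", "verify your account")

# Attachment types that run code when opened.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta"}

# Characters attackers swap in to imitate a trusted name (e.g. examp1e -> example).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

# Constructed sample message, not a real phishing email.
SAMPLE_EMAIL = """\
From: "Security Team" <alerts@examp1e-bank.test>
To: accounts@company.test
Subject: URGENT: account suspended, verify within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be closed unless you verify immediately.</p>
<p><a href="http://login.examp1e-bank.test/verify">https://www.example-bank.test/login</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

ZmFrZQ==
--b1--
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: last two labels of 'login.example.test'."""
    return ".".join(host.lower().split(".")[-2:]) if host else None


def host_of(url):
    """Hostname of a URL (scheme optional), or None if it has none."""
    return urlparse(url if "://" in url else "http://" + url).hostname


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None."""
    if domain is None or domain in TRUSTED_DOMAINS:
        return None
    normalized = domain.translate(CONFUSABLES).replace("rn", "m")
    return normalized if normalized in TRUSTED_DOMAINS else None


def analyze_email(raw):
    """Run the indicator checks over one RFC 822 message; return a list of findings."""
    msg, findings = message_from_string(raw), []

    # 1. Sender address on a domain that imitates a trusted one.
    sender = re.search(r"@([\w.-]+)", msg.get("From", ""))
    imitated = lookalike_of(registrable(sender.group(1))) if sender else None
    if imitated:
        findings.append({"rule": "lookalike-sender", "detail": f"{sender.group(1)} imitates {imitated}"})

    # Gather readable text, HTML links and attachment names from every part.
    text, attachments, collector = msg.get("Subject", "") + "\n", [], LinkCollector()
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            text += body
            if part.get_content_type() == "text/html":
                collector.feed(body)

    # 2. Pressure language in subject or body.
    hits = [t for t in URGENCY_TERMS if t in text.lower()]
    if hits:
        findings.append({"rule": "urgency", "detail": ", ".join(hits)})

    # 3. Links whose visible text names one host but whose href goes elsewhere,
    #    and links that land on lookalike domains.
    for href, label in collector.links:
        real = host_of(href)
        shown = host_of(label) if "." in label and " " not in label else None
        if shown and real and registrable(shown) != registrable(real):
            findings.append({"rule": "link-mismatch", "detail": f"shows {shown}, goes to {real}"})
        imitated = lookalike_of(registrable(real))
        if imitated:
            findings.append({"rule": "lookalike-link", "detail": f"{real} imitates {imitated}"})

    # 4. Attachments with an executable extension (double extensions like
    #    invoice.pdf.exe are caught because only the final extension counts).
    for name in attachments:
        if "." + name.lower().rsplit(".", 1)[-1] in RISKY_EXTENSIONS:
            findings.append({"rule": "risky-attachment", "detail": name})
    return findings
```

Running `analyze_email(SAMPLE_EMAIL)` returns five findings, one per rule; a plain internal note with no links or attachments returns none. The registrable-domain helper is deliberately simplistic (it would mishandle names such as `example.co.uk`), and the confusable map is a small illustration of a much larger homoglyph problem; the structure of the checks is what matters, not this particular list.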
How To Avoid Phishing: Best Practices
Now that you know some of the most prominent types of phishing and how the attacks manifest, you need to know how to avoid phishing altogether. Take preventive steps now, including best practices recommended by the Federal Trade Commission (FTC), to protect your business from advanced persistent threats (APTs) down the line:
- Always make sure your software, operating systems, BIOS and firewalls are up to date. Regularly distributed updates can be annoying, but they ultimately harden your security platform. Enable automatic updates where they’re available. This goes for mobile, too.
- Likewise, don’t just protect your business computers with professional-grade security software; keep that software up to date so that it can handle the most current developments and trends in phishing attacks.
- Be smart about account access. Doling out irresponsible access to sensitive email accounts makes for major vulnerability. If the bad guys can access an employee email account, they can introduce massive risk to the enterprise.
- Eliminate much of that vulnerability by requiring two-factor authentication (2FA) on all devices outside the secure office campus whenever possible. Most platforms support this login technology, which requires a one-time code or another verifying factor on top of a regular password to access resources.
- Back up your data. In addition to living persistently on secured cloud storage platforms, always keep backups of essential operating and financial data on routinely updated hard drives that aren’t connected to the network.
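The "one-time code" in the 2FA recommendation above is, on most platforms, a time-based one-time password (TOTP, RFC 6238) derived from a shared secret and the clock. The code below is an added example for this article, not CapLinked's or any vendor's implementation; it shows how the code is generated and, more importantly for a defender, how a verifier should check it: with a constant-time comparison, a small drift window, and a record of the last accepted time step so that a code a phisher captures once cannot be replayed. The secret and timestamps are the published RFC test vector, not real credentials.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # one code per 30-second step, the usual authenticator default
DIGITS = 6

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); not a real key.
TEST_SECRET = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret an authenticator app receives in its QR code."""
    padded = encoded.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_accepted: int = -1, window: int = 1):
    """Return the time step that matched, or None.

    Steps within `window` of the current one are tried to absorb clock drift.
    Steps at or before `last_accepted` are refused, so the caller must persist
    the returned value per user: a code that was already used, or that was
    captured and submitted late, is rejected even though it is arithmetically
    correct.  hmac.compare_digest keeps the comparison constant-time.
    """
    current = unix_time // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter > last_accepted and hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Enrolment: the server generates a secret, shows it once as base32, and
    # both sides derive the same codes from then on.
    print("provisioning secret:", base64.b32encode(TEST_SECRET).decode())
    print("code at t=59:", totp(TEST_SECRET, 59))            # 287082 per RFC 6238
    step = verify_totp(TEST_SECRET, "287082", 89)            # one step late: accepted
    print("accepted at step", step)
    print("replay:", verify_totp(TEST_SECRET, "287082", 89, last_accepted=step))  # None
```

The values printed match the RFC 6238 reference table (8-digit 94287082 at T=59, truncated here to six digits). Note that 2FA of this kind raises the bar but does not remove the phishing risk entirely: a real-time relay page can forward a still-valid code, which is why the verifier's replay check matters and why phishing-resistant factors (FIDO2 security keys or platform passkeys) are preferable where the platform offers them.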
Prevention Is Protection
The key to beating phishing is to cut the line before you’re on the hook — as always, proactive measures are the key to long-term security. If your business relies on discretion and confidentiality — and any business making regular transactions, from day-to-day sales to M&A activity absolutely does — consider those best practices your baseline of action; they serve as a foundation, but that foundation needs walls. That’s where CapLinked’s virtual data room (VDR) comes in. Our secure connections, advanced 256-bit encryption standard and premium-grade security protocols make for the most secure, easily-configurable VDR and document management software on the market.
When sensitive information is at stake, convenience should take a backseat to aggression. Find out how a CapLinked virtual data room can help you protect against data breaches and reputational risk to your next deal. Get started with a free trial today.
Clearedin – Top 10 Phishing Attack Statistics
Phishing.org – What Is Phishing?
IT Governance – The 5 Most Common Types of Phishing Attack
Federal Trade Commission (FTC) – How to Recognize and Avoid Phishing Scams