Phishing is a form of social engineering attack where a phisher masquerades as a legitimate entity to solicit personal and sensitive information or infect a user’s machine with malware. Phishing attacks are usually initiated in the form of bogus websites, emails, instant messaging or short message service (SMS), etc. which contain infected attachments or malicious links for the purpose of eliciting sensitive data (e.g. credentials, bank account or credit card details) and/or infiltrating users’ computers. Phishers may also impersonate known connections (e.g. friends, legitimate organisations) on social media platforms to deliver phishing attacks so as to extract users’ sensitive data and credentials.
According to a number of cyber security threat trend reports, phishing attacks continue to be the most common form of cyber attacks in recent years. A successful phishing attack may have serious consequences for the victims. For individuals, the attack can lead to account takeover, unauthorised financial transactions, credit card fraud, infection by malware or ransomware, etc. For organisations, the attack enables cybercriminals to perform malicious activities such as raiding privileged accounts, stealing sensitive information or disrupting business services, etc. To avoid falling victim to phishing attacks, it is important to understand how to identify and mitigate phishing attacks through raising security awareness of individuals, establishment of proper security policies and deployment of anti-phishing solutions.
Phishing attempts can be recognised by users who stay vigilant and look out for the following common characteristics of phishing messages and websites:
Users may fall victim to phishing attacks if they perform the following actions when receiving phishing messages:
With sensitive data obtained from victims, phishers can conduct various illegal activities, such as transferring victims’ money into their own accounts. Significant financial loss may also result from the loss of valuable intellectual property, including trademarks, patents, trade secrets, etc.
Phishers can further make use of information obtained from users to blackmail or intimidate users’ contacts, or even to perform illegal activities, e.g. hacking into the systems of users’ organisations to steal confidential information, causing users to be blamed or even to face legal and liability problems. An organisation under attack may suffer reputational damage to its brand, and its customers may move their business elsewhere after losing trust in the organisation’s ability to safeguard their data.
A successful phishing attack can lead to identity theft. Phishers can impersonate a legitimate entity to trick users into providing sensitive data like PII or financial data through phishing and use the information obtained fraudulently to impersonate users for illicit purposes.
Phishers can disrupt business operations through phishing attacks. For instance, an organisation’s normal operations can be seriously disrupted if its computer systems are infected by malware delivered through phishing. This type of disruption can even cause disasters in particular business sectors, such as healthcare, if malware-infected medical devices cannot function to provide much-needed care for patients.
Users should not overshare personal and sensitive information on social media or other public channels, as this could lead to identity theft, where personal data is used by hackers to impersonate users for fraudulent purposes.
Phishers may initiate Wi-Fi phishing through public networks. Users can protect themselves against Wi-Fi phishing if they do not connect to unknown public networks. They can choose to use mobile tethering and hotspot capabilities from their mobile phones instead of an unsecured public Wi-Fi to set up a private and secure data connection.
Instead of clicking on a link sent via email, users can type the URL into the web browser themselves to avoid falling victim to phishing attacks, since phishers can mask the true destination of a link so that it looks like the genuine one.
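As an added illustration of the link masking described above (example code written for this page, not from the original article), the check below parses an HTML message body and flags anchors whose visible text shows one domain while the href actually points to another host. The sample message and its domains are constructed.

```python
# Added example: detect links whose visible text shows a different domain
# from the host the href really goes to (a common phishing masking trick).
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches a domain inside visible link text, e.g. "https://www.examplebank.com/login".
DOMAIN_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def _host(url):
    """Lower-case host of a URL, with any leading 'www.' removed."""
    full = url if "://" in url else "http://" + url
    host = (urlparse(full).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_masked_links(html):
    """Return (visible_text, real_host) for links whose shown domain
    differs from the real destination host (subdomains of it are allowed)."""
    parser = _LinkCollector()
    parser.feed(html)
    masked = []
    for href, text in parser.links:
        match = DOMAIN_RE.search(text)
        if not match:
            continue  # text like "Click here" shows no domain to compare
        shown, real = match.group(1).lower(), _host(href)
        if real and shown != real and not real.endswith("." + shown):
            masked.append((text, real))
    return masked

# Constructed sample email body; the domains are placeholders, not real sites.
SAMPLE = ('<p>Please <a href="http://examplebank-login.invalid/verify">'
          'https://www.examplebank.com/login</a> to verify your account.</p>'
          '<p>Help: <a href="https://www.examplebank.com/help">www.examplebank.com/help</a></p>')

if __name__ == "__main__":
    for text, real in find_masked_links(SAMPLE):
        print(f"masked link: shows '{text}' but goes to '{real}'")
```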
Enhancing user awareness of phishing is important since the risks and impacts of phishing incidents have been escalating in recent years. Companies should conduct training such as simulated phishing campaigns for employees regularly to strengthen their cyber security vigilance and reduce their chances of falling victim to phishing attacks.
Companies can consider deploying the following technological solutions to defend against phishing attacks:
Organisations should develop comprehensive anti-phishing policies covering email encryption, social media and web access, access rights settings, etc. to protect their computer systems against possible phishing attacks. The policies should cover in considerable detail the legal, management, technical and procedural needs of organisations to build up proper anti-phishing practices and enable them to defend against the evolving threats of phishing attacks.