What Is Phishing? Phishing attacks are a category of cyberattacks that use deceptive “social engineering” techniques to trick people into divulging sensitive information, transferring sums of money, and more. Phishing attempts are usually disguised as harmless interactions that lure victims into trusting the attacker, and they may serve various ends, from simple profit to corporate espionage.

How Does Phishing Work?

The easiest way to commit a robbery is probably to convince the victims they aren’t being robbed at all. That’s the phishing scammer’s basic model.

Phishing attacks begin with an email, phone call, SMS message, social media post, or the like that seems to be from a reputable source. From here, the attacker may have all sorts of end goals, such as tricking the victim into offering up account information, making a PayPal transfer, downloading disguised malware, and so on.

Let’s look at a common example. The victim gets an email or text message from what appears to be their bank. The phishing message mentions an expiring special offer, suspected identity theft, or similar, and asks the victim to log in to their bank account. It links to a mock login webpage, and the victim unwittingly gives the attacker their login credentials.

The attack in this example, like most phishing attacks, carefully creates a sense of urgency that fools the victim into lowering their guard instead of taking time to consider whether the message is suspicious. That may be more easily said than done, however, as there are quite a few tricks in the attacker’s playbook.

Types of Phishing Attacks

Attackers have invented a wide variety of phishing techniques to exploit different technologies, trends, industries, and users. Here’s a glance at some common types:

• Email phishing: An email from a seemingly legitimate sender tries to trick the recipient into following a malicious link and/or downloading an infected file. The email address and any URL in a phishing email may use spoofing to appear legitimate.
• Smishing/SMS phishing: Via text message, attackers try to trick victims into giving out personal information, such as credit card numbers or other account numbers.
• Vishing/Voice phishing: Essentially the same as smishing but carried out over a phone call, these attacks are after credit card information or other sensitive details.
• Angler phishing: Posing as legitimate organizations on social media, attackers solicit personal information from victims, often by offering gift cards, discounts, etc.
• Pop-up phishing: A common attack on smartphones, an offer or warning message appears in a pop-up, generally containing a malicious link to trick victims into divulging personal data.
• Spear phishing: While many phishing scams seek out victims at random, spear phishing attacks target specific individuals whose personal details the attacker already knows to some extent. This extra detail can greatly increase the odds of successful phishing.
• Whaling: Attackers phish executives or other important members of an organization in an attempt to obtain information that will give them privileged access to the target environment.
• Clone phishing: Phishers send victims emails that seem to be from senders the victim trusts, such as financial institutions or business services. This is closely related to spear phishing and a common tactic of business email compromise (BEC) attacks.
• Evil twin phishing: Attackers lure victims with a trustworthy-looking Wi-Fi hotspot, and then carry out “man in the middle” attacks, intercepting data victims transfer over the connection.
• Pharming: Attackers hijack the functionality of a Domain Name System (DNS) server so that it will redirect users to a malicious fake website even if they type a benign URL.

How Dangerous Are Phishing Attacks?

Phishing attacks can be extremely dangerous. Large phishing campaigns can affect millions of people, stealing sensitive data, planting ransomware and other malware as well as gaining access to the most sensitive areas of a company’s systems.

Loss of sensitive data, reputational damage, and regulatory issues are among the many possible consequences of a successful phishing attack at the organizational level, Risks for any phishing victim can include loss or compromise of sensitive data, and organizations also face possible reputational damage and regulatory issues.

How Does Phishing Affect Businesses?

At the organizational level, the consequences of a successful phishing attack can be far-reaching and serious. Financial losses can stem from a compromised corporate bank account. Data loss can stem from phishing that leads to a ransomware attack. An organization can sustain major reputational damage from any breach of sensitive data that necessitates public disclosure.

Furthermore, any of these can have even more serious consequences in turn. Cybercriminals may sell stolen data on the dark web, including to unscrupulous competitors. On top of that, many breaches will need to be disclosed to industry or government regulatory bodies that may levy fines or other sanctions. It may even involve the organization in cybercrime investigations, which can be time-consuming and attract negative attention.

How Do I Protect My Organization Against Phishing Attacks?

Fortunately, most types of phishing can be stopped if you take the right precautions. That means:

• Use effective cybersecurity countermeasures. Modern antivirus and anti-phishing solutions, alongside effective spam filters, will screen out many phishing attempts.
• Keep operating systems and browsers up to date. Software providers regularly address newfound vulnerabilities in their products, without which your system will be left exposed.
• Protect data with automatic backups. Implement a regular process of system data backup so that you can recover in the event of a breach.
• Use advanced multifactor authentication (MFA). Zero trust strategies such as MFA create additional layers of defense between attackers and your internal systems.
• Ensure your users are educated. Cybercriminals constantly invent new strategies, and email security won’t catch everything. Your users and your organization at large will be safer if all users understand how to identify suspicious email messages and report phishing.

What Are the Signs of Phishing?

When it comes to phishing, the safest users are the ones who know how to avoid getting hooked. While a short summary no substitute for focused security awareness training, here are a few key warning signs of attempted phishing:

• Discrepancies in domain names: Email addresses and web domains may have inconsistencies. For example, if you receive an email claiming to be from a well-known brand, the email address may not match it.
• Spelling errors: Although phishing attacks have become much more effective, the messages still often contain spelling or grammatical mistakes.
• Unfamiliar greetings: Sometimes, the style of a greeting or signoff can be a clue that something isn’t right. Take note of someone who always opens messages with “Hi!” suddenly says “Dear friend” instead.
• Short and sweet: Phishing emails often keep information sparse, relying on ambiguity to throw off victims’ judgment. If too many important details are missing, it may be a sign of a phishing attempt.
• Unusual requests: An email asking you to do something unusual, especially without explanation, is a big red flag. For example, a phishing attempt could claim to be from your IT team, asking you to download a file without specifying a reason.

Phishing Attacks: Statistics and Examples

• Phishing campaigns grew by 29% in 2021, according to the 2022 ThreatLabz Phishing Report by Zscaler.
• Phishing attacks were at an all-time high in early 2022, with the financial sector facing the most attacks, according to APWG’s Phishing Activity Trends Report, 1st Quarter 2022.
• 25% of all cyberattacks involve phishing, according to Verizon’s 2022 Data Breach Investigations Report.

Phishing and Remote Working

In a 2021 survey of enterprise IT security leaders, 80% believe remote workers are at greater risk of falling victim to phishing attacks. Even so, many organizations are still relying on weak security protocols. With most expected to continue facilitating remote or hybrid work for at least some of their workforce after the COVID-19 pandemic subsides, this could expose them to vulnerabilities.

Remote workers often rely on less sophisticated security software at home than they do in the office. They also may be using personal emails or other accounts not under the control of their organization’s IT team. Moreover, because they are away from internal business controls, remote employees aren’t always forced to practice good security hygiene, and it can be difficult, if not practically impossible, for IT managers to monitor or enforce.

To stay safe in the age of remote work, you need security that can account for the needs of your more mobile, distributed workforce.

Phishing Protection with Zscaler

Because it relies on exploiting human nature to succeed, user compromise is one of the most difficult security challenges to overcome. To detect active breaches and minimize the damage successful breaches can cause, you need to implement effective phishing prevention controls as part of a broader zero trust strategy.

The Zscaler Zero Trust Exchange™ platform, built on a holistic zero trust architecture to minimize the attack surface, prevent compromise, eliminate lateral movement, and stop data loss, helps stop phishing by:

• Preventing attacks: Features like full TLS/SSL inspection, browser isolation, and policy-driven access control prevent access from malicious websites.
• Preventing lateral movement: Once in your system, malware can spread, causing even more damage. With the Zero Trust Exchange, users connect directly to apps, not your network, so malware can’t spread from them.
• Stopping insider threats: Our cloud proxy architecture stops private app exploit attempts and detects even the most sophisticated attack techniques with full inline inspection.
• Stopping data loss: The Zero Trust Exchange inspects data in motion and at rest to prevent potential data theft from an active attacker.