
Mar 6, 2024

Why Every Organization Should Be Concerned About Phishing


Cybersecurity can be a highly complex topic. Here at Hillstone Networks, discussions about the latest and greatest cybersecurity strategies are often couched in terms that people outside our industry would not understand. Yet surprisingly, some of what threat actors do is fairly simplistic. Take phishing. It is one of the least sophisticated ways to launch an attack and yet it’s highly successful.

Every organization should be concerned about phishing – even yours. No business, nonprofit, or government agency is immune. Computer networks of all types contain valuable information hackers would love to get their hands on. If they can accomplish their goals with a simple phishing attack, you can bet that is exactly what they will do.

A Global Problem

Phishing continues to be an issue because it is a scam that works. Moreover, it is a global problem. Statistics from 2022 demonstrate that 84% of organizations around the world were targeted by some sort of phishing scam.

Fortunately, most of the attacks were addressed early on. Damage was kept to a minimum. But it only takes one attack to expose sensitive information involving millions of people. Yet it is not just personal data threat actors are after. They are also interested in corporate secrets, government security secrets, and more.

The Most Common Types of Phishing

Every organization’s cybersecurity policy manual should include a comprehensive section intended to combat phishing. But in order to prevent phishing, one needs to know what it is. In simple terms, phishing is the tactic of using social engineering techniques to encourage victims to willingly give up usernames, passwords, and other sensitive information.

Here are the most common types of phishing globally:

1. Basic Email Phishing

The most basic form of phishing is email phishing. This is where a threat actor sends out an email designed to look like a legitimate company or organization, complete with what appear to be legitimate links. The email encourages victims to call a phone number or visit a website through which information will be solicited.

2. Spear Phishing

Next is something the industry refers to as spear phishing. It is usually pulled off via email and is perpetrated against victims about whom the threat actor already has relevant information, including name, employment, and job title. Spear phishing is more targeted than basic email phishing.

3. Whaling

Whaling is an even more sophisticated email attack launched against individuals savvy enough to recognize fake emails and other basic tactics. Whaling messages target busy executives and government officials. The messages are designed to look as though they come from colleagues in need of assistance.

4. Smishing/Vishing

Smishing and vishing are similar to email phishing except they target phones. The former relies on text messaging while the latter involves a direct telephone conversation between hacker and victim. The goal is still the same: to get the victim to voluntarily give up information.

5. Angler Phishing

The newest of the group is something known as angler phishing. This is a type of phishing that takes advantage of social media. Criminals scrape information from social media posts while also using games, social apps, and other social engineering tactics to steal information.

This list of the most common phishing methods clearly demonstrates that virtually anyone can be victimized. Our position at Hillstone Networks is that every organization should be on the lookout for phishing scams. The best defense against phishing is employee training.

Training employees in how to spot phishing attacks makes them less likely to fall victim. The more they know about how they could be manipulated, the better equipped they will be to not let it happen.