In this post, we provide some phishing attack examples and share tips for reducing susceptibility to phishing and improving organizational resilience to attacks.
Why is Phishing Such a Massive Threat?
Phishing is a type of social engineering in which the victim is deceived into taking an action that benefits the attacker. Phishing attacks seek sensitive information such as login credentials, or trick victims into running malicious code that installs malware and gives the attacker access to the device and any network it connects to.
Phishing is such a major threat to businesses because it is the primary way that cybercriminals conduct cyberattacks and gain initial access to computer systems and data. Ransomware is a major threat, but the access ransomware gangs need is frequently provided through phishing, and phishing is commonly used to gain access to corporate email accounts for conducting business email compromise attacks – the costliest type of cybercrime for businesses.
Phishing attacks have not only increased in number, they have also become more sophisticated, and sophisticated attacks are difficult for employees to identify. Below we provide phishing attack examples covering the common attack vectors, the lures they use, and example subject lines, and we explain the key elements of a phishing defense.
Phishing Attack Examples: Attack Vectors
There are several different types of phishing attempts, each of which is concerned with either obtaining sensitive information, running malicious code, or taking actions such as changing payroll/direct deposit/bank account information.
- Email Phishing – The most common type of phishing. Email phishing is often conducted in massive campaigns involving hundreds of thousands of messages. The emails are not personalized and use simple lures to trick people into opening malicious attachments or visiting malicious websites.
- Spear Phishing – A targeted form of phishing. Targets are extensively researched, and emails are crafted and sent in small numbers, often to specific individuals or departments in an organization. These attacks maximize the response rate and help the attackers stay under the radar.
- Whaling – Spear phishing that targets the big fish, such as the CEO, CFO, or board members. Their credentials and devices carry the highest privileges and are therefore extremely valuable.
- Smishing – Phishing conducted via SMS. Messages typically include links to malicious websites that serve Android malware or spoof banking sites to steal credentials.
- Vishing – Phishing conducted over the telephone.
- Website Phishing – Credential-harvesting forms are hosted on websites, often in combination with email phishing and smishing. Malicious adverts (malvertising) and posts on social media networks are commonly used to drive traffic to these phishing websites.
Phishing Attack Examples: Lures in Phishing Attempts
There are too many phishing attack examples to list, but some lures are used incredibly frequently because they have proven highly effective. The following phishing attack examples target businesses and closely mirror the types of emails businesses routinely receive.
- Shipping notices
- Outstanding invoices
- Order notifications
- Attempted deliveries
- Account upgrades
- Pending charges to accounts/transaction verifications
- Account closure
- HR Notifications
- Headhunting/job offers
- Collaboration requests
- Scanned documents
- Voicemail messages
- Security alerts
Phishing Attack Examples: Subject Lines
As with the body of phishing emails, subject lines are diverse. That said, certain words recur in the subject lines of phishing attempts and serve as a red flag that an email could be phishing. According to Symantec, the commonest words in phishing email subject lines are:
These words are chosen to get people to open the messages, which are typically disguised as important notifications that the attackers claim must not be ignored.
Cybersecurity Solutions for Preventing Phishing
Security solutions should be implemented to block phishing via email and the web. Do not rely on email security alone: email security solutions will block the majority of phishing attempts, but no email security solution, regardless of its cost or sophistication, will block every one. The key to a robust phishing defense is multiple layers of protection.
96% of phishing attacks occur via email, so implementing an email security solution is one of the most important steps to take to prevent phishing attacks. SpamTitan is an award-winning email security solution that incorporates multiple layers of phishing protection. Front-end checks reject messages from known malicious and poor-reputation IP addresses and flag subject lines like those in the phishing attack examples above, and the solution is constantly fed threat intelligence on new phishing campaigns. Dual antivirus engines and sandboxing block malware; SPF, DKIM, and DMARC checks block messages that spoof a domain whose owner publishes those records (they do not stop lookalike domains the attacker registers and authenticates himself, which is why the other layers matter); and outbound scanning identifies phishing sent from internal accounts.
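To make the SPF/DKIM/DMARC point concrete, here is an added example (not SpamTitan code or any TitanHQ implementation) of the DMARC alignment decision a receiving gateway makes. It assumes the SPF and DKIM verdicts have already been computed and are passed in, embeds constructed DMARC records instead of fetching `_dmarc.<domain>` TXT records from DNS, and approximates the organizational domain as the last two labels (real gateways use the Public Suffix List). The domains `example.com`, `examp1e.com` and `attacker.net` are hypothetical.

```python
"""DMARC alignment check as a receiving mail gateway performs it (added example).

Assumptions: SPF/DKIM verdicts are supplied by the caller; DMARC records are
constructed samples; organizational domain = last two labels.
"""
import re

# Constructed sample DMARC records, keyed by domain. example.com enforces
# reject with strict DKIM alignment; examp1e.com is an attacker-registered
# lookalike that publishes its own permissive record.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "examp1e.com": "v=DMARC1; p=none",
}


def parse_dmarc(record):
    """Parse 'tag=value;' pairs; defaults to relaxed alignment per RFC 7489."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain approximation (assumption: last two labels)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') only the org domain."""
    if mode == "s":
        return header_domain.lower() == auth_domain.lower()
    return org_domain(header_domain) == org_domain(auth_domain)


def from_domain(from_header):
    """Domain of the RFC5322.From address; the display name is ignored."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower() if match else ""


def evaluate_dmarc(from_header, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition).

    spf_domain  - MAIL FROM domain the SPF check was run against
    dkim_domain - d= tag of the verified DKIM signature
    disposition - 'none', 'quarantine' or 'reject' from the record's p= tag
    """
    hdr = from_domain(from_header)
    record = DMARC_RECORDS.get(hdr) or DMARC_RECORDS.get(org_domain(hdr))
    if record is None:
        return False, "none"          # no policy published: nothing to enforce
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(hdr, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(hdr, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags.get("p", "none")


if __name__ == "__main__":
    # Spoofed exact domain: SPF passes only for the attacker's own domain.
    print(evaluate_dmarc("CEO <ceo@example.com>", "pass", "attacker.net", "none", ""))
    # Lookalike domain: authenticates for itself, so DMARC passes.
    print(evaluate_dmarc("CEO <ceo@examp1e.com>", "pass", "examp1e.com", "none", ""))
```

The first call is rejected because neither SPF nor DKIM aligns with `example.com`; the second passes, showing why DMARC alone does not stop a lookalike domain and why reputation, content and user-awareness layers are still needed.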
Around 3% of phishing attacks are delivered directly via websites, but many email phishing attacks also include hyperlinks to websites where malware is downloaded or credentials and other sensitive information are stolen. The WebTitan DNS Filter is a zero-latency web filtering solution that is fed threat intelligence on malicious URLs from a network of 500 million+ endpoints and protects all users from those sites within minutes of their detection anywhere in the world. Administrators can also block risky categories of websites and malware downloads.
Reducing the Susceptibility of the Workforce to Phishing Attempts
Some phishing threats will always get through, whether to inboxes, mobile phones, the web, or the telephone. The phishing attack examples above are effective because many employees are unaware of the threat of phishing and do not know how to identify a phishing attempt. To reduce susceptibility to phishing, security awareness training should be provided regularly to all members of the workforce.
Security Awareness Training
SafeTitan is a security awareness training platform with an extensive library of interactive and enjoyable training content for creating business security awareness training programs. Training involves videos and more formal content, with quizzes to test security knowledge. The platform includes a phishing simulator for conducting fake phishing campaigns on the workforce to identify knowledge gaps and individuals who require extra training. SafeTitan is the only behavior-driven security awareness training platform that delivers training in real-time, in response to employees’ bad security practices.
For further information on improving your phishing defenses, contact TitanHQ today. Product demonstrations are available on request, and you can sign up for a free trial of TitanHQ anti-phishing solutions.