Many people have tried to compile a concise phishing attack definition to explain what a phishing attack is, how it works, and what its consequences are. Unfortunately phishing attacks vary so much in nature -and evolve so quickly in sophistication – compiling a concise phishing attack definition can result in a definition difficult to understand, or one too simple to provide an adequate explanation.
In order to offer an adequate phishing attack definition, we have dissected this article into four sections. The first three explain what a phishing attack is, how it works, and what its consequences are. The fourth section – possibly the most important – offers effective solutions to combat phishing in order to prevent fraud, protect business from malware, and safeguard the identities of employees.
Phishing Attack Definition: What is a Phishing Attack?
In most cases a phishing attack takes the form of an unsolicited email, sent from a scammer but appearing to originate from a trusted source. The scammer´s motives for the phishing attack can vary from attempting to extract login credentials for a personal or corporate account, to manipulating the recipient of the email to perform a financial transaction that benefits the scammer, to persuading the recipient to unknowingly download malware onto their device.
This part of our phishing attack definition is not entirely complete, as a phishing attack can also take the form of a telephone call, an SMS or IM message, or a combination of either plus an unsolicited email. As business have grown more aware of phishing, scammers have grown more sophisticated. Often they will scrape details about their potential victims from public profiles posted on social media sites or their employer´s website to target their phishing attacks at specific individuals.
How a Phishing Attack Works
The success of a phishing attack relies on the email recipient acting on the scammer´s instructions. In order to achieve the desired reaction, the scammer will compose the phishing email to invoke urgency, fear or greed. In their haste to act quickly, the intended victim fails to notice tell-tale signs the email is not genuine and either divulges their login credentials (usually via a fabricated website especially constructed for the attack), performs the financial transaction, or opens a malware-laden attachment.
Reading this phishing attack definition in the cold light of day, you might think “How could somebody fall for a scam such as that?” Well, phishing emails are no longer full of obvious typos and poor language skills. Phishing attacks are formulated by intelligent and organized criminals with skill sets in writing, business communication and human psychology. In a stressful environment such as the workplace, it can be easy to overlook the obvious when informed your credit card is about to be cancelled.
The Consequences of a Phishing Attack
The consequences of a phishing attack can be devastating to individuals and businesses alike. If the recipient of a phishing email divulges their login credentials to a personal online account, the scammer can use the information to steal their money or, in some circumstances, their identity. When the login credentials to a business account are divulged, the scammer may be able create far worse mayhem – such as infiltrating a network to steal data that can be sold or used to commit fraud.
The consequences of manipulating the recipient of the email to perform a financial transaction are fairly obvious and have been well-chronicled. This form of “Business Email Compromise” phishing attack can cost businesses millions of dollars. Similarly, inadvertently downloading malware can also cost a business a considerable sum if the malware consists of ransomware or enables the scammer to extract valuable data that can affect the operations of the business.
How to Combat Phishing Effectively
No phishing attack definition would be complete without explaining how to combat phishing, and – more importantly – how to combat phishing effectively. Various solutions are suggested on the Internet from “don´t click on unrecognized links” to implementing email filters with SURBL filtering and Sender Policy Frameworks. The latter is more effective at preventing phishing attacks, but not entirely effective if the phishing email originates from a genuine email address that has been compromised by a spammer.
The most effective way to combat phishing is by phishing awareness training. This type of training conditions employees to recognize phishing attacks regardless of the vector used to deliver them. Provided the training is ongoing, employees receive regular reminders about the threats from phishing and updates on the latest techniques being employed – ensuring they never forget the phishing attack definition and focus on keeping the business network free from the consequences of a phishing attack.
Image credits: ©NetSec.news / Nirusmee, AdobeStock