Alongside ransomware, phishing is the most common cyberthreat that reaches SMEs through email. While the technical side has changed little over the years, the social engineering that cybercriminals wrap around it is what makes this kind of attack so hard for an SME's employees to recognise. Here are the four main elements of a phishing attack.
1. It’s all a disguise
The logo, the colours, the tone: it's easy to be fooled. Impersonation is the foundation of phishing, and fraudsters always think big. Banks and insurers, energy suppliers, telephone and internet operators, social networks and even public bodies such as tax agencies and national health services are all regularly impersonated in phishing attacks. Although these attacks target private individuals and businesses alike, companies are especially likely to receive fraudulent emails that appear to come from their web hosting provider or from social security. The list of borrowed identities keeps growing. Bear in mind that a display name and a logo are trivial to copy; the sending domain and the real destination of the links are where the disguise usually slips.
2. The aim of the game is personal data theft
Since we're talking about cybercriminals, the disguise is not just for fun. Phishing aims to steal usernames and passwords on the pretext of updating information or payment methods, issuing a refund or resolving a technical problem. Sometimes all it takes for victims to drop their guard is a sender who inspires trust, a reason that is convincing (far more plausible than an inheritance scam or webcam blackmail, for example) and a message with a touch of urgency. The trap springs once the victim clicks the link and enters their credentials on a fake site built by the criminals, who can then sell the data on or use it to embezzle money. The link is the weak point of the disguise: its visible text can say anything, but the address it actually opens is the one that counts.
3. Beware of attachments!
Phishing scams targeting businesses can also take the form of a malicious attachment, which is more dangerous to a company's operations than a fraudulent link. Several pretexts can be used to get someone to open the attachment, but most of the time it's a fake invoice. Once the booby-trapped file is opened (typically a document that asks the user to enable macros, or an executable dressed up as a document), malicious software is installed on the computer and can spread to other devices on the network. Most often, it is used to steal bank details and defraud the business. The same lure of money, just a different means of achieving the goal.
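As an added example (not part of the original article or of any product it mentions), here is a small Python triage script that applies the three checks described in sections 1 to 3 to a constructed sample email: does the sender's display name borrow a known brand while the address comes from another domain, does the visible text of a link hide a different destination, and does an attachment carry an executable or macro-enabled extension or a double extension such as invoice.pdf.xlsm. The brand allowlist, the sample message and all its domains are invented for the example, and registered_domain is a simplification that does not consult the public suffix list.

```python
"""Triage checks for a suspicious email: disguised sender, misleading link,
risky attachment and an urgent subject line. Standard library only."""
import email
import os
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for this example; the brand, addresses, domains
# and link are invented and do not refer to any real organisation.
SAMPLE_EML = b"""\
From: "Acme Bank Security" <alerts@acme-bank-verify.example>
To: finance@sme.example
Subject: Urgent: confirm your payment details within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended. Please visit
<a href="http://login.acme-bank-verify.example/confirm">https://online.acme-bank.example</a>
to confirm your details.</p></body></html>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice_2024.pdf.xlsm"

(binary content omitted)
--b1--
"""

# Hypothetical allowlist: brand names attackers like to borrow, mapped to the
# domains that brand really sends from. Build this from your own list of
# banks, suppliers and providers.
KNOWN_BRANDS = {"acme bank": {"acme-bank.example"}}

# Extensions that can run code or carry macros, and "document" extensions
# that attackers place in front of them to build a double extension.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".lnk", ".iso", ".html",
                    ".docm", ".xlsm", ".pptm"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".png", ".txt"}

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Link text that itself looks like a URL or host name (lower-cased input).
SHOWN_HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:]|$)")
URGENCY_CUES = ("urgent", "immediately", "within 24 hours", "suspended")


def registered_domain(host: str) -> str:
    """Last two labels of a host name. Simplification: a real deployment
    should use the public suffix list so that e.g. bank.co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_sender(msg) -> list[str]:
    """Flag a display name claiming a known brand while the address belongs
    to an unrelated domain (the disguise of section 1)."""
    name, addr = parseaddr(str(msg["From"]))
    domain = registered_domain(addr.rpartition("@")[2])
    return [
        f"display name claims '{brand}' but sender domain is {domain}"
        for brand, domains in KNOWN_BRANDS.items()
        if brand in name.lower()
        and domain not in {registered_domain(d) for d in domains}
    ]


def check_links(html: str) -> list[str]:
    """Flag links whose visible text names one domain while the href opens
    another, and plain-http links (the fake site of section 2)."""
    findings = []
    for href, text in LINK_RE.findall(html):
        href_host = urlparse(href).hostname or ""
        shown = re.sub(r"<[^>]+>", "", text).strip().lower()
        m = SHOWN_HOST_RE.match(shown)
        if m and registered_domain(m.group(1)) != registered_domain(href_host):
            findings.append(f"link text shows {m.group(1)} but opens {href_host}")
        if href.lower().startswith("http://"):
            findings.append(f"unencrypted http link to {href_host}")
    return findings


def check_attachments(msg) -> list[str]:
    """Flag executable or macro-enabled extensions and double extensions
    such as invoice.pdf.xlsm (the fake invoice of section 3)."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, ext = os.path.splitext(name)
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name!r} has risky extension {ext}")
        if os.path.splitext(stem)[1] in DOCUMENT_EXTENSIONS:
            findings.append(f"attachment {name!r} uses a double extension")
    return findings


def check_urgency(msg) -> list[str]:
    """Flag the pressure words that push a victim to act without thinking."""
    subject = str(msg["Subject"] or "").lower()
    return [f"urgency cue in subject: '{cue}'" for cue in URGENCY_CUES if cue in subject]


def triage(raw: bytes) -> dict[str, list[str]]:
    """Run every check on a raw RFC 5322 message and group the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return {
        "sender": check_sender(msg),
        "links": check_links(html),
        "attachments": check_attachments(msg),
        "urgency": check_urgency(msg),
    }


if __name__ == "__main__":
    for category, items in triage(SAMPLE_EML).items():
        for item in items:
            print(f"[{category}] {item}")
```

Run on the sample, the script reports a brand name on an unrelated sending domain, a link whose text shows one bank domain while opening another over plain http, an attachment that is both macro-enabled and double-extensioned, and two urgency cues in the subject. None of these checks proves an email is phishing on its own; their value is that each one inspects exactly the part of the message the disguise cannot fake.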
4. Spear phishing, the bespoke version
This is the most advanced form of phishing, since it combines carefully researched social engineering with technical impersonation (a spoofed sender address, a lookalike domain or a genuinely compromised mailbox). Whereas 'low-cost' phishing sends the same message to a huge list of business email addresses, spear phishing takes a bespoke approach and targets a small number of victims: employees of the same organisation, or one specific person. Having first gained access to the company's email system, the cybercriminal can send a personalised email to a senior employee of the SME or even its CEO, aiming to win their trust so that they open the malware or approve the bank transfer.
Simply staying vigilant is not enough to thwart phishing: a complete cybersecurity solution offers far stronger protection against email attacks than awareness alone. To find out how effective your cybersecurity defences are, test your vulnerability to cyber attacks with our SME CyberCheck tool.