What type of phishing attack targets individuals, groups, or organizations?
No single cybersecurity solution can avert all phishing attacks. Your company should consider a tiered security approach to lessen the number of phishing attacks and reduce the impact when attacks do occur. This multilayered approach includes employee awareness training. When an attack makes it through your security, employees are typically the last line of defense.
Learn how to account for phishing attacks, how to recognize them, and what to do if you ever realize that you may have accidentally succumbed to a phishing attack. Test your phishing knowledge by taking our Phishing Awareness Quiz.
How can I detect phishing?
On any email client: You can examine hypertext links, which is one of the best ways to recognize a phishing attack.
When checking hyperlinks: The destination URL will show in a hover pop-up window near the hyperlink. Ensure that the destination URL matches the link shown in the email. Additionally, be cautious about clicking on links that contain strange characters or are abbreviated.
On mobile devices: You can observe the destination URL by briefly hovering your mouse over the hyperlink. As a result, the URL will appear in a small pop-up window.
On web pages: The destination URL will be revealed in the bottom-left corner of the browser window when you hover over the anchor text.
Tips to help prevent phishing attacks:
What should I do if I receive a phishing email?
If you receive a suspicious email, the first step is to not open the email. Instead, report the email to your company or organization as suspected phishing. Most importantly, never assume that a coworker has already reported a phishing attack. The sooner your IT and security teams are alerted to the potential threat, the sooner your company can take action to prevent it from damaging your network.
If you realize that you have accidentally engaged with a phishing attack and given out any internal information, you must report the occurrence immediately. If you don't report a phishing attack immediately, you could put your data and your company at risk.
Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information.
An attack can have devastating results. For individuals, this includes unauthorized purchases, the stealing of funds, or identity theft.
Moreover, phishing is often used to gain a foothold in corporate or governmental networks as a part of a larger attack, such as an advanced persistent threat (APT) event. In this latter scenario, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.
An organization succumbing to such an attack typically sustains severe financial losses in addition to declining market share, reputation, and consumer trust. Depending on scope, a phishing attempt might escalate into a security incident from which a business will have a difficult time recovering.
Phishing attack examples
The following illustrates a common phishing scam attempt:
Several things can occur by clicking the link. For example:
Email phishing scams
Email phishing is a numbers game. An attacker sending out thousands of fraudulent messages can net significant information and sums of money, even if only a small percentage of recipients fall for the scam. As seen above, there are some techniques attackers use to increase their success rates.
For one, they will go to great lengths in designing phishing messages to mimic actual emails from a spoofed organization. Using the same phrasing, typefaces, logos, and signatures makes the messages appear legitimate.
In addition, attackers will usually try to push users into action by creating a sense of urgency. For example, as previously shown, an email could threaten account expiration and place the recipient on a timer. Applying such pressure causes the user to be less diligent and more prone to error.
Lastly, links inside messages resemble their legitimate counterparts, but typically have a misspelled domain name or extra subdomains. In the above example, the myuniversity.edu/renewal URL was changed to myuniversity.edurenewal.com. Similarities between the two addresses offer the impression of a secure link, making the recipient less aware that an attack is taking place.
Spear phishing targets a specific person or enterprise, as opposed to random application users. It’s a more in-depth version of phishing that requires special knowledge about an organization, including its power structure.
An attack might play out as follows:
By providing an attacker with valid login credentials, spear phishing is an effective method for executing the first stage of an APT.
How to prevent phishing
Phishing attack protection requires steps be taken by both users and enterprises.
For users, vigilance is key. A spoofed message often contains subtle mistakes that expose its true identity. These can include spelling mistakes or changes to domain names, as seen in the earlier URL example. Users should also stop and think about why they’re even receiving such an email.
For enterprises, a number of steps can be taken to mitigate both phishing and spear phishing attacks:
Phishing protection from Imperva
Imperva offers a combination of access management and web application security solutions to counter phishing attempts:
What are the 4 types of phishing?
Types of Phishing Attacks.
Which phishing attack targets particular individuals, groups of people, or organizations?
Spear-phishing is a type of phishing attack that targets specific individuals or organizations typically through malicious emails.
What is a smishing attack?
Smishing is a phishing cybersecurity attack carried out over mobile text messaging, also known as SMS phishing. As a variant of phishing, victims are deceived into giving sensitive information to a disguised attacker.
What are phishing, vishing, and smishing?
Smishing and vishing are scams where criminals attempt to get users to click a fraudulent link through a phone text message, email, or voicemail.