Phishing is a huge issue for organisations of all sizes. In fact, most cybersecurity attacks start with a phishing email. And it's no wonder why - phishing is a very effective way to steal information or get access to systems. In this blog post, I’ll discuss three common types of phishing attacks that your company should know about. I’ll also talk about why businesses are targeted by these attacks, and how you can train your employees to prevent them from happening.
Why companies receive phishing emails
Phishing is a common way for criminals to steal information from businesses or gain access to their systems. Phishing has been around for a long time, and continues to pose a threat to most organisations.
But why are organisations, and perhaps you, scared of falling victim to these types of attacks?
One reason is that phishing has become much more sophisticated and harder to identify. Today, attackers are experts at creating phishing campaigns that look like legitimate messages sent from reputable brands or even trusted employees within your organisation.
Here are a few more reasons you should be cautious about phishing:
- Your organisation has valuable or sensitive information that attackers want to steal. They can use that information to blackmail your company or trick your customers.
- You have systems, such as email systems or financial systems, that attackers want to access.
- Attackers might target your organisation to trick employees into sending them money or clicking a link containing malware.
- Finally, most organisations don’t invest enough resources into employee training, resulting in many employees lacking awareness of how to identify and handle phishing attacks at work.
These are some of the reasons why your company might get targeted. Next I’ll go through the phishing methods that cybercriminals often use when targeting organisations.
3 common types of phishing attacks targeting businesses
Traditional phishing emails aim to get as many people as possible to perform a certain action, such as clicking a link or transferring a sum of money. Most people know about and can easily detect these rather obvious email scams.
Which is great!
But the reality is that many of today's phishing attacks are not created with this purpose. Rather, they are tailored to specific businesses and employees, and target one specific company at a time. They range from relatively low effort to very well researched and customised campaigns.
Three phishing methods that use these types of sophisticated techniques are spear phishing, CEO fraud and whaling. Next, I’ll go through why these methods work so well in targeting businesses and how we managed to phish employees by sending out a fake spear phishing e-mail.
Spear phishing – targeting specific employees
Spear phishing is a phishing method where cybercriminals target and impersonate specific people in your organisation. It makes sense that most employees aren't suspicious of emails that come from someone within the organisation. Unfortunately, cybercriminals take advantage of this trust between colleagues and use it to trick employees into revealing sensitive data, paying an “overdue” bill, or clicking a link infected with malware.
Spear phishing relies on social engineering techniques
Spear phishing emails have something in common. They often contain social engineering techniques to manipulate behavior and exploit the feelings and mistakes that make us human.
You are likely to come across social engineering when receiving a spear phishing email. For example, you might be promised a gift card as the first person to complete a certain action, or the email might contain a short deadline or fake sense of urgency. So, always stay alert when you see these signs!
Spear phishing employees
People are less aware of how convincing spear phishing can be, and how easy it is to be fooled by it, than they like to think. We saw this happen in one of our simulated phishing campaigns that we used for training employees in identifying phishing e-mails.
Our orchestrated attack consisted of what appeared to be a new emergency evacuation plan that “all employees had to read”. 30% of those who received the phishing email clicked on the link in the e-mail. This action opened a fake version of their company's internal work system.
Almost everyone who clicked on the link attempted to log in to the fake system. By doing so they exposed their real usernames and passwords. In other words, these employees weren't as alert as they thought they would be.
Whaling – a type of spear phishing attack
Whaling is a type of spear phishing that targets CEOs and senior executives. The aim is to trick the CEO by impersonating an employee, client or partner. Whaling targets are carefully chosen and the campaigns are based on extensive research into the person and the organisation.
When the target is someone in power, fewer people are involved in the process, and it’s therefore less likely that the scam gets noticed. For example, a whaling email can contain an invoice from a supplier that only the CEO would review before approving the payment.
The quality of these campaigns in combination with the power of the targets makes whaling a dangerous phishing method. To be prepared against these types of attacks, CEOs and senior executives should be aware of the signs of whaling and know how to respond to an attack.
CEO fraud – impersonating CEOs
Who the sender is plays an important role in how and when we react to emails, especially when that person is someone high up in the organisation. Cybercriminals are well aware of our habits, and we see many organisations fall victim to this kind of fraud.
CEO fraud is a phishing method where cybercriminals pretend to be a CEO, or another high-ranking member within the company. This method relies on the persuasiveness of authority, and employees “doing as they are told” without questioning those higher up in the organisation.
CEO fraud can have serious reputational and financial impact
CEO fraud is used to trick employees into revealing sensitive data or transferring money under the false belief that they are acting on a request from their boss. This scam has led many employees to unknowingly pay an invoice straight to the scammers.
This fraud method can have serious financial and reputational impacts. In the UK, CEO fraud cases rose by 29%, with losses increasing by 165% to £12.7m in 2021. To protect your company against CEO fraud, your employees’ ability to identify and react in the right way is your strongest defense.
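The post's own mitigation is employee training; as an added, defender-side complement (example code written for this page, not the original author's), here is a small check that flags the header patterns CEO fraud typically relies on: an executive's display name on an address that is not theirs or is outside the company domain, and a Reply-To that diverts answers elsewhere. The company domain, executive names and sample headers are constructed.

```python
from email.utils import parseaddr

# Constructed sample data (not from the original post): the company domain and
# the legitimate mailbox of each executive whose name a CEO-fraud mail might borrow.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "anna lindqvist": "anna.lindqvist@example.com",  # CEO
    "mark osei": "mark.osei@example.com",            # CFO
}

def _domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def check_headers(from_header: str, reply_to_header: str = "") -> list[str]:
    """Return the CEO-fraud indicators found in a message's From/Reply-To headers.

    An empty list means none of the checks fired, not that the mail is safe,
    which is why this complements rather than replaces awareness training.
    """
    name, addr = parseaddr(from_header)
    name_key = " ".join(name.lower().replace(",", " ").split())
    findings = []
    # 1. Display name borrows an executive's name but the address is not theirs.
    expected = EXECUTIVES.get(name_key)
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' does not match {expected}")
    # 2. Sender address is outside the company domain (webmail, lookalike domain).
    if _domain(addr) != COMPANY_DOMAIN:
        findings.append(f"sender domain '{_domain(addr)}' is external")
    # 3. Reply-To routes answers to a mailbox other than the visible sender.
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        if reply_addr and reply_addr.lower() != addr.lower():
            findings.append(f"Reply-To '{reply_addr}' differs from From address")
    return findings

# Constructed sample headers: a legitimate mail from the CEO and a CEO-fraud lookalike.
SAMPLES = {
    "legit": ("Anna Lindqvist <anna.lindqvist@example.com>", ""),
    "fraud": ("Anna Lindqvist <anna.lindqvist.ceo@example-mail.example.net>",
              "Anna Lindqvist <payments@pay-example.example.net>"),
}

if __name__ == "__main__":
    for label, (frm, reply_to) in SAMPLES.items():
        print(label, check_headers(frm, reply_to))
```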
In the next section I’ll go through how you can prepare your employees against the above-mentioned phishing attacks, and that way strengthen your defense.
How to prepare your employees against phishing attacks
You now know why and how scammers might target your organisation. To stay protected, not only you, but all employees must be aware of the risks and understand their own responsibility. With the right type of employee training and measures in place, you can prepare your employees and keep your organisation protected.
Use these three strategies to strengthen your employees against phishing attacks:
1. Educate employees about phishing
Ensure your employees are your strongest defense by giving them the right training. Phishing attacks take advantage of and manipulate people's behavior. Knowing about the different methods and the techniques behind them will make your colleagues more aware of how and when they are being tricked.
Use this guide to create a training program in phishing and social engineering.
It's also important that your employees know what to do when they receive a phishing email, as warning other employees and reporting potential scams will help protect your organisation.
2. Practice identifying phishing emails through simulated attacks
While most of us feel confident identifying phishing emails promising a free trip around the world, some will likely struggle to detect the spear phishing, whaling and CEO fraud emails discussed in this article. Sending out simulated phishing emails is a hands-on way to train employees in recognising and taking the right action against all types of attacks.
Receiving simulated emails, and perhaps even falling for the bait, might make some employees realise the importance of training and how easy it is to fall for these attacks when not being observant.
Fake phishing emails can also reveal if your employees know how they should report real phishing emails. If you are not getting the results you hoped for, you might need to remind them about the reporting process or make it easier for them to follow it.
Here you can find our best tips on how to create your own simulated phishing email.
3. Make IT security part of your company culture
To make cybersecurity more visible and talked about, we recommend you use a variety of learning materials. In addition to training and simulated emails, you can set aside time for questions during meetings or hang up themed posters in the office. These awareness posters act as fun reminders that also help to encourage discussion about cybersecurity issues.
Lastly, talk about cybersecurity in your organisation and do so regularly. This will not only keep your employees reminded of the risks but also encourage them to bring up questions and have more discussions about security issues.
Phishing attacks have become harder to detect, as they are nowadays tailored to the specific organisations they aim to target. At the same time, new technology and AI tools like ChatGPT make phishing attacks even easier for cybercriminals to carry out. Keeping your organisation protected is a shared responsibility, and all employees must know how to detect and act when receiving phishing emails. Employees are often seen as an organisation's weakest link, but they can also become your strongest defense when you equip them with the right knowledge and training.