What is a phishing attack?

About phishing attacks

A phishing attack involves a cybercriminal masquerading as a reputable source with an enticing request or offer, usually delivered by email. The attacker lures the victim into handing over their personal information, often high-value identity credentials, through deception. Once the cybercriminal acquires these credentials, business email compromise and account takeovers are the next steps. This is where the cybercriminal can do the most damage to your business because once they take over an employee’s legitimate account, they’re difficult to identify and stop.

Phishing attacks are among the most common ways to inject malware and ransomware into your IT environment. In fact, 66% of malware is now delivered via malicious email attachments. The reason phishing is so common is that it works. 41% of IT professionals are reporting daily phishing attacks on their environments. As long as employees and end users communicate via email, your company is at risk of a phishing attack.

How do phishing attacks work?

Cybercriminals carry out phishing attacks through email, social media, or text messages. Sometimes, social engineering is involved as well. Phishing email campaigns are the most prevalent method. These messages contain compelling content and a link that takes the user to a malicious website that appears to be the real thing—at first glance. The user is duped into sharing their personally identifiable information (PII), such as a credit card number or password. This information is then used to compromise an account, such as a banking or email account. From here, the attacker can exploit these credentials for personal gains, such as making fraudulent charges on a credit card; or injecting ransomware into a corporate email to access your company’s IT environment—called spear phishing.

Generally, phishing scams do not require a high degree of sophistication on the part of those cybercriminal. Phishing-as-a-service makes it as easy as a few clicks and the swipe of a credit card to launch a phishing campaign.

For cybercriminals, phishing schemes are a matter of volume and opportunity. Attackers relentlessly target individuals and organizations with spam emails and advanced socially engineered attacks until they pinpoint a weakness in your security defenses. Unfortunately, your end users are often an easy target and the weakest link.

What is spear phishing?

The National Counterintelligence and Security Center defines spear phishing as “a type of phishing campaign that targets a specific person or group and often will include information known to be of interest to the target, such as current events or financial documents.” Advanced spear phishing attacks cost businesses an average of $140,000 per incident. Spear phishing is a big business for cybercriminals because they target enterprises' crown jewels, such as financial data, customer information, intellectual property, private communications, and more.

What sets spear phishing apart from general or consumer phishing attacks is, the phishing victim isn’t the end target. They are only a stepping stone to gain access to an organization’s wider systems.

What is the goal of a phishing attack?

Attackers orchestrate phishing schemes to steal money, data, or both. Sometimes, this is done by injecting malware and ransomware into an environment once they’ve gained access to it through business email compromise or account takeovers. Phishing is one of the leading causes of ransomware attacks in organizations. Ransomware is particularly dangerous because it has the potential to completely shut down a business unless you agree to pay a ransom to the attacker.

Can a phishing attack be detected?

While phishing attack vectors are constantly evolving, it is possible for your employees to spot some of the telltale signs of phishing activity. Some common red flags that you are being targeted by a phishing attack include:

  • Language or email content that seems out of character. The sender’s name, company, or email address looks familiar at first glance, but as you read the email, the greeting or language seems “off.” Perhaps the tone of the email is too urgent or threatening. Remember, real emergencies don’t happen over email or text.
  • Requests for your personal information. Examples include links with instructions for you to update your password or demands for your banking information. Email subject lines such as “We need to confirm your info” are dead giveaways.
  • Unsolicited offers and award wins. “Congratulations! You’ve been selected…” It’s an opening line that should raise instant suspicion.
  • Websites with unusual URLs. One of the first steps you should take if you’re suspicious about a website is to look at the full URL. Are there misspelled words or domain names that aren’t quite right? Many victims are lured into clicking on a link in an email or text message that appears to be legitimate but redirects to a fake site.

You can ensure that your organization’s employees are able to spot these and many other telltale signs through phishing simulation attacks and anti-phishing education programs. These help train your end users and reduce the risk of them clicking on these malicious links and inviting cyber attackers to your door.

What is business email compromise?

Business email compromise (BEC) is a type of phishing attack that uses spoofed emails to lure the victim into taking a specific action, such as paying an invoice or sharing a password. The emails use the names and even the email addresses of real employees of the businesses. Essentially, cybercriminals impersonate someone who is familiar to the victim. If successful, the criminal can illegally obtain money or gain access to sensitive information about your business that can be used for malicious activities.

What is an account takeover?

An account takeover is related to business email compromise in that corporate email account credentials are targeted through deception. In this type of phishing attack, cybercriminals may use email, phone calls, or text messages posing as someone who is known and trusted. The goal is to gain the victim’s email credentials and then make a lateral move into a more high-target account. This could be another employee’s email, such as your CEO or CFO, or the proverbial “keys to the kingdom,” such as access to business-critical applications and systems. Once an account takeover is successful, it’s difficult for security professionals to discover bad actors because they appear to be a legitimate user.

In the case of account takeovers, cybercriminals may use more sophisticated, multi-layered attacks that involve impersonating a person or a business. For example, voice phishing, or “vishing,” lures victims by using real people who rent a voice system to set up call centers to speak with their victim over the phone, appearing to be legitimate representatives of a business.

What is ransomware, and how does it relate to phishing?

Phishing is the most common delivery mechanism for ransomware. If ransomware is the thief, then phishing is the car that drives the thief to your home. Ransomware is malware that  encrypts data or locks down systems, holding it captive until the victim pays a ransom to get it back.

Is my organization at risk of a phishing attack?

If you have employees and end users, you’re at risk. That’s why phishing has become a critical boardroom issue. While strong cybersecurity hygiene and cybersecurity tools can help thwart phishing and reduce risk significantly, there is always an opportunity for a phishing attack to succeed.

How can I stop employees from clicking on malicious links?

First of all, you should know that 30% of phishing emails sent by cybercriminals are opened by their targets. In the fight against phishing, your users are the weakest link. It only takes an average of 16 minutes for an end user to click on a phishing email. Investing in anti-phishing training is one of the best ways to prevent your employees from taking the bait. Through ongoing education, your end users can spot phishing emails. 

By providing security awareness and phishing simulation training, end users can become frontline protectors against these relentless attacks. With the right program, phishing simulation delivers a 31% reduction in employee susceptibility in just four training sessions. There are three critical stages to an effective phishing simulation:

1. Test: Send users imitation phishing emails based on real-world attacks.

2. Train: Educate users based on how they reacted to the simulation to ensure they will spot the real thing the next time.

3. Measure: Track progress and improvement by repeating the first two steps and more guided training as needed.

How can Managed Detection and Response (MDR) help detect and stop phishing attacks?

As phishing attacks increase and evolve in sophistication, many organizations have realized that battling this threat alone is no longer an option. The volume of attacks and the need to respond with urgency is simply too much for an organization to handle internally. The cost and resources associated with building your own team to handle phishing prevention, phishing simulation training, and ongoing detection and response are simply too high.

That’s why MDR is the most effective approach to quickly and effectively identifying and stopping phishing attacks around the clock. This is achieved through managed endpoint protection, business email security, and ongoing phishing simulation training. By partnering with a third-party managed security service provider, you benefit from a team of seasoned security professionals and a world-class security operations center to guard your organization against phishing.

MDR is cybersecurity-as-service. The best MDR service providers deliver:

  • A dedicated, world-class security operations center (SOC)
  • 24/7 managed threat detection and response
  • Expert-led threat hunting
  • Full-scale incident response services

Get in touch with Sophos today for more information on how MDR can help you strengthen your organization's defenses against phishing attacks.

Speak with an MDR Expert



Sophos 2024 State of Ransomware Report

How likely are you to be hit by ransomware? How many of your computers would be affected? Find these answers and much more in the Sophos 2024 State of Ransomware Report.

Download Now



Related security topic: What is spear phishing?