What is phishing and how can I protect against it?
Posted: Mon 11th Mar 2024
We all know to never click links or open attachments that don't look right to us. Yet despite our wariness, phishing remains a lucrative technique for cybercriminals. And small businesses are as open to these attacks as anyone.
In this article, we explain what phishing means, how it works, and what the outcomes are. We also tell you what you can do to protect your business against phishing scams.
What is phishing?
Phishing is a technique cybercriminals use to steal your passwords, banking and credit card details, and other sensitive personal information.
The cybercriminal contacts you by email, phone or text, pretending to be someone from a legitimate organisation you might expect to have dealings with. They trick you into giving up personal information that they then use to access your accounts and steal from you.
How might a phishing attack happen?
Unfortunately, small businesses are as vulnerable to these phishing scams as anyone else. A cybercriminal can bait, hook and catch a phishing victim in minutes. A typical phishing attack might play out like this:
1. Choosing a victim
A cybercriminal contacts either a large batch of random recipients (often using details stolen in a separate data breach) or employees inside a specific company or industry. In this phishing example, the target is Jane, an employee of ABC Manufacturing, who is sent a phishing email.
2. Setting the bait
Jane opens the phishing email. It contains a message asking her to download a document from a file-sharing application she uses frequently as part of her job. The email looks legitimate as it carries the application’s branding. On top of that, the email appears to have come from her boss.
This is an example of a technique called spear phishing. Rather than sending the same message to thousands of strangers, the cybercriminal crafts an email for one recipient and impersonates someone that person trusts (here, Jane's boss), with the aim of tricking them into taking a particular action (such as clicking a link or downloading a file).
3. Hooking the target
Because Jane is very busy when the email arrives, she clicks the link in the message so she can get on with her work. The link takes her to a fake website, dressed up to look like the file-sharing application, where she is asked to enter her log-in details.
She types them in, handing her username and password to the cybercriminal, and then opens the document, which contains hidden malware (software designed to disrupt, damage or gain access to a computer system).
4. Taking malicious action
The malware downloads to her device and then rapidly spreads across ABC Manufacturing's company network. This allows the cybercriminal to steal credentials and sensitive data along the way.
At some point in the attack, ransom notes begin popping up on employees’ screens and the business's operations come to a halt.
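The tell-tale signs in steps 1 to 3 (a colleague's name on an outside email address, an urgent subject line, and a link whose visible text points at the real file-sharing service while the actual destination is a lookalike site) can be checked mechanically. The script below is an added example, not code from the original article; the company domain, the file-sharing service, the staff name and both sample emails are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# All domains, names and messages below are constructed for this example.
INTERNAL_DOMAIN = "abcmanufacturing.example"   # Jane's employer (hypothetical)
TRUSTED_HOSTS = {"files-app.example"}          # the real file-sharing app (hypothetical)
BRAND_TOKEN = "files-app"                      # brand string a lookalike host would borrow
INTERNAL_STAFF = {"mark evans"}                # display names of known colleagues

# Constructed spear-phishing email: boss's name on an outside address, urgent
# subject, and a link whose text shows the real service but goes elsewhere.
SAMPLE_PHISH = """\
From: "Mark Evans" <mark.evans@abcmanufacturing-docs.example>
To: jane@abcmanufacturing.example
Subject: URGENT: PO-4471 needs your sign-off today
Content-Type: text/html; charset=utf-8

<p>Jane, please open the purchase order on Files-App and confirm before 5pm.</p>
<p><a href="http://files-app-login.example/auth?u=jane">https://files-app.example/d/PO-4471</a></p>
"""

# Constructed legitimate email from the same colleague, for comparison.
SAMPLE_LEGIT = """\
From: "Mark Evans" <mark.evans@abcmanufacturing.example>
To: jane@abcmanufacturing.example
Subject: PO-4471 for review
Content-Type: text/html; charset=utf-8

<p>Jane, the PO is on <a href="https://files-app.example/d/PO-4471">Files-App</a> when you have a minute.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def analyse_message(raw):
    """Return a list of phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # Indicator 1: a known colleague's name attached to an address outside the company.
    if display.lower() in INTERNAL_STAFF and sender_domain != INTERNAL_DOMAIN:
        findings.append(f"display name '{display}' used with external address {addr}")

    # Indicator 2: the subject pressures the reader to act right now.
    subject = msg.get("Subject", "")
    if any(w in subject.lower() for w in ("urgent", "today", "immediately", "suspended")):
        findings.append(f"urgency cue in subject: {subject!r}")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = _host(href)
        # Indicator 3: the visible link text is a URL that names a different host.
        if text.startswith(("http://", "https://")) and _host(text) != href_host:
            findings.append(f"link text shows {_host(text)} but goes to {href_host}")
        # Indicator 4: the real destination borrows the brand of a trusted service.
        if href_host not in TRUSTED_HOSTS and BRAND_TOKEN in href_host:
            findings.append(f"lookalike host {href_host} imitates a trusted service")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyse_message(raw) or ["no indicators"])
```

Run on the two constructed messages, the phishing sample trips all four indicators and the legitimate one trips none. The point of indicator 3 is the one Jane missed in a hurry: the text of a link is just a label, and only the destination the browser actually opens matters.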
What happens if I fall victim to a phishing attack?
Once you've taken the bait, the cybercriminal can do a number of things:
Use malware to take control of your device
Gain access to your account details, so they can steal data, money or other types of currency
Access your email inbox and contact list, to gather details of more people they can target
Spread malware (including ransomware) to other devices on the same network
Gain access to other company systems, data or intellectual property
When a cybercriminal has success with one of their phishing scams, the impact to the business can be devastating.
In a 2021 survey, 60% of the people who responded cited lost data as the consequence of the phishing attacks they'd suffered. Compromised accounts or credentials was the second biggest impact, mentioned by 52%, with ransomware infections close behind with 47%.
How do I protect my small business against phishing attacks?
To guard your business against phishing scams and the damage they can cause, there are a number of measures you can adopt.
First, educate yourself on the signs of phishing and what to look out for. If you have employees, give them anti-phishing training and information on a regular basis to help them recognise phishing campaigns.
Second, always assume mistakes will happen, regardless of how much training or warning you've given people. It's all too easy for someone within your business to accidentally click a malicious link, open a malicious attachment, or type log-in details into a fake website. To limit the damage a successful phishing attack can cause, make sure employees keep the anti-spam and antivirus software on their devices up to date, and require a second factor at log-in so that a stolen password on its own, as in Jane's case above, is not enough to get into an account.
Third, secure traffic on your network to further reduce the risk of phishing. Avast Secure Web Gateway (SWG) blocks phishing attempts by analysing and blocking bad sites, as well as blocking malicious downloads and known malicious URLs from entering the network.
Why is a phishing email particularly threatening?
Research by consulting firm Deloitte found that 91% of all cyberattacks begin with a phishing email to an unsuspecting victim. Using this method, cybercriminals gain log-in details, steal money and data, and hold businesses hostage by impersonating email and file-sharing service providers, pretending to be suppliers or jobseekers, posing as financial institutions, and much more.
According to the Anti-Phishing Working Group (APWG), roughly 200,000 new phishing sites appear every month. The group's Phishing Activity Trends Report reveals that the number of phishing attacks doubled throughout 2020, with a record 225,304 new phishing sites appearing in October of that year alone.