You’ve heard about ‘phishing’ emails, as a stealthy first step for online mischief. Some of those fraudulent attempts to elicit a response have likely landed in your Inbox. At which point you may have asked, why did the scammers pick me?
The answer is, it depends, because there are three types of phishing attacks.
Some phishing efforts target individuals, to gather information that gives them a toe-hold for climbing into one’s digital and financial life.
Other phishing emails are sent to company employees, seeking a way to worm into the company’s network or databases.
And some are kind of a hybrid; although the ultimate target is an individual, the initial phishing email poses as legitimate business-to-business communication.
In each case, the scammers are phishing for information they can exploit to eventually profit at your expense.
Phishing attacks on individuals: getting caught in a wide net.
Sometimes when you get one of these emails, it feels obvious; you wonder why someone would think you’d fall for it. Well, don’t feel insulted. You weren’t hand-picked as a gullible target; you just managed to land on a list.
Attackers use the ‘shotgun’ approach to target hundreds of thousands, or even millions, of people at once.
How did the scammers get their list? Other malevolent actors sold it to them. How did your email address even get on the list? Someone less scrupulous than your average vendor may have buried their liberal personal-information-sharing policies in the terms of service that you agreed to on some website.
Many people purchase compiled email databases. Some do so for legitimate purposes, such as marketing a real product. Others, however, buy and use them as vectors for email phishing attacks.
Thinking back on all the times you’ve typed out your email address online may now make you vaguely nauseous.
Other lists come from shadowy vendors who indiscriminately ‘scrape’ email addresses off the web, or from Contact lists on compromised personal computers.
It’s a numbers game, and scammers have learned to play the odds.
With a huge database of people, of course no one attack is going to get a response from all the targets. The intention is to have such a widespread group that a Subject Line as generic as ‘Your Amazon Order’ gets enough people to open the email.
Even if just a few people click the link, and hand over their login information to a fake web portal, the whole effort will be adequately lucrative for the scammers.
The target group for personal email phishing is often characterized as ‘older’ or ‘less educated’ people. But if you’ve ever been tired, stressed or overworked enough to make snap decisions that aren’t the best, you’re in the target group too.
A well-rested person who knows what to watch for, or who knows how to undo the damage, makes a terrible target, even if they do fall prey to the attempt.
Phishing attacks on businesses: a more careful and targeted effort.
Since businesses typically have more money than individuals, scammers look to companies for a potentially much bigger payday. So the random shotgun approach is typically replaced by a much more focused selection process.
You’ve heard about ransomware attacks, where cybercriminals burrow into a company’s network; encrypt or ‘freeze’ it; then demand big bucks for returning access to the network’s owners.
In many if not most cases, that horrific attack began with a simple phishing email or phone call.
What draws a company into the scammer’s crosshairs? Vulnerabilities.
Here, attackers begin by searching for weak points in a firm’s IT network.
They might find one in outdated software, insecure connections with remote employees, a weak password system, a lack of two-factor authentication, or other lax security measures.
Finding those makes a company a prime target. That’s when the phishers start phishing, sending fraudulent emails to employees. When a distracted and/or unwittingly compliant worker responds, the attackers now have the opening they need to dig in and exploit the vulnerabilities they had previously identified.
To make any kind of business phishing effort worth their while, scammers look for companies that make at least $200K in yearly sales. With regard to ransomware-related phishing, criminals also eyeball those who would feel the most pain by having their websites or operations down for any period of time.
That’s why organizations and municipalities that provide crucial real-time services are also chosen as juicy targets who are likely to quickly pay up.
Scams targeting individuals can also start with business-related phishing.
The most common targets within a company are people working in Accounts Payable, Human Resources, and Management.
On a busy Friday afternoon, a worker in HR gets an email from the company’s pension plan management firm. It asks for information about a previous employee. The HR worker provides it, then gets back to work.
The email, unfortunately, was from hackers, who spoofed the pension firm’s From email address. The information gained will now be combined with other collected info to steal the previous employee’s identity. Yikes.
How did the scammers identify the HR person, to target for their phishing email? Many companies list key employees right on their websites.
Or, if your title or position at your company is listed on your LinkedIn profile (and why wouldn’t it be), it doesn’t take much to find out who you are and email you. Congratulations, you are now a target for a phishing attack.
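The spoofed From address in the pension-firm scenario above is the kind of thing a mail gateway can catch. The following is an added illustration, not code from The Harmony Group or any vendor: it parses a constructed message and flags it when the visible From domain disagrees with the bounce address or when the receiving server’s SPF/DKIM verdicts are anything but pass. The domains pension-plan.example, mail-relay.example and corp.example are placeholders.

```python
"""Flag inbound mail whose visible From: address does not line up with the
path it actually travelled. Added illustration (not vendor code); the sample
message and all domains below are constructed placeholders.
"""
import re
from email import policy
from email.parser import BytesParser

# Constructed raw message: the display From claims the pension firm, but the
# bounce address and the receiving server's SPF/DKIM verdicts say otherwise.
SPOOFED_MESSAGE = b"""\
Return-Path: <bounce@mail-relay.example>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-relay.example; dkim=none
From: "Pension Plan Services" <records@pension-plan.example>
To: hr@corp.example
Subject: Urgent: former employee records needed

Please reply with the home address on file for J. Doe.
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address or header value; '' if none."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def check_sender_alignment(raw: bytes) -> list[str]:
    """Return the reasons a message looks spoofed (empty list if it looks clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    from_dom = _domain(msg["From"])
    rp_dom = _domain(msg["Return-Path"])
    # The address shown to the HR worker should match the address bounces go to.
    if rp_dom and rp_dom != from_dom:
        reasons.append(f"From domain {from_dom} != Return-Path domain {rp_dom}")
    # Any SPF/DKIM/DMARC verdict other than 'pass' is worth a flag.
    auth = (msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            reasons.append(f"{mech} result is {m.group(1)}")
    return reasons


if __name__ == "__main__":
    for reason in check_sender_alignment(SPOOFED_MESSAGE):
        print("FLAG:", reason)
```

On the constructed message this reports the Return-Path mismatch plus the failing SPF and missing DKIM results; a message whose From, Return-Path and authentication verdicts agree returns an empty list.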
What can you do to protect your business from email phishing?
The simple answer is, question everything. Unfortunately, the game hackers are playing is anything but simple.
Company-wide email protection, encryption and anti-virus solutions are available to help ensure that malevolent phishing efforts either don’t get through, or are clearly flagged. An experienced IT security expert can also help pinpoint any vulnerabilities in your network.
To learn more about keeping your company and your employees safe every day, contact The Harmony Group, and let’s discuss the options.