GOT is, hands down, the most iconic show ever made — most people have watched it. And those who haven’t watched it have heard of it. And why are we talking about it while focusing on cyber phishing? Well, that’s because a phishing attack and all phishing techniques are similar to GOT characters and themes!
We’re not kidding!
Whether it was The Red Wedding or the iconic Beheading of Ned Stark, these classic incidents had one thing in common — they happened when the characters dropped their guards.
Similarly, a phishing scam happens when you least suspect it and loosen your grip on cybersecurity practices. That’s when hackers use different techniques such as email phishing, whale phishing, voice phishing, and spear phishing to catch you off-guard.
Don’t see the urgency yet? Let’s talk some numbers then – these 2023 cyber phishing stats are as chilling as the massacre of the infamous GOT incident — The Red Wedding!
- As per reports, close to 3.4 billion phishing emails are sent daily
- Cloudflare has reportedly blocked about 250 million malware-laced phishing emails between May 2022 to May 2023
- About 33 million records can fall victim to email phishing and ransomware attacks by the end of this year
Intrigued? Want to know how phishing can affect your business? Keen to understand what is phishing in cyber security and what a phishing email tries to do? If yes, you’ve hit the jackpot. We have covered the ins and outs of all types of phishing attacks in this post.
This article is an honest initiative to answer all your questions related to phishing — How to prevent phishing? What to do after clicking a phishing link? And much, much more!
Dive in!
What is a Phishing Attack in Cyber Security?
It was shocking when The Red Woman — Melisandre — manipulated Stannis Baratheon into burning Shireen, his only child, alive. Ramifications? The entire clan came to its end in the aftermath of the incident. This incident is the exact phishing definition.
Scammers use different phishing techniques and manipulate users into clicking a phishing link.
Via a Phishing Link In an Email
A phishing link is laced with malware that gets downloaded in the system as soon as unaware and unprepared users click on the link that usually comes as an attachment in an email. These kinds of emails are known as phishing emails.
Links in a phishing email can also redirect unsuspecting users to a shady website – the results are disastrous. Any information that the user shares on the malicious website gets instantly stolen!
Via a Phishing Link In SMSs & Voice Calls
Also, you must know that phishing has evolved beyond emails — SMSs and voice calls are also used to carry out phishing attacks nowadays. When done via an SMS, the phishing attack is known as smishing. When done via a voice call, the phishing attack is known as vishing.
Phishing intends to steal sensitive info, including — but not limited to – credit card details, login credentials, and social security numbers!
How can Phishing Attacks Affect SMBs?
The FBI’s Internet Crime Complaint Center confirmed in 2021 that many small and medium-sized businesses lost approximately $7 billion to phishing scams.
And we’re not talking about big fishes like Google or Microsoft — we’re talking about businesses like yours!
In one such chilling event, Pat Bennett, an entrepreneur from Cleveland, fell into the trap of a phishing attack on her business Instagram account. Bennett, a seller of homemade granola, claims she receives most of her orders through Instagram DMs. And despite all efforts, she has failed to regain control of her account.
Bennett was asked to pay a ransom of $10,000 if she wanted back control of her business account. She refused to pay the ransom. Result? She had to restart her business from scratch!
This is just one story – there are many more. And not everybody gets a chance to restart!
Phishing attacks are fairly common, and the techniques scammers use are so advanced that companies even go bankrupt!
If you truly value your business and want to survive the test of cyber terrain, learning everything about cyber phishing attacks is pivotal!
What does a phishing email look like?
Arya Stark in GOT joined the death cult, the Faceless Men. The cult had unstoppable assassins who had magic masks. Those masks could make the killers resemble any person they wanted to. Hence, they carried out murders easily, without failing — because they could not be distinguished from the person they were pretending to be! That’s precisely what a phishing email looks like – harmless, impersonating a legit brand/firm/person.
The more skilled the scammers are, the more legit the email looks. And the more legit it looks, the harder it becomes to spot the scam.
Here are some real phishing examples.
Paypal Phishing
Paypal phishing email is a classic example of how sophisticated phishing attacks cash in after pressing the target’s panic button.
Phishers impersonate PayPal and send phishing emails to customers, citing that the customer’s account has been locked. They provide a CTA button or a link that claims to fix the issue.
Once the customers click on the link, they are redirected to an imposter PayPal website, something like PayPpal or PayyPal, instead of PayPal. Such minor changes are hard to spot in one glance.
If the customers fail to recognize that the site they’ve landed on isn’t the actual PayPal site, and they enter any information, it gets promptly stolen.
Apple Phishing
The most common Apple phishing email that scammers send appears to be coming from either the App Store or the Apple Pay Account.
You will receive a spoofed email citing that your Apple account is locked. Alongside, you will receive some sort of unlock button. And once you click the button, you will be asked for sensitive information.
Here are some other common Apple Phishing scams to watch out for in 2023 —
- The Apple Pay suspension scam
- The Apple gift card scam
- The Apple ID order receipt scam
FedEx Phishing
The FedEx phishing email that commonly targets customers goes around with the subject line – FedEx: Delivery Problem Notification.
Scammers trick customers into clicking a malicious link that looks like a way to contact the Delivery Manager. Once the customers click the link, they’re redirected to a spoofed website resembling the actual FedEx website.
What are the Different Types of Phishing Methods You Should Know?
Tyrion Lannister once famously said, “A day will come when you think you are safe and happy, and your joy will turn to ashes in your mouth”. And the cyber terrain agrees with him!
Unethical hackers have engineered so many tricks that phishing has evolved. You might come to believe that your business is safe. And then, one day, all it will take to burn your joy to ash is one legit-looking phishing email and one unaware employee!
Why, you ask us?
Well, that’s because when people (you or your staff) in a company aren’t trained to identify actual emails from a phishing scam, it’s only a matter of time before malware spreads within the entire network.
And if you want to protect your business from phishing attacks, you must know the most damaging types!
That’s what we’re here to help you with.
Here are the different types of phishing attacks scammers use against SMBs.
Spear Phishing
Lord Varys always knew everything! How? His network of spies – his little birds – were his eyes and ears. In short, Varys always did his research! Hackers launching a spear phishing attack follow this same approach. They proactively collect information about their targets.
Spear phishing is a targeted approach where hackers zero down a potential target, usually a ground-level employee from an important department like the Finance department. This is the first step towards attempting to hack the entire company.
Now, suppose you are the target of spear phishing. The phisher will scout all the information about you that’s present on the web.
- Names of your friends and family members
- Where do you (even your friends) stay
- Your personal interests
- Names of the different banks you have accounts with
- Your email address
Because the scammer knows so much about you, the email you will receive will be highly personalized and legit-looking.
Such spear phishing emails try to persuade the target to share sensitive information like the username and password of the system.
Can you imagine the same thing happening with your employees? If the hackers get access to the system of any of your employees, they can steal the company’s data and spread the malware further.
Whale Phishing
The whale phishing attacks are almost similar to the spear phishing attack. The difference is that hackers target highly influential people in an organization through the whaling phishing technique. One example is the CEO of a company. This type of attack is more popularly known as the CEO Fraud.
One high-profile whaling phishing example is the 2016 scam that led to the sacking of Walter Stephan, the then-CEO of FACC. The scammers broke through the servers of the company in 2016 and studied the writing style of Walter Stephan. They then used the exact same writing style to draft an email instructing the finance department to transfer €42 million to a bank account.
One employee who failed to spot the scam carried out the transaction and the company lost all the money. The scammer was never found! Ultimately, FACC sacked the CEO, the CFO, and the employee who had carried out the transfer.
Business Email Compromise (BEC) Phishing Scam
This form of cyber phishing is almost similar to CEO Fraud. The difference is that in BEC, high-level executives aren’t the targets. Instead, hackers impersonate these people. They send phishing emails to other people within the company by impersonating high-level executives.
One heartbreaking but very famous example of phishing of this kind is the 2014 phishing attack on Scoular — an agriculture company in the US.
Hackers tricked Keith McMurtry, the then corporate controller at the firm. McMurtry received an email from the CEO to wire a whopping $17.2 million to an offshore account. He failed to spot that the email was a phishing scam. All the money was lost!
Voice Phishing (Vishing)
Almost everybody loved Margaery’s sweet whispers – her mad husband Joffrey, her second husband Tomman, and the entire city of King’s Landing. Everybody trusted her counsel; they couldn’t ignore her opinion even if they didn’t like what she said. And this is exactly how scammers operate vishing scams!
They sweet talk to customers on the phone and try to trick them into sharing sensitive information by creating urgency and panic or cashing in on greed!
These are some very convincing scenarios used to target victims of vishing –
- Hackers ask for the social security number, citing that the customer has yet to file the ITR
- Hackers impersonating bank officials — they ask for the bank details of the customer by citing that the bank has suffered a cybersecurity breach and the account of the customer is no longer safe
How to Identify a Phishing Email Scam?
If you can’t beat them, be them — that’s how Sansa survived her time in King’s Landing after her father was beheaded right before her eyes. She was watchful, diplomatic, and treated everything with caution.
That’s what you should do too. There’s no way to stop scammers from sending phishing links. But what you can do is be like The Queen of the North, Sansa – watchful and careful!
Here’s what she would have done had phishing been a problem in Winterfell.
Check the Domain carefully
Scammers copy the logos of brands to make phishing emails appear genuine to an unsuspecting user. But the domain name cannot be the same. There will be differences, no matter how minuscule. And spotting those differences is where your chances of survival are!
For example, if a scammer is impersonating Microsoft, they will either mask the ‘from’ email address or spoof the entire domain name. A spoofed domain name could be something like nicrosoft.com or rricrosoft.com instead of microsoft.com.
Pay close attention to the ‘from’ email address and the domain name.
- If a link in an email is redirecting you to some website, hover over the link and check if you can make out where the link will take you
- If the link you received is shortened, it could be an attempt at masking the actual malicious link
- If you’re redirected to a website, check the URL very carefully. Actual URLs start with https://. Phishing URL, on the other hand, could begin with http://
- If there’s no padlock next to the URL, it could be a spoofed website. Not having a padlock can be an indication that the website might not have an SSL certification
- If it’s a public email domain that you see at the end, it’s a tell-tale sign that the email you’ve received is a phishing scam. No company, not even Microsoft or Google, will ever send anybody an email ending with @gmail.com or @yahoo.com
Treat urgent demand emails with suspicion
While most subject lines we see these days are written to invoke some emotion in readers, subject lines that sound too greedy or desperate should be treated with suspicion.
The biggest red flags are those emails that cite that your account would be suspended or blocked if you fail to update so-and-so things immediately. 90 times out of 100, these emails are phishing emails.
Spot the inconsistencies in the email
Spelling errors and grammar blunders are the few things that should keep you on your toes. If you receive such an email in your inbox, the chances are that that email is laced with malware.
Although this is easy to spot, it can be challenging for people who are not native English speakers. So, if your business is in the Middle East or some other non-native country, ensure your employees get advanced cyber security phishing awareness training to spot scams.
How to Stop a Phishing Attack From Happening?
These 3 lessons from the women in GOT will help reduce the chances of a cyber phishing attack on your company.
The Daenerys’s way of winning a war: Raise an army of the Unsullied
How did Danny, the girl who was sold into marriage, become Daenerys – the most powerful woman in the history of Westeros? She upskilled herself and bartered the right things to finally own the most trained and fierce warriors in all the 7 kingdoms, the Unsullied! You could do that too.
Employees who aren’t trained to spot a phishing scam are liabilities. But when offered the proper cyber security phishing awareness training, those same employees will be no less than your own army of Unsullied – guarding your company against phishers.
Arrange for training sessions where you invite experts at your company to teach your employees about phishing – what it is and how to spot a phishing email.
The Arya’s way of dodging dangers: Never let your guard down
Arya was many things, but the one thing that she never was was careless! She trained to be a fierce warrior even during the time of peace when her father ruled Winterfell, and no harm could have come her way.
That’s one lesson you can take from Arya and never drop your guard.
Continuously practicing the following habits will reduce the chances of your business falling into the trap of phishers:
- Always keep the software updated
- Use strong passwords. Enable multi-factor authentication
- Install desktop firewalls as well as network firewalls
- Make network segmentation mandatory at your company
- Practice advanced cybersecurity techniques such as sandboxing
- Set up the Domain-based Message Authentication, Reporting & Conformance rules on the email server for administrators in your company
- Make a policy where sudden financial transactions have to be verified through a secure communication network, no matter if the request seems to be coming straight from the CEO
- Set up some policy where your employees can only use certain apps on their official laptops
- Encourage your employees not to use their work laptops to open their personal emails
The Sansa’s way of diplomatic dealings: Keep your enemy closer
She could return to Winterfell after years of misfortune at King’s Landing because she kept her enemies closer! That’s what you should do – keep them so close that they never know your next move!
Simply stating,
Take the help of ethical hackers. They have the same insane skills as unethical hackers. The difference is that ethical hackers find vulnerabilities with the intention to stop them from being misused.
Let ethical hackers mimic phishing attacks at your company. Such simulated phishing attacks will train your employees better at identifying the scams.
When you run bug bounty programs and invite ethical hackers to scrutinize your code/app, they’re able to spot high-risk vulnerabilities before unethical hackers can!
What Should You Do if You Click on a Phishing Link?
What did you learn from the two mad queens – Daenerys and Cersei? Here’s what we learnt – recklessness has serious repercussions!
Cersei set the entire Red Keep ablaze, killing her daughter-in-law, Margaery. Result? Her only living son, Tomman, chose death by suicide!
Daenerys torched the entire city of King’s Landing. Result? She died at the hands of her one true love!
Dealing with a phishing attack is almost similar. Once hackers have circulated the malware within the network, it’s mostly a Game of Nerves.
Financial losses will happen, but you can limit those damages if you keep your cool and don’t let panic take the better of you.
Here’s the plan of action you should follow in case you click on a phishing link.
Immediately, raise an alert in the company
Other employees in the company should quickly know that a phishing email has been circulated and a malware attack has happened so they can stop using their systems. This will reduce the risk of the malware spreading to other computers.
Report suspicious emails to the cybersecurity team
Report emails asking for sensitive information to your company’s cybersecurity team. In fact, report every suspicious email that you feel could be a cyber phishing attempt.
If you click on a phishing link that comes from a brand such as Apple or PayPal, alert their cybersecurity teams. All big companies have separate teams with dedicated email IDs handling such scams.
Conclusion
A phishing email intends to trick users into sharing sensitive information – credit card details, login credentials, social security numbers, and even ATM PIN – with the phishers.
The different phishing techniques that scammers use to attack SMBs include the spear phishing technique, whaling phishing technique, vishing technique, and business email compromise phishing technique.
You need to educate your employees about phishing scams so they can identify the tell-tale signs of phishing.
Some of those signs include –
- A misspelled domain name, such as rricrosoft.com instead of microsoft.com
- Phishing email coming from a public domain like @gmail.com. It might look like it belongs to some legitimate company. But it’s mostly likely the personal email ID of the phisher
- Emails that use excessive fear and immediate account suspension warnings to make you act
Frequently Asked Questions
Phishing attacks are carried out by sending emails in bulk to customers. These emails aren’t immensely customized. But they are still heavily doctored, making it hard to identify them from a legitimate email if an employee does not know what phishing is.
Spear phishing, on the other hand, is a more targeted form of phishing. Phishers choose their targets, which could be high-level executives within a company. These emails have such personalized info about the targets that they look incredibly legit at first glance.
Whale phishing is almost similar to spear phishing. But there’s one difference – unlike spear phishing where the targets are high-level executives, whale phishing intends to impersonate high-level executives in order to trick other employees. Another name for whale phishing is CEO fraud.
If you want to stop a phishing attack from affecting your business, you must focus on educating your employees about cyber phishing.
Some other ways include –
Practicing techniques such as network segmentation and sandboxing
Using firewalls
Enabling MFA authentication
Why Choose BUZZ?
You can’t run before you learn to walk — and the cyber terrain is too rocky!
We, at BUZZ, are committed to armor SMBs with the right tools and techniques to thwart hacking attempts and deal with the security crisis.
Here is why you should choose us.
1. Tailored CyberSecurity for SMBs
Our purpose isn’t to be your crutch! We do not want to cripple your business by creating dependency.
We focus on making cyber security accessible to SMB businesses, and understand that no one size fits all.
- We assess your systems.
- We provide you with tools and strategies to protect your systems.
- We train your staff to deal with the crisis.
2. We offer affordable personalized plans
One size never fits all — and we know it!
You don’t have to buy all our services when you partner with us.
We will assess the situation and provide you with insights.
You get to choose the service(s) you feel will amp up your company’s security against cyber attacks.
All our services are affordable because we, at Buzz, believe that every business deserves to be protected.
3. Our services come from experts with 25 years of experience
We’re your navigation compass, so you do not lose your way.
Our experts can assess, protect, and train — you get all you need under one roof!
BUZZ offers –
- Vulnerability assessment
- Risk assessment
- Security architecture review
- Incident Response Training
- Security Policy Development
- Data protection
- Customized training
- Executive training
CONTACT BUZZ NOW: [email protected] |LinkedIn
Your security is our priority. Let’s build a safer digital future together.
