A phishing attack is a cyberattack strategy that seeks to deceive users in order to obtain some benefit. This attack is most common through fake emails, but it can also be carried out via banners and advertisements on websites, social media messages, calls and SMS.
The targets of these attacks can be ordinary users, from whom attackers seek login data for accounts, banks, cards and portals, and even companies, with the aim of carrying out financial transactions.
With the help of social engineering, criminals use tricks and disguise themselves as companies, brands and people that the victim knows.
In most cases, the main objective of this attack is for the victim to provide confidential data, such as personal documents, banking information, passwords, confidential files, among others.
Another strategy used in phishing is malicious links which, when accessed, redirect the victim to a fake website or install files with viruses and malware.
How this scam can reach your business
Phishing targets are generally not specific and can cause a lot of damage to a company. This is a type of attack that can be present in different locations and affect any type of user. Here are some ways:
Common phishing
This tactic is broader and does not have any specific target. In this phishing attack, a mass email is sent, which may be disguised as coming from a company, group or service that the victim may know. As it is a more comprehensive scam, the criminal relies only on chance and luck to collect user information, or to install malicious files that could enable other types of attacks.
Spear phishing
This type of attack is targeted at a specific group of victims. In this case, it can be carried out against employees of a company, customers of a brand, a government agency, among others. The objective of this type of phishing is to access sensitive data such as: confidential files, user and customer information or financial reports.
Clone phishing
With this attack, cybercriminals make an identical copy of a legitimate website to lure their victims. They can create copies of websites for large companies, e-commerce sites, government pages, banks, or any institution that has a large number of users. As a result, the user ends up getting confused, accessing this page and entering their personal information, such as account numbers, passwords, access data, personal documents, among others.
Whaling
Originating from the word whale, this type of attack is focused on targeting people with more relevance, purchasing power, visibility or who hold high-level positions in companies. They may seek to collect information from CEOs, directors, managers, etc. To pique the interest of victims, these attacks can bring false notifications about the company, such as legal subpoenas.
Vishing
Just like conventional phishing, this attack also seeks to collect sensitive and personal data from victims. However, it is done with a direct voice call to the victim's phone. With a convincing approach, this attack can deceive the victim and obtain financial benefits through fraud.
Smishing
Using the SMS service, this type of phishing attack seeks to make the user open a malicious link, presented as something the user must open to obtain a prize, verify access information, check an extrajudicial notification or receive some value.
Phishing through social media
Irresistible promotions, discount campaigns and tags in posts are all resources used for a phishing attack on social networks. Using fake profiles of large companies, these criminals seek to request data and information from victims, and even demand fraudulent payments.
Which companies can be targeted by phishing?
In general, there is no “ideal profile” of a company that could suffer a phishing attack. Virtually all companies that have any process or system connected to the internet can be targeted. For this reason, more and more users may be subject to all types of cyber attacks, and it is essential that the company has an internet usage policy that helps increase the security of its information and protect its devices in the best possible way.
Employees need to be very aware of how the internet is used in the company and know how to identify possible pitfalls that could cause harm to the business.
In addition, the company can also use access control tools that help keep this type of threat away from users and prevent undue access to, for example, entertainment sites, social networks and e-commerce, which increase the chance that a user falls for this type of scam.
Since phishing targets are not specific, it is very important that all businesses find smart ways to protect their resources and information.
Is protection possible?
The main tip to protect yourself from this type of scam is to pay close attention to content that arrives unsolicited, is anonymous, or contains a meaningless sequence of letters and numbers, spelling and grammatical errors, etc. These are the main warning signs that the content may be a trap.
In the case of emails received in the name of friends or co-workers, it is also important to pay attention to warning signs, such as whether the writing is compatible with the profile of the person sending it, whether it mentions your name, and whether it presents generic content, among other information.
It is very common for phishing emails to contain threats such as “if this email is not responded to within 48 hours, your account or access will be cancelled”. This type of email usually contains links to pages or forms for you to enter your information.
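The warning signs described above can be turned into a simple triage check. The following is an added example, not part of the original article: the function names, patterns, threshold and both sample messages are assumptions constructed for illustration, and it covers only the signs that can be tested mechanically (it does not check spelling or writing style).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Patterns are illustrative assumptions, modelled on the threat quoted in the article.
URGENCY = re.compile(r"within \d+ (hours?|days?)|will be (cancell?ed|suspended|blocked)", re.I)
LINK = re.compile(r"https?://[^\s\"'>]+", re.I)

def random_looking(local_part):
    """Meaningless letter/number mix: three or more letter<->digit switches."""
    return len(re.findall(r"(?<=[a-z])\d|(?<=\d)[a-z]", local_part.lower())) >= 3

def body_text(msg):
    """Return the plain-text body, joining text parts of a multipart message."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()

def warning_signs(raw_email, recipient_name):
    """List which of the article's warning signs appear in one raw email."""
    msg = message_from_string(raw_email)
    body = body_text(msg)
    _, addr = parseaddr(msg.get("From", ""))
    signs = []
    if random_looking(addr.split("@")[0]):
        signs.append("random-looking sender")
    if URGENCY.search(body):
        signs.append("deadline or threat")
    if LINK.search(body):
        signs.append("contains link")
    if not re.search(rf"\b{re.escape(recipient_name)}\b", body, re.I):
        signs.append("recipient not named")
    return signs

# Constructed sample messages (not real mail).
PHISH = """From: Support <x7k2q9a4@mail.example>
Subject: Action required

Dear customer,
If this email is not responded to within 48 hours, your account or access will be cancelled.
Confirm your data at http://login.example.test/form
"""
LEGIT = """From: Bruno <bruno.silva@company.example>
Subject: Meeting notes

Hi Ana, the notes from today's meeting are on the shared drive.
"""

if __name__ == "__main__":
    print(warning_signs(PHISH, "Ana"))
    print(warning_signs(LEGIT, "Ana"))
```

A message that triggers several signs at once deserves a closer look before anyone clicks or replies; a single sign, such as a link, is common in legitimate mail too.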
As we said previously, your company can count on an efficient internet access control tool, which helps to avoid some accesses that could lead to virtual traps.