Cybercriminals depend on social engineering (the act of mentally or emotionally manipulating someone through persuasion, mind games, and general trickery) to get what they want from their targets. Like a grifter or con man, a cybercriminal employs social engineering tactics during an attack to deceive victims and gain illegal access to their information.
In an interaction, the scammer tries to present themselves as a reliable source in hopes of gaining their target’s trust. Their tactics will aim to bait the target, luring them into following through on a specific action that would give the criminal access to sensitive data and leave the victim vulnerable to financial loss, reputational destruction, legal trouble, and more.
Phishing is the most prominent social engineering attack individuals encounter, and there are several variations of phishing scams anyone can fall victim to.
What Is Phishing?
Phishing is the most popular social engineering scam. In it, a cybercriminal sends fake communication to a recipient with a suspicious attachment or a dangerous link and a message instructing the recipient to open the attachment or follow the link. The goal is for the recipient to carry out the action specified in the message, which will grant the sender access to sensitive information they would not be able to access otherwise.
According to the most recent studies, it is estimated that cybercriminals send out a collective 3.4+ billion phishing emails every day, or:
- 8+ billion emails in one week
- 7+ billion emails in one month
- 24+ trillion emails in one year
That’s 1,240,000,000,000+ opportunities to fall victim to a phishing scam within a 365-day period.
The global average cost of a single phishing-related data breach for an organization is more than 4 million dollars.
What Are Scammers Phishing For?
The goal of a phishing scam can vary, but scammers are usually out to obtain:
- Usernames
- Passwords
- Credit card numbers
- Banking information
Their goal is to access personal private information they can use for economic gain.
How Do Scammers Go Phishing?
There are many ways a scammer can phish for victims, but the more prominent methods include:
- Text message
- Social media communication (either via comments or direct messages)
- Phone calls
Email is the most common form of communication used for phishing (remember how roughly 1.24 trillion phishing emails are sent in a year?), and malicious actors use fraudulent emails to exploit employees and businesspeople of all kinds, from interns to long-time leaders.
Anatomy of a Phishing Email
With more than 3.4 billion phishing emails sent daily, the quality of these emails ranges from highly suspicious (low-quality) to somewhat believable (higher-quality).
Regardless of how believable or unbelievable a phishing email may be, in most cases, there are a few indicators that point to its illegitimacy:
Strange Sender Address
Many phishing emails come from a sender whose email address is familiar to the recipient but is also a little off.
Scammers often try to mimic a legitimate email address. For instance, if a company’s CEO has the email address john.smith@abccompany.com, the scammer could try to emulate it with john.smith@a_b_c_company.com, johnsmith@gmail.com, or some other variation of the address.
Unless the attacker hacks the sender’s email account, there will always be something a little fishy with the address.
Messaging That Seems Threatening or Urgent
Because phishing is a type of social engineering scam, it’s common for phishing emails to include manipulative wording that urges the recipient to act fast, creating a sense of danger or pressure. The less time the recipient has to think clearly, the more likely they are to follow the scammer’s instructions.
Threatening language often targets the recipient’s job security or financial status. Urgent language may promise fast financial gain or urge the recipient to help the sender quickly.
Messages That Require Action
In order for a phishing email to work, the recipient has to follow the sender’s instructions and provide the information the sender is looking for.
Examples of phishing messaging can include:
- “Immediate action is required to prevent your account from deactivating! Follow the link ASAP to reactivate.”
- “Your recent order did not go through. Follow the link to finalize your order.”
- “You have been selected in our recent giveaway! Click on the link to claim your prize!”
If an email is trying to emulate a company leader or manager, the messaging may seem a bit more personal. Examples can include:
- “Hi [name], There is a problem with our company’s email account. Log in to your account here to help us resolve it.”
- “Hi [name], I need your help placing an order. Will you see if you can place it? Please follow the link and fill out the form.”
- “Hi [name], I need you to purchase some gift cards from [store]. Send me the numbers on the back ASAP.”
Suspicious Links or Attachments
Whatever the instructions are in the main message, the email will include a malicious link that takes the recipient to a login page or form on a website that feeds whatever information they submit directly to the scammer. Or, it will include an attachment designed to install malware onto the recipient’s device or the network it is connected to.
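The three indicators above (a lookalike sender address, pressure wording, and a link whose real destination differs from what is shown) can each be checked mechanically. The script below is an added example written for this article, not code from the original post or from MHD; it assumes a constructed set of trusted domains and known people (`TRUSTED_DOMAINS`, `KNOWN_PEOPLE`), a constructed list of pressure phrases taken from the sample messages in the article, and a constructed sample email modelled on the CEO-impersonation scenario described earlier. It is meant as a starting point for a mail-gateway or triage check, not a complete filter.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: domains and people the organization knows to be legitimate.
TRUSTED_DOMAINS = {"abccompany.com"}
KNOWN_PEOPLE = {"john smith": "abccompany.com"}

# Pressure phrases modelled on the message examples in the article (constructed, lower-case).
URGENCY_PHRASES = ("immediate action", "asap", "act now", "urgent", "deactivat",
                   "claim your prize", "gift card", "log in to your account here")


def edit_distance(a, b):
    """Levenshtein distance; a trusted domain within a few edits is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header):
    """Indicator 1: strange sender address. Returns a list of finding strings."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain in TRUSTED_DOMAINS:
        return findings
    for trusted in TRUSTED_DOMAINS:
        # Compare with separators removed so a_b_c_company.com is caught as abccompany.com.
        squashed = re.sub(r"[._-]", "", domain)
        if squashed == trusted.replace(".", "") or edit_distance(domain, trusted) <= 3:
            findings.append(f"sender domain {domain!r} imitates trusted domain {trusted!r}")
    # A known person's display name on a domain we do not expect (e.g. a free-mail account).
    expected = KNOWN_PEOPLE.get(name.lower())
    if expected and expected != domain:
        findings.append(f"display name {name!r} expected at {expected!r}, but mail is from {domain!r}")
    return findings


def check_urgency(text):
    """Indicator 2: threatening or urgent wording."""
    lowered = text.lower()
    return [f"pressure phrase {p!r} present" for p in URGENCY_PHRASES if p in lowered]


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")

    def handle_data(self, data):
        if self._href is not None:
            self.links.append((self._href, data.strip()))

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def check_links(html):
    """Indicator 3: links to untrusted hosts, or whose visible text names a different host."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if host not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted host {host!r}")
        # Only compare when the visible text itself looks like a URL or domain name.
        looks_like_url = "://" in text or re.fullmatch(r"[\w.-]+\.[a-z]{2,}(/\S*)?", text) is not None
        if looks_like_url:
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            if shown != host:
                findings.append(f"link text shows {shown!r} but points to {host!r}")
    return findings


def analyze(raw_email):
    """Run all three checks over a raw RFC 822 message and return the combined findings."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    return check_sender(msg["From"]) + check_urgency(body) + check_links(body)


# Constructed sample message modelled on the indicators in the article (not a real email).
SAMPLE = """From: John Smith <john.smith@a_b_c_company.com>
To: employee@abccompany.com
Subject: Immediate action required
Content-Type: text/html

<p>Hi Pat, there is a problem with our company's email account.
Immediate action is required to prevent your account from deactivating!
<a href="http://abccompany.com.login-verify.example/">abccompany.com</a> - log in ASAP.</p>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("-", finding)
```

Run against the constructed sample, `analyze` reports seven findings: two for the sender (the separator-padded lookalike domain and a known executive's name on an unexpected domain), three pressure phrases, and two for the link (an untrusted host, and visible text that names abccompany.com while the href points elsewhere). Each check is independent, so a mail-triage workflow can weight them separately; the edit-distance threshold and phrase list are deliberately simple and should be tuned to the organization's own domains and typical internal wording to keep false positives down.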
Types of Phishing or Social Engineering Scams
In addition to the typical phishing scam, there are several other types of social engineering scams businesses can fall victim to, including:
Spear Phishing
Spear phishing is a type of phishing scheme that targets particular individuals of a company, not just the general team. Instead of more generic messaging, the emails are personalized with details that pertain to the individual.
Whaling
Whaling is a phishing scam that targets the “big fish,” or the higher-ups in the company. Targets of whaling are usually senior executives or those in C-suite positions. Because the targets are important players in the company, the emails are often more serious in content, with more carefully orchestrated manipulation tactics.
Pretexting
Pretexting is a phishing scam in which the scammer creates a scenario with pretext to trick the user into handing over sensitive information. Examples could include pretending to be the user’s accountant, an IRS auditor, a financial advisor, or someone else the user either has prior knowledge of or may be familiar with.
SMS Phishing
SMS phishing, sometimes called smishing, is phishing done through text messages rather than email. Similar to email, the recipient will receive a text that includes a link to a malicious website with a message instructing them to follow the link and take whatever action the scammer wants them to take.
Phishing Scams Occur Every Second of the Day. Protect Your Business From Falling Victim by Partnering With MHD.
MHD provides solid Managed IT Services to companies throughout Florida, placing the right protections around your network, servers, and devices. As phishing scams become increasingly sophisticated, it’s becoming too easy to fall victim to one. Cybersecurity from MHD works to safeguard your company’s data and operations, stopping suspicious activity before it can lead to devastation for your business.
To learn more about our IT services and security solutions for your Florida business, contact an MHD specialist today: 833-MHD-INFO (833-643-4636)
MHD is your premier IT partner, serving businesses in and around Tampa, Florida, and West Palm Beach, Florida.