Phishing Attacks: Protecting Against Them

Phishing attacks are a serious threat in the digital world.

Phishing is ingeniously designed to steal sensitive information by masquerading as trustworthy entities. These attacks exploit human psychology and technological sophistication, making them a critical concern for individuals and organizations alike.

Today, phishing is the most prevalent cybersecurity threat in the digital world, with the victim count totaling well over 4.75 million unsuspecting internet users in 2023. That's a 58.2% increase from the year before — and that's why we're taking a look at this concerning trend here.

In this article, we'll start by defining phishing attacks and exploring how they happen. Then, we'll discuss the threats that phishing attacks pose to individuals and organizations. Finally, we'll provide measures to prevent you from falling victim to these attacks.

What are phishing attacks?

Phishing is a cyberattack in which hackers, identifying themselves as trusted identities, trick you into sharing sensitive data. They can also trick you into installing malicious malware on your computer or device in order to steal sensitive data or money.

Attackers can use various types of phishing attack techniques, including:

• Social engineering
• Link manipulation
• Voice phishing
• LNK phishing
• Spear phishing
• Clone phishing
• And more

How phishing works

Phishing is all about trickery. The adversary impersonates a legitimate entity — an individual or an organization, often a financial institution — to convince the user to take the desired actions. (The name, of course, comes from fishing: the attacker throws out some bait and sees who will respond.)

Phishing attempts are typically aimed at unsuspecting users without much context about the targets. Typically, victims fall prey to phishing attempts due to a lack of security awareness.

Let's look at  a common example of how phishing works: Let's say you receive an email from someone impersonating a large social media platform, like LinkedIn. This email is a spoof (its masquerading as the real thing), alerting you, the target, to reset your password. That email often cites a security risk such as an unauthorized login attempt.

If you're not paying attention to small details, you may think this is a legitimate email, with a legitimate security request. In that case, you may click to reset your password, and even then you may not realize it's not for the website or app it purports to be.

Ultimately, you follow the instructions in the phishing email and shares your current password. Now, the adversary captures this information. The phisher's attempt was a success.

What about spear phishing?

Spear phishing targets specific individuals with personalized "bait", increasing the success rate of the deception. This attack adds context, making it more convincing for the target to fall prey. Spear phishing works through impersonation.

For instance, a victim may receive an email purporting to be from the organization's IT department asking them to reset passwords. The email includes a link that supposedly leads to the company's internal password reset page, (but it is not a legitimate page). 

The victim, trusting the legitimacy of the email, enters a current password and a new one. The attacker now has the victim's login credentials, which they can use to infiltrate the company network, access sensitive data, or launch further attacks.

(Read our entire guide to spear phishing: seeing and stopping these attacks.)

Examples of phishing attacks

Phishing attacks have been a threat for many years. Below are some real-life examples. 

US government agency impersonation

In 2023, a US government agency finance employee fell victim to a phishing scam and transferred $218,992 to the attacker's account. The criminal, impersonating a genuine supplier, convinced the employee to update the contractor's genuine banking details to fraudulent ones.

Twilio phishing attack

In this case, attackers sent text messages to Twilio employees. The messages contained links to fake log-in pages to the company's portal. The hackers stole and used the employees' login credentials to access Twilio customer data.

Booking.com phishing attack

Hackers sent phishing emails to hotels that use Booking.com's platform. These emails contained links that, when clicked, downloaded malware onto the hotel's systems. The hackers stole booking data from hotels and sent text messages and emails to guests asking them to update their payment details. The aim was to capture credit card information.

(Related reading: malware detection.)

Reasons for phishing

The earliest attempts of phishing emerged in 1996 when hackers lured AOL users into sharing sensitive personal information.

The bad actors used a variety of bait tactics that caused urgency among the targeted victims to click on malicious links and share their personal information online. This information was then sold among the hackers to gain access to a victim’s account and lock them out—in exchange for financial compensation. Back then, phishing was usually motivated by…

• Financial gain. Victims were tricked into paying to regain access to their social media account; hackers would sell victim information among other hackers for monetary gains.
• Identity stealing. Using a victim’s social media account to bait their contacts into sending money or purchasing products online using a compromised account.
• Notoriety. The hacker culture was real and thriving. Any hobbyist with a stolen account would brag about their notorious achievements in their communities.

Phishing trends today

Despite widespread awareness efforts, phishing remains a significant threat due to its reliance on human vulnerabilities and the challenge of balancing security policies and operational flexibility. Today, the practice has emerged as one of the most prominent practices in the cybercrime ecosystem that's motivated solely by financial gain. Take a look at the following latest phishing stats:

• Origin story. Of all security breaches, 36% begin with a phishing attack.
• The vast majority. Over 80% of all business organizations globally have reported phishing attempts that target their employees.
• Not one-and-done. Phishing attacks are not one-time-only security incidents. The costliest phishing attack compromised thousands of emails and caused a financial loss of $1.8 billion — despite 20,000 complaints registered to the service providers.
• How many emails? 3.4 billion phishing emails are sent every day. Most of these emails are automated and aimed at a large audience without much context.

(Related reading: trends and stats in ransonware & extortionware.)

Where are the attacks coming from?

Years and years back, many phishing attacks were traced to Nigeria. These attacks were known as 419 scams, due to their fraud designation in the Nigerian criminal code.

Today, of course, phishing attacks can originate anywhere. Because of the ease and availability of phishing toolkits, even hackers with minimal technical skills can launch phishing campaigns. The people behind these campaigns run the gamut from individual hackers to organized cybercriminals.

(Related reading: cybercrime as a service.)

Key challenges for individuals & organizations

From a macro perspective, defending against phishing attempts has been a major challenge for both enterprise organizations as well as internet users adequately aware of the security threat. Users are frequently informed and educated on improving their security awareness. Technology companies embed security features into their systems.

Yet, somehow, social engineering remains successful in compromising the human element. This comes down to the following key challenges:

User education

Internet users who are less tech-savvy are more likely to fall victim to phishing attacks. It's important that they learn how to acknowledge these threats. This includes taking a critical approach to phishing emails that seem too good to be true and avoiding clicking suspicious links or downloading attachments.

Malware installations are invisible, slipping under the antivirus radar and taking effect in stealth mode. Websites that steal user information are incredibly deceptive and effectively impersonate a legitimate business.

(Related reading: cybersecurity awareness month.)

The human factor

Security mechanisms such as authentication and security alerts still rely on human behavior and knowledge. If the phishing attempt can trick users into sharing sensitive login and authentication credentials, adversaries can use this knowledge to pass authentication tests as legitimate users.

Security policies and flexibility

Business organizations must be flexible when enforcing security policies:

• Tight governance protocols mean that users have limited flexibility in accessing the network and sharing data, which may be critical for their routine jobs.
• If the access control rules are too flexible, anyone with employee login credentials or rogue internal users can leak sensitive business information.

Without an optimal plan to manage identity and access controls, any user with sufficient access privileges falling prey to a phishing attempt can cause significant damage to the organization. However, finding that optimal state is no simple task.

(Related reading: CIS Security Controls.)

Protecting against phishing

Protecting against phishing involves enhancing security awareness, employing multifactor authentication, and tailoring security governance to organizational needs. So, how do you protect against phishing? The answer to this question lies in resolving the very challenges responsible for effective phishing attempts:

• Improve security awareness among internet users with mandatory training and education programs. Show users how they can identify phishing emails. Phishing emails usually demand urgent action, use generic salutations, contain suspicious attachments, and are poorly written.
• Use security mechanisms that rely on foolproof multifactor authentication systems. MFA requires users to provide more than one form of identification, such as a username, a password, and a time-based one-time password (TOTP) sent to a phone.
• Adopt security governance policies based on the unique needs of your users and security threats facing your organization.
• Use anti-spoofing controls to prevent the spoofing of emails, phone calls, Domain Name System (DNS) servers, and IP addresses. Anti-spoofing mechanisms include creating email filters, using email authentication protocols like DMARC, DKIM, and SPF, and using anti-spoofing software.
• Always use supported devices and software updated with the latest patches to prevent users from installing malware. Also, restrict administrative privileges to only those who need them, reducing phishing risks associated with administrator accounts.
• Develop a phishing incident response plan that will help you minimize attacks and react quickly to potential attacks.
• Keep up with expert security research, like Monitoring for Phishing Payloads and GSuite Phishing Attacks from the Splunk Threat Research Team.

Splunk supports enterprise security

The right cybersecurity strategy can help you can stay ahead of phishing attempts. See how Splunk can help support these efforts and strengthen your digital resilience.