What is an Email Phishing Attack?
by Ryan Ozawa
If you have an email address, you’ve received an email phishing attack.
Email phishing—also known as email spoofing or email impersonation—is a malicious attempt to trick people into giving up personal and online account information in order to access and exploit more valuable and sensitive systems.
And while some email phishing attacks are targeted towards a specific person—known as “spear phishing”—others are broad and indiscriminate.
As with most email spam and scams, even one out of a million successful messages makes the attacker’s effort worthwhile.
Initially, phishing emails were easily recognized because they typically featured bad spelling, poor grammar, and terrible graphics. Today, phishing messages are so well crafted, they sometimes trick even skeptical, security-conscious users.
Humans remain the weakest link in most security systems, but technology can greatly limit our exposure to risk.
How does email phishing work?
Email phishing is the use of fake email sender information, fake design, and fake content to craft an email message that looks like it comes from a credible, trusted source, such as a bank or a utility company, or even a gaming, dating, or social media site.
The message will frequently be crafted to induce panic or quick action, describing an imminent account shutdown or a security breach in progress. They often capitalize on news events, like the coronavirus pandemic.
And the message will include a clear call to action that ultimately tricks recipients into providing information, often their account login credentials for the business or service being impersonated.
There are solid, helpful ways to recognize and avoid phishing attacks. But attacks are becoming more polished and sophisticated every day.
And they’re effective; Americans lost $57 million to phishing attacks last year. The risks and losses for businesses are even greater.
What is spear phishing?
Spear phishing is a targeted phishing attack, where the attackers are focused on a specific group or organization. Instead of sending a fake Netflix account notice to random people, hackers send fake Microsoft Outlook notices to all employees at a specific company.
By customizing the message, attackers can be even more effective in tricking targets into doing something, such as logging into a fake website or installing malicious software.
Successful attacks on average net hackers $1.5 million to $3.7 million each. Even companies like Google and Facebook are not immune. In 2017, both companies lost $100 million in a spear phishing attack.
But money isn’t the most common motive for spear phishing. According to a 2019 report from security company Symantec, 96% of spear phishing attempts were attributed to intelligence gathering.
Instead of tricking employees into wiring payments, attackers are getting into company networks and quietly spying on everything to steal proprietary and competitive information.
Phishing attacks frequently target healthcare companies, which collect some of the most sensitive information there is.
Everyone in the healthcare industry, from hospital administrators to insurance providers, must take steps to protect medical information from phishing attacks.
How to prevent phishing attacks
Paubox Email Suite Plus includes two key features that can effectively mitigate email phishing risks:
- Inbound Security: Robust spam, virus, ransomware, and phishing protection that stops threats before the reach your users’ inboxes.
- ExecProtect: Patent-pending protection from display name spoofing attacks, preventing hackers from impersonating your CEO or other company leaders to trick employees into compromising your security.
Every company should have a robust information security plan which includes initial and ongoing training to ensure employees are always wary of potential phishing attacks.
But using Paubox Email Suite Plus prevents phishing emails from reaching the inbox in the first place.