Phishing at Work
Phishing is a form of social engineering and cybersecurity attack that impersonates a trusted person or entity via email, SMS text messages or phone to trick the victim into divulging sensitive information such as passwords or financial account numbers. This information is used to access or sabotage an organization’s systems, steal money or intellectual property and more.
While phishing attacks can occur via other means, including SMS, social media or phone, email is the most common method used by attackers to target employees at work. Attackers rely on busy users to quickly review their communications and click embedded links or open attachments before fully evaluating them. They also rely on people’s tendency to fulfill requests of friends or colleagues before checking their authenticity and to respond to emails that appear urgent or contain an overabundance of information.
Cybercriminals can gather a great deal of information about their targets from public resources such as LinkedIn, Facebook and Twitter, uncovering names, job titles and more that help them craft a believable phishing email. They also use artificial intelligence (AI) to create websites or documents that carry a payload, and to power responses that sound like a real human voice in an unsolicited call from the attacker’s computer.
The sophistication of phishing campaigns has continued to increase. From the less-than-convincing Nigerian prince asking for financial backing to the 2003 Mimail virus that appeared as an email from PayPal and convinced countless people to enter their username and password credentials, to CEO fraud (or “whaling”) where criminals target senior leadership, phishing has evolved to be more targeted and effective.