
Phishing, what you need to know before replying to this "urgent email".

By Maëlys De Santis

Published: April 30, 2025

Phishing is one of the most common cyber threats. In 2023, 1.76 billion fraudulent URLs were sent worldwide (source: Stoïk's 2023 Cyber Claims Report).

What are the characteristics of this type of online attack? How can I protect myself? What are the best anti-phishing tools? Here's all you need to know to minimize the risks and impact of phishing on your business.

Definition of phishing

What is phishing?

Phishing is a cyberattack based on the principle of social engineering. In practical terms, this means that the heart of the scam lies in human error (overconfidence, lack of vigilance, etc.), rather than a genuine technical flaw.

In a phishing attempt, an attacker impersonates one of your trusted contacts to send you an urgent e-mail or message. They usually pose as an institution (bank, delivery company, partner, customer, etc.), but in more targeted attacks they may also pose as a colleague or a superior.

The message asks you to "update" or "confirm" your data, citing a pretext such as a technical error or a system update.

🔎 In reality, the hacker's aim is to recover personal or banking data in order to exploit it.

Typical sequence of a phishing attack

  1. Preparation: selection of targets, collection of information needed to be credible, and choice of strategy.

  2. Distribution: targeted or mass mailing of fraudulent messages using hijacked domain names.

  3. Creation of a sense of urgency and exploitation of authority. The fraud appears credible: the message has a coherent context and copies visual elements such as the company logo.

  4. Data capture through redirection to a fake domain name or input form.

  5. Use of credentials, transfer of money to an account, resale of data on the dark web.

  6. After the operation, deletion of fraudulent sites, concealment of the origin of the attack.

The different types of phishing

There are several types of phishing, depending on the target victim and the media used:

  • Classic email phishing: a generic email sent en masse, impersonating legitimate organizations (banks, online services). The victim is then redirected to a lookalike site hosted on a domain name that imitates the original. 💌

  • Spear phishing: a targeted attack that requires prior research on the future victim with a personalized message.

  • Whaling: a phishing attack that specifically targets "big fish" (executives, managers, etc.) with sophisticated messages and high financial stakes. 🐋

  • Smishing: a form of phishing that is carried out by SMS with a short message urging the user to click on a link. 📲

  • Vishing: phishing by telephone or videoconference, posing as members of an official organization.

  • Quishing: a phishing technique using QR-code technology.

Spam and phishing: what are the differences?

Spam and phishing are both classified as unwanted messages. Spam is an unsolicited e-mail sent en masse to promote a product or service. It is intrusive, but involves no fraud: no identity theft, no information theft, just aggressive advertising.

What does a phishing attack look like?

How do you recognize a phishing attack? Here are the signs that you may be a victim of phishing.

Clue No. 1: a suspicious sender address

In a phishing attack, the sender address is made to resemble that of an institution, but with slight differences. Pay close attention to the ".", "-", digits and word order in the address, and check the actual address behind the display name, not just the name shown.

Example: amazon-service@gmail.com instead of service@amazon.com.
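As an added example (not from the original article), here is a small Python checker that applies this clue mechanically to a raw From: header. It flags a brand name used with a free webmail domain (the case above), a domain that merely contains a trusted brand name, and typo lookalikes within two characters of a trusted domain. The trusted-domain and free-mail lists are constructed for the demo and would be replaced by your own.

```python
from email.utils import parseaddr
from typing import List

# Constructed allowlist: domains your organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"amazon.com", "paypal.com", "example-bank.com"}
# Constructed list of free webmail providers a real institution would not send from.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_warnings(from_header: str) -> List[str]:
    """Return a list of warnings for a raw From: header value (empty = nothing found)."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["sender address could not be parsed"]
    local, domain = addr.lower().rsplit("@", 1)
    if domain in TRUSTED_DOMAINS:
        return []  # exact match with an allowlisted domain: nothing suspicious here
    warnings = []
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    # Brand names that appear in the local part or the display name
    mentioned = sorted(b for b in brands if b in local or b in display.lower())
    if domain in FREEMAIL and mentioned:
        warnings.append(f"{', '.join(mentioned)} named in address but sent from free webmail {domain}")
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in domain:  # e.g. amazon-service.com or amazon.com.evil.net
            warnings.append(f"{domain} contains '{brand}' but is not {trusted}")
        elif edit_distance(domain, trusted) <= 2:  # e.g. amaz0n.com
            warnings.append(f"{domain} is a near-miss of {trusted}")
    if mentioned and not warnings:
        warnings.append(f"display name mentions {', '.join(mentioned)} but domain is {domain}")
    return warnings
```

Legitimate regional domains (amazon.co.uk, for instance) will be flagged by the "contains" rule until they are added to the allowlist, which is the intended bias: a missed lookalike costs more than a second look at a real message.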

Clue No. 2: pay attention to visual details

Pay close attention to logos, headers and the general layout of e-mails. Phishing attempts often use slightly altered versions of official visual identities: poor-quality logos, slightly different colors, unsuitable fonts. These small differences help you to identify the counterfeit!

Clue No. 3: Spelling and grammatical errors

With mass phishing, it's not uncommon to find numerous spelling mistakes in the messages sent. Of course, the more sophisticated the attempt, the fewer errors the e-mail will contain. However, you can still spot wording that doesn't match your organization's usual style of communication.

Note: with the democratization of artificial intelligence, hackers are becoming increasingly subtle in their communications too.

Clue No. 4: Generic greetings

Mass phishing does not bother with personalization. So be very wary of e-mails that start with "dear customer" or "dear colleague" and contain nothing specific to you.

☝️ But be careful, because spear phishing and whaling can still include targeted information about you and the person you think is the sender.

Clue No. 5: Excessive sense of urgency

It's very rare for companies, institutions and service providers to decide to close your account without prior warning. When you receive a threat of this type with very short notice, you're certainly the victim of a phishing attack.

✅ Your first reflex should be to contact the organization in question (via a channel other than the link provided) to verify the information.

Clue No. 6: requests for sensitive information

It's very important to make your teams aware of the following idea:

No legitimate organization will ever ask you for your confidential information by email or message.

If your employees have this in mind, it's virtually impossible to fall victim to phishing.

Requests for full passwords, credit card numbers with security codes, or copies of identity documents should raise immediate alarm bells.

What are the risks associated with phishing?

To fully understand the risks associated with phishing, there's nothing better than a few examples.

❌ From 2013 to 2015, a fraudster took more than $100 million from Facebook and Google by posing as the company Quanta. He issued false invoices on behalf of this former partner of the two giants. As you can see, even the web's big guns aren't immune to phishing.

❌ In 2015, spear phishing enabled hackers to plant malware in the control systems of Ukrainian power plants. The result was nationwide power outages.

❌ Last example. In 2016, Austrian aerospace firm FACC fell victim to a whaling attack. The company's financial services sent almost 42 million euros to hackers posing as the company's CEO.

The main risk for organizations is financial. But the consequences don't stop there. Companies that fall victim to phishing lose essential data and lose credibility with customers and partners.

How can you protect yourself against phishing?

To protect your organization from phishing attacks, you need to combine a human and technical approach. Integrate digital best practices for all your employees and strengthen your cyber-defense arsenal.

The basic rule: never give out personal information

Establish strict processes for the transmission of sensitive information. No confidential data (IDs, passwords, bank details, etc.) should be shared by e-mail or telephone. This rule must be respected 100% of the time.

Even if the request seems to come from management, it must not be validated under any circumstances. On the contrary, it calls for even greater vigilance.

Our advice: for this type of request, put in place a reporting protocol that must be followed by all employees, on pain of sanction.

Train your teams and make them aware of the risks of phishing

Training must be tailored to the specific risks faced by each department. Finance teams, who are often confronted with "president fraud" (CEO fraud), need to focus on this type of threat.

Members of senior management, on the other hand, should focus on whaling, which concerns them directly. Organize regular training sessions with examples. We also recommend testing your teams' vigilance with simulated attacks.

Use an effective spam filter

Invest in a multi-layer filtering solution to reinforce your protection against phishing. To do this, select a tool that combines several detection approaches:

  • Heuristic and behavioral analysis.

  • Comparison with a database of malicious senders.

  • Artificial intelligence technologies to identify zero-day threats.

Install and update an effective anti-malware solution

Integrate anti-phishing protection into your overall IT security strategy. After all, despite all the precautions in the world, the phisher may succeed in deceiving one of your employees. In this case, you can't afford not to have a comprehensive anti-malware solution. It represents your last line of defense and must be deployed on all your company's workstations.

💡 When making your choice, focus on the following features:

  • real-time protection,
  • behavioral analysis,
  • URL verification,
  • malicious site blocking,
  • file modification monitoring (ransomware).

Make sure that the software is easy to use, especially if you don't have your own cybersecurity division.

What to do in the event of a successful attack?

Despite comprehensive human and technological protection, there is no such thing as zero risk. Here's how to react in the event of a successful phishing attack by a cybercriminal.

React quickly and report the incident

In the event of an attack, your first reflex should be to immediately disconnect the infected device from the Internet and your internal network. From another secure device, change the passwords of any potentially compromised accounts.

Then immediately report the incident to your IT security manager.

Once this first step has been validated, contact the other organizations concerned:

  • Contact your bank if your account information has been disclosed.

  • Report the fraud to the police and other relevant authorities.

  • Inform the organization whose identity has been stolen.

Assess the extent of the damage

Identify exactly what information and data has been compromised. Scan your system for malware using anti-malware software. If malware is detected, follow the procedure recommended by your tool.

Implement a recovery plan

If you believe the integrity of your workstation has been compromised, completely reinstall the device's operating system. We also advise you to set up a backup system so you can restore a pre-attack version.

Learn from the attack and optimize your security

Analyze the attack in detail to identify and remedy any security flaws. Following this analysis, train your teams accordingly and improve your IT security procedures.

Anti-phishing software: our top 4

If you're looking for a tool to protect your systems from phishing, here's our selection of the best software on the market:

  1. Altospam: The #1 solution for corporate mailbox protection. Thanks to its Mailsafe software, you benefit from a heuristic analysis that reduces false positives to less than 0.01%. The solution integrates seamlessly with Google Workspace and Microsoft 365.

  2. Barracuda Email Protection: Comprehensive protection against phishing, ransomware and malware using advanced behavioral and heuristic analysis techniques plus AI technology.

  3. Phished: An approach focused on employee training with results that speak for themselves: a reduction in the phishing rate from 40.5% to less than 5% among their customers.

  4. Cofense: A combination of attack simulations and a global reporting network to stay ahead of hacker innovations.

Definition of phishing: what does it mean?

Phishing is an IT risk that affects all organizations, whatever their sector or size. Despite the attention paid to the subject by cyber defense professionals and the authorities, phishing has never been so widespread. The reason? With AI, techniques are evolving.

Gathering information on a target is faster, and phishing techniques are even more effective. A case in point: video calls featuring convincing deepfakes.

Phishing reminds us of a fundamental truth: technology alone is not enough in cybersecurity. A methodical culture of doubt, respect for procedures and personal vigilance are also essential.

Article translated from French


Maëlys De Santis, Growth Managing Editor, started at Appvizer in 2017 as Copywriter & Content Manager. Her career at Appvizer is distinguished by her in-depth expertise in content strategy and content marketing, as well as SEO optimization. With a Master's degree in Intercultural Communication and Translation from ISIT, Maëlys also studied languages and English at the University of Surrey. She has shared her expertise in publications such as Le Point and Digital CMO. She contributes to the organization of the global SaaS event, B2B Rocks, where she took part in the opening keynote in 2023 and 2024.

An anecdote about Maëlys? She has a (not so) secret passion for fancy socks, Christmas, baking and her cat Gary. 🐈‍⬛