
Phishing: what you need to know before replying to this "urgent email"?

By Maëlys De Santis

Published: 30 April 2025

Phishing is one of the most common cyber threats. Here's a figure to prove it: in 2023, 1.76 billion fraudulent URLs were sent around the world (source: Stoïk 2023 Cyber Claims Report).

What are the characteristics of this type of online attack? How can you protect yourself? What are the best anti-phishing tools? Here's everything you need to know to minimise the risks and impact of phishing on your business.

Definition of phishing

What is phishing?

Phishing is a cyber attack based on the principle of social engineering. In practical terms, this means that the heart of the scam lies in human error (overconfidence, lack of vigilance, etc.), rather than a genuine technical flaw.

In a phishing attempt, a hacker impersonates one of your trusted contacts to send you an urgent email or message. The hacker usually acts in the name of an institution (bank, delivery company, partner, customer, etc.), but in more targeted attacks they may also pose as a colleague or a superior.

The message asks you to "update" or "confirm" your data, citing a supposed technical error, system update or similar pretext.

🔎 In reality, the hacker's aim is to recover personal or banking data in order to exploit it.

Typical sequence of a phishing attack

  1. Preparation: selection of targets, collection of the information needed to be credible and choice of strategy.

  2. Distribution: mass or targeted distribution of fraudulent messages using hijacked domain names.

  3. Creation of a sense of urgency and exploitation of authority. The fraud appears credible: the message has a coherent context and copies visual elements (such as the company logo).

  4. Data capture through redirection to a fake domain name or input form.

  5. Use of identifiers, transfer of money to an account, resale of data on the dark web.

  6. After the operation, deletion of fraudulent sites, concealment of the origin of the attack.

The different types of phishing

There are several types of phishing, depending on the intended victim and the channel used:

  • Classic email phishing: a generic email sent en masse impersonating legitimate organisations (banks, online services). The victim is then redirected to a domain name that replicates the original sites. 💌

  • Spear phishing: a targeted attack, preceded by research into the intended victim, that delivers a personalised message.

  • Whaling: a phishing attack that specifically targets "big fish" (executives, managers, etc.) with sophisticated messages and high financial stakes. 🐋

  • Smishing: a form of phishing which is carried out by SMS with a short message encouraging the user to click on a link. 📲

  • Vishing: phishing by telephone or videoconference, pretending to be a member of an official organisation.

  • Quishing: phishing that delivers the malicious link through a QR code.

Spam and phishing: what are the differences?

Spam and phishing are both classified as unwanted messages. Spam is an unsolicited e-mail sent en masse to promote a product or service. It is invasive, but does not involve any element of fraud. There is no identity theft or information theft, just aggressive advertising.

What does a phishing attack look like?

How do you recognise a phishing attack? Here are the various signs that you may be a victim of phishing.

Clue no. 1: a suspicious sender address

In a phishing attack, the hacker uses a sender address that mimics an institution's but differs slightly. Pay attention to the "." and "-", the numbers and the order of the words in the address.

Example: amazon-service@gmail.com instead of service@amazon.com.

Clue no. 2: pay attention to visual details

Pay close attention to logos, headers and the general layout of emails. Phishing attempts often use slightly altered versions of official visual identities: poor quality logos, slightly different colours, unsuitable fonts. These small differences help you to identify the counterfeit!

Clue no. 3: spelling and grammatical errors

With mass phishing, it's not uncommon to find numerous spelling mistakes in the messages sent. Of course, the more sophisticated the attempt, the fewer errors the email will contain. However, you can still spot wording that does not match your organisation's usual communication conventions.

Note: with artificial intelligence now widely available, hackers' messages are becoming more polished too.

Clue no. 4: generic greetings

Mass phishing does not bother with personalisation. So be very wary of e-mails that start with "dear customer" or "dear colleague" and contain no personalised element.

☝️ But be careful, because cases of spear phishing or whaling can still include targeted information about you and the person you think is the sender.

Clue no. 5: the impression of excessive urgency

It is very rare for companies, institutions and service providers to close your account without prior warning. When you receive a threat of this type at very short notice, you are certainly the target of a phishing attack.

✅ Your first instinct should be to contact the organisation in question (via a channel other than the link provided) to verify the information.

Clue no. 6: requests for sensitive information

It's very important to make your teams aware of the following idea:

No legitimate organisation will ever ask you for your confidential information by email or message.

If your employees have this in mind, it is virtually impossible to fall victim to phishing.

Requests for full passwords, bank card numbers with security codes, or copies of identity documents should be an immediate warning signal.

What are the risks associated with phishing?

To fully understand the risks associated with phishing, there's nothing better than a few examples.

❌ From 2013 to 2015, a fraudster took more than $100 million from Facebook and Google by posing as the company Quanta, a partner of both. He issued false invoices in Quanta's name, and the two giants paid them. As you can see, even the big names on the web are not immune to phishing.

❌ In 2015, spear phishing allowed hackers to plant malware in the control systems of Ukrainian power stations. The result was nationwide power outages.

❌ A final example: in 2016, the Austrian aerospace firm FACC fell victim to a whaling attack. The company's finance department sent almost €42 million to hackers posing as the company's CEO.

The main risk for organisations is financial. But the consequences don't stop there. Companies that fall victim to phishing can lose much of their essential data and damage their reputation with customers and partners.

How can you protect yourself against phishing?

To protect your organisation from phishing attacks, you need to combine a human and technical approach. Incorporate good digital practices for all your employees and strengthen your cyber-defence arsenal.

The basic rule: never give out personal information

Establish strict processes for the transmission of sensitive information. No confidential data (identifiers, passwords, bank details, etc.) should be shared by email or telephone. This rule must be respected 100% of the time.

Even if the request seems to come from management, it must not be validated under any circumstances. On the contrary, it should call for even more vigilance.

Our advice: for this type of request, put in place a reporting protocol that must be followed by all employees, or they will be penalised.

Train your teams and make them aware of the risks of phishing

Training must be tailored to the specific risks of each department. Finance teams, who are often confronted with "president fraud" (CEO fraud), should focus on this type of threat.

Members of senior management should be made aware of whaling, which concerns them directly. Organise regular training sessions with examples. We also recommend that you test your teams' vigilance with simulated attacks.

Use an effective spam filter

Invest in a multi-layer filtering solution to strengthen your protection against phishing. To do this, select a tool that combines several detection approaches:

  • Heuristic and behavioural analysis.

  • Comparison with a database of malicious senders.

  • Artificial intelligence technologies to identify zero-day threats.
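The clues listed above (suspicious sender address, generic greeting, urgency, requests for confidential data) and the heuristic and malicious-sender layers of a filter are easy to turn into code. The following Python script is an added example, not code from the article or from any of the vendors it names. The brand domains, free-webmail list, blocklist entry and sample messages are all constructed for the example; a real deployment would maintain its own lists and tune the weights and thresholds.

```python
"""Heuristic phishing triage over constructed sample messages (added example).

A small, readable scorer that turns the article's clues into checks a mail
gateway or a SOC triage script could apply. Lists and samples are constructed.
"""
from email.utils import parseaddr

# Brands we expect mail from and the domains they really send from
# (constructed list for this example; maintain your own in production).
KNOWN_BRANDS = {
    "amazon": {"amazon.com", "amazon.co.uk", "amazon.fr"},
    "paypal": {"paypal.com"},
}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# Stand-in for the "database of malicious senders" a filter consults (constructed).
SENDER_BLOCKLIST = {"billing@secure-account-update.example"}

URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended", "will be closed")
SENSITIVE_TERMS = ("password", "card number", "security code", "identity document", "bank details")
GENERIC_GREETINGS = ("dear customer", "dear colleague", "dear user")

# Digit-for-letter swaps common in lookalike domains: 0->o, 1->l, 3->e, 5->s.
_DIGIT_SUBS = str.maketrans("0135", "oles")


def normalise(text):
    """Lower-case, undo digit substitutions and drop hyphens and dots, so that
    'Amaz0n-Service' and 'amazon.service' both compare as 'amazonservice'."""
    return text.lower().translate(_DIGIT_SUBS).replace("-", "").replace(".", "")


def brands_mentioned(text):
    """Brand names found in `text` after normalisation."""
    normalised = normalise(text)
    return {brand for brand in KNOWN_BRANDS if brand in normalised}


def sender_findings(from_header):
    """Clue no. 1: check the From: header. Returns a list of (weight, reason)."""
    findings = []
    display_name, address = parseaddr(from_header)
    local_part, _, domain = address.rpartition("@")
    domain = domain.lower()
    if address.lower() in SENDER_BLOCKLIST:
        findings.append((5, f"sender {address} is on the malicious-sender list"))
    # A brand named in the display name, the local part or the domain itself
    # must be backed by one of that brand's genuine domains.
    for brand in brands_mentioned(display_name + " " + local_part) | brands_mentioned(domain):
        if domain in KNOWN_BRANDS[brand]:
            continue  # genuine domain for that brand
        if domain in FREEMAIL_DOMAINS:
            findings.append((3, f"claims to be {brand} but is sent from free webmail {domain}"))
        elif brand in normalise(domain):
            findings.append((3, f"{domain} is a lookalike of {brand}'s real domains"))
        else:
            findings.append((2, f"{brand} is named in the sender but {domain} is not one of its domains"))
    return findings


def content_findings(subject, body):
    """Clues 4 to 6: generic greeting, pressure to act fast, requests for confidential data."""
    findings = []
    text = f"{subject} {body}".lower()
    if body.lower().lstrip().startswith(GENERIC_GREETINGS):
        findings.append((1, "generic greeting, no personalisation"))
    urgent = [term for term in URGENCY_TERMS if term in text]
    if urgent:
        findings.append((min(2, len(urgent)), "pressure to act fast: " + ", ".join(urgent)))
    sensitive = [term for term in SENSITIVE_TERMS if term in text]
    if sensitive:
        findings.append((2, "asks for confidential data: " + ", ".join(sensitive)))
    return findings


def assess(message):
    """Score one message dict with keys 'from', 'subject', 'body'.
    Returns (score, verdict, reasons); the thresholds are illustrative."""
    findings = sender_findings(message["from"]) + content_findings(message["subject"], message["body"])
    score = sum(weight for weight, _ in findings)
    verdict = "likely phishing" if score >= 4 else "suspicious" if score >= 2 else "low risk"
    return score, verdict, [reason for _, reason in findings]


# Constructed sample messages modelled on the article's clues (not real mail).
SAMPLES = [
    {"from": "Amazon Customer Service <amazon-service@gmail.com>",
     "subject": "Urgent: your account will be closed",
     "body": "Dear customer, confirm your password within 24 hours to keep your account."},
    {"from": "PayPal Security <alert@paypa1-secure.example>",
     "subject": "Unusual activity detected",
     "body": "Dear user, verify your card number immediately or access will be suspended."},
    {"from": "Amazon <no-reply@amazon.com>",
     "subject": "Your order has shipped",
     "body": "Hello Maelys, your parcel is on its way and will arrive on Thursday."},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        score, verdict, reasons = assess(msg)
        print(f"{msg['from']}: {score} ({verdict})")
        for reason in reasons:
            print("  -", reason)
```

Each finding carries its reason, so a reviewer can see why a message scored high rather than just that it did. Keyword lists like these are deliberately crude: they catch the mass-phishing patterns the article describes, and a genuine newsletter mentioning "password" will score a point, which is why the verdict should route mail to a quarantine or a human check rather than delete it outright.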

Install and update an effective anti-malware solution

Integrate your anti-phishing protection into your overall IT security strategy. After all, despite all the precautions in the world, the phisher may succeed in deceiving one of your employees. In that case, you can't afford not to have a comprehensive anti-malware solution. It represents your last line of defence and must be deployed on all your company's workstations.

💡 When making your choice, focus on the following features:

  • real-time protection,
  • behavioural analysis,
  • URL verification,
  • blocking of malicious sites,
  • and file modification monitoring (ransomware).

You should also make sure that the software is easy to use, especially if you don't have a cyber-security division.

How do you react in the event of a successful attack?

Despite comprehensive human and technological protection, there is no such thing as zero risk. Here's how to react in the event of a successful phishing attack by a cybercriminal.

React quickly and report the incident

In the event of an attack, your first instinct should be to immediately disconnect the infected device from the Internet and your internal network. From another secure device, change the passwords of potentially compromised accounts.

Then immediately report the incident to your IT security manager.

Once this first step has been validated, contact the other organisations concerned:

  • Contact your bank if your account details have been disclosed.

  • Report the fraud to the police and other relevant authorities.

  • Inform the organisation whose identity has been usurped.

Assess the extent of the damage

Identify exactly what information and data has been compromised. Consider scanning your system with anti-malware software to detect the presence of any malicious software on your workstation. If malware is detected, follow the procedure recommended by your tool.

Implement a recovery plan

If you think the integrity of your workstation has been compromised, completely reinstall the operating system. You are also advised to set up a backup system so that you can restore a version prior to the attack.

Learn from the attack and optimise your security

Analyse the attack in detail to identify and remedy any security flaws. Following this analysis, train your teams accordingly and improve your IT security procedures.

Anti-phishing software: our top 4

If you are looking for a tool to protect your systems from phishing, here is our selection of the best software on the market:

  1. Altospam: The No. 1 solution for protecting corporate mailboxes. Thanks to its Mailsafe software, you benefit from a heuristic analysis that reduces false positives to less than 0.01%. The solution integrates seamlessly with Google Workspace and Microsoft 365.

  2. Barracuda Email Protection: Comprehensive protection against phishing, ransomware and malware using advanced behavioural and heuristic analysis techniques in addition to AI technology.

  3. Phished: An approach focused on employee training with results that speak for themselves: a reduction in the phishing rate from 40.5% to less than 5% among their customers.

  4. Cofense: A combination of simulated attacks and a global reporting network to stay ahead of hacker innovation.

Definition of phishing: what does it mean?

Phishing is an IT risk that affects all organisations, whatever their sector or size. Despite the attention paid to the subject by cyber defence professionals and the authorities, phishing has never been more widespread. The reason? With AI, techniques are evolving.

Information can be gathered more quickly, and phishing techniques are even more effective. One example: video calls featuring highly convincing deepfakes.

Phishing reminds us of a fundamental truth: technology alone is not enough in cybersecurity. A methodical culture of doubt, respect for procedures and personal vigilance are also essential.

Article translated from French

Maëlys De Santis

Maëlys De Santis, Growth Managing Editor, Appvizer

Maëlys De Santis, Growth Managing Editor, started at Appvizer in 2017 as Copywriter & Content Manager. Her career at Appvizer is distinguished by her in-depth expertise in content strategy and marketing, as well as SEO optimization. With a Master's degree in Intercultural Communication and Translation from ISIT, Maëlys also studied languages and English at the University of Surrey. She has shared her expertise in publications such as Le Point and Digital CMO. She contributes to the organization of the global SaaS event, B2B Rocks, where she took part in the opening keynote in 2023 and 2024.

An anecdote about Maëlys? She has a (not so) secret passion for fancy socks, Christmas, baking and her cat Gary. 🐈‍⬛