The term “phishing” comes from “fishing”: scammers fish for sensitive information by posing as a trusted authority, such as a legitimate company or a senior employee. Email phishing is the most common type of phishing.
Email phishing is a form of scam in which online attackers send malicious emails designed to deceive recipients. These attacks aim to manipulate recipients into handing over sensitive data such as financial information, business secrets, login information, or system credentials. The most common technique is to create a sense of fear and urgency so that the recipient performs an action without reflection, such as clicking a malicious link or downloading a file containing malware.
Email phishing is also a social engineering technique. Attackers study user behavior in order to craft manipulation techniques that lead people into being scammed. The goal of social engineering is to steer users into acting without thinking about what they are doing.
High-risk industries for email phishing
Types of email phishing
How does email phishing work?
An example of email phishing
Typical phrases used in phishing emails
How to secure your email from email phishing
How to protect your organization from email phishing
Here are a few examples of the industries that are commonly targeted by email phishing:
The common goal of many cyber-attacks is financial gain. Thus, targeting financial institutions, which handle vast amounts of money, is extremely common.
Another common goal of online attackers is identity theft. By impersonating a trusted social media network, attackers aim to collect login information and steal connected accounts and personal information.
By posing as e-commerce stores, cyber-criminals aim to steal financial information such as credit card data.
Malicious links are typical in phishing emails. When a recipient clicks one, it usually leads to a fraudulent website or to a webpage infected with malicious software, also known as malware.
Fraudulent links are made to appear trustworthy by using logos, company names, and credible images within the email. On closer inspection, however, it is possible to spot errors or anomalies in the link. (More on how to secure your email from email phishing below.)
Malicious email attachments might look like legitimate file attachments, but they are actually infected with malware that can compromise computers and their files.
For example, ransomware (a type of malware) can make all of the files on the computer inaccessible. Another example of a malicious attachment is a keystroke logger, software installed to record everything a user types, including passwords.
Additionally, malware infections can spread from an infected computer to other networked devices such as servers and cloud systems.
These emails direct users to data entry forms to fill in sensitive information such as user IDs, passwords, credit card data, or phone numbers. Once users submit their information, it can be used by online criminals.
Anyone can be a target of email phishing – it can happen in one’s personal email as well as business email at work. The consequences of email phishing are severe in both cases.
The intention of most phishing schemes is to steal your login credentials (your username or email address and the associated password).
Problems that can come from email phishing attacks on your personal email include, for example:
Cybercriminals target businesses to gain access to sensitive information, data, business secrets, and money. Falling for an email phishing scam at work can lead to serious consequences including, for example:
Mary receives an email from her bank saying that she needs to update her credit card PIN as a security measure within the next 24 hours. She acts quickly and follows the link provided in the email. She enters her credit card PIN and the supposedly new credit card details, after which the website becomes unresponsive.
In a few hours, she notices a big purchase made on a random website with her credit card. She contacts her bank, and it turns out the email was not from her bank. It was an email phishing scam.
Online attackers most often use the word ‘request’ in phishing email subject lines, as the subject line is the first attempt to lure victims into opening the email and clicking the malicious links or downloading a malware attachment.
Other popular key phrases can be: ‘follow up’, ‘urgent’, ‘important’, ‘payment status’, ‘invoice due’, ‘direct deposit’, ‘expenses’, and ‘payroll’.
One of the key precautions is to take your time to read and evaluate what has been sent to you: start with the sender and the subject line, then move on to the email content, including images, logos and, most importantly, links and any attachments. Be cautious no matter what the email is suggesting.
A feeling of urgency and requests for personal data via embedded links are all warning signs. Take a good look at the sender’s email address. The email address often emulates legitimate company or authority names, but there might be small changes and errors in letters.
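The warning signs named so far (a sender domain that imitates a trusted one with a letter changed, bait phrases in the subject line, and a link whose visible text names a different domain than its real target) can be checked mechanically. The following is an added example, not code from the original article; the trusted-domain list, addresses and links in it are constructed.

```python
import difflib
import re
from urllib.parse import urlparse

# Subject-line phrases the article lists as common phishing bait.
BAIT_PHRASES = ("request", "follow up", "urgent", "important", "payment status",
                "invoice due", "direct deposit", "expenses", "payroll")

# Constructed allow-list: domains this organisation legitimately receives mail from.
TRUSTED_DOMAINS = ("examplebank.com", "example.com")


def sender_domain(addr: str) -> str:
    """Lower-cased domain part of an address such as 'alerts@examplebank.com'."""
    return addr.rsplit("@", 1)[-1].strip().lower()


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, cutoff: float = 0.8):
    """Trusted domain that `domain` nearly matches (e.g. 'examp1ebank.com'), or None."""
    if domain in trusted:
        return None  # an exact match is legitimate, not a lookalike
    close = difflib.get_close_matches(domain, trusted, n=1, cutoff=cutoff)
    return close[0] if close else None


def bait_phrases_in(subject: str) -> list:
    """Bait phrases present in the subject line as whole words, in list order."""
    text = subject.lower()
    return [p for p in BAIT_PHRASES if re.search(rf"\b{re.escape(p)}\b", text)]


def link_mismatch(display_text: str, href: str) -> bool:
    """True when the visible link text names a domain other than the real target."""
    shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", display_text.lower())
    target = (urlparse(href).hostname or "").lower()
    # Plain text such as 'Click here' names no domain, so there is nothing to compare.
    return bool(shown) and not (target == shown.group(0)
                                or target.endswith("." + shown.group(0)))


def phishing_indicators(sender: str, subject: str, links=()) -> list:
    """Human-readable warning signs for one message; an empty list means none found."""
    found = []
    dom = sender_domain(sender)
    near = lookalike_of(dom)
    if near:
        found.append(f"sender domain {dom!r} resembles trusted {near!r}")
    elif dom not in TRUSTED_DOMAINS:
        found.append(f"sender domain {dom!r} is not on the trusted list")
    found += [f"subject contains bait phrase {p!r}" for p in bait_phrases_in(subject)]
    found += [f"link text {t!r} points to {h}" for t, h in links if link_mismatch(t, h)]
    return found
```

Heuristics like these are an aid to the reader's own inspection, not a replacement for it: a message with no indicators can still be phishing.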
Avoid clicking any links unless you are absolutely certain that the email comes from a trusted source. Online attackers also change the location of the “close” or “X” button on a popup window to trick users into opening a malicious site or downloading malware.
Secure your valuable information by changing your passwords frequently or by using a solution that protects your credentials for you. Make sure that your communication and data are well protected from malware by using updated data protection software.
Businesses are offered a variety of security tools – make sure that you select the right tools suitable for your business. The right secure business communication tools will offer businesses high-level, robust security and encryption in line with industry regulations and data privacy laws.
Don’t share financial or credit card data on a website that you are not familiar with. You should always deal with great caution with a website or an email that promises gifts or quick wins.
Remote working can create a risk for data protection as users often don’t have enterprise-level cybersecurity at home unless their employer provides the right tools. This may offer the attackers a higher chance of a successful email phishing campaign. It is extremely important for organizations to train their employees to be aware of online threats, such as email phishing.
Software and firmware developers release updates to remediate bugs and security issues. Remember to always install these updates to make sure known vulnerabilities are no longer present in your infrastructure.
Email encryption prevents messages from being read by unintended or unauthorized individuals. It scrambles the original message into an unreadable format that only the intended recipient can decrypt. Email encryption is essential, especially for businesses, when sharing sensitive information via email.
If you are sending sensitive or critical information, use a solution that verifies the sender before allowing the transmission of the email. Strong identification includes biometric, password-based, or token-based authentication. It is good practice to force the recipient to verify their identity before getting access to the email.
These two methods combined make email phishing more difficult to achieve.
MFA is an authentication method that requires the user to provide two or more verification factors to gain access to a resource. Rather than asking only for a username and password, MFA requires one or more additional factors, such as a PIN code sent via text message, which decreases the likelihood of a successful cyberattack.
There are ways for organizations to mitigate the risk of email phishing. We at SSH Communications Security recommend businesses send emails containing sensitive or critical information only by using solutions with enterprise-grade security.
An easy way to do that is to use encrypted secure email, like our SalaX Secure Mail. Its robust encryption ensures that the message cannot be intercepted in transit, and the sender-recipient verification and MFA give you the confidence that the email has been sent from a legitimate source and has been received only by the intended recipient(s).