Phishing is a form of attack where criminals deceive their victims into revealing sensitive information, such as login credentials and credit card details, through fake emails, websites, messages, or malware. Cybercriminals convey a sense of urgency to convince their victims to click on a link or provide sensitive information over the phone, for instance, leading them to perform an action that is not in their best interests.
Phishing is the most common form of social engineering attack and can occur through vishing, smishing, whaling, spear phishing, or pharming. This attack vector is popular with hackers because it’s often easier to trick an individual into sharing personal information than forcing entry into a company’s network or systems. Yet, successful phishing attacks can lead to credit card fraud, ransomware attacks, and data breaches for a business, resulting in huge financial and reputational losses.
How does a phishing attack work?
With phishing attacks, victims are manipulated by fraudsters who pretend to be an authority figure like an official from the IRS or someone the victim knows like a family member or business supplier. One way they gather the details they need to fool their victims is through social media, learning about the person’s likes and dislikes, and hobbies and affiliations, for instance.
How can banks reduce the risk of phishing attacks?
Financial institutions can protect themselves and their customers from phishing attacks through security awareness training, as well as by keeping their security technology up-to-date with multi-factor authentication measures, behavioral analytics, and machine learning tools that detect and stop financial fraud.
Example:
A hacker poses as a FedNow employee. They send an email to their victim requesting them to change their login details. The email implies a sense of urgency regarding an issue with the individual’s account that needs to be resolved, or their account will be suspended. If the user clicks on the malicious link in the email they are directed to a fake website where their login details are collected by the fraudster when they type them in.