Expanded Definition: Phishing

What is phishing?

With so many cybersecurity tools available today, humans are often the weakest point in an organization’s cybersecurity posture. We’re curious creatures, and it’s often tempting to open that mysterious email, click that link, or download that attachment. Phishing is built to exploit exactly those temptations.

Phishing Definition

If you’re looking for a phishing definition, it’s straightforward: Phishing is a form of social engineering in which threat actors pose as a trusted source to trick users into an action that compromises their account, device, or network. As the name implies, these threat actors are fishing for someone who will hand over credentials or other details that can be exploited for financial gain or further access—and they often get a bite.

In fact, according to the 2020 Verizon Data Breach Investigations Report (DBIR), 22% of breaches involved social engineering, and 96% of those social attacks arrived through email.

Oftentimes, phishing takes the form of emails that:

  • Appear to come from an important organization, such as a service or software provider
  • Look like they come from a trusted colleague or employee

These emails may ask the user to do something, including:

  • Sending sensitive information over email
  • Wiring money or sending payment somewhere
  • Clicking a link to “reset” a password, which actually leads to a spoofed login page that captures the real credentials
  • Replying with personal information or other credentials
  • Downloading a file (which can contain ransomware or other malware)

Phishing poses a significant risk to organizations of all sizes: from large enterprises to small and mid-sized businesses (SMBs), any individual, company, or industry can fall prey to a phishing attempt. 

The MSP role in stopping phishing

Even with great training, firewalls, antivirus software, and email filtering, phishing presents an ongoing concern for organizations of all sizes. Social engineering attacks such as phishing and its cousin smishing (phishing via SMS / text messages) continue to be common forms of attack because they are effective. 

MSPs can help clients defend against phishing in several ways.

1. Provide tools to catch bad emails and prevent damage

One of the best ways to prevent an end user from engaging with a phishing email is to prevent them from ever receiving it in the first place. Strong spam and email filtering tools can help block many phishing emails.

In the event that a phishing email breaks through and a cybersecurity incident occurs, MSPs can help organizations by catching the problem quickly (see point number three below) and addressing the problem with strong anti-malware software. By moving quickly, MSPs can reduce the impact of possible malware, such as viruses or ransomware.

2. Offer cybersecurity training to clients 

When bad emails do slip through filters, ideally the end user will know better than to respond, share information, or download an attachment. The only way they can learn that, however, is with training.

With headlines about cybersecurity breaches, you’d be surprised how many end users still ask: “what is phishing, anyway?” MSPs can help their clients prevent risky behaviors by offering cybersecurity training to employees. 

For example, a cybersecurity training session could include:

  • A phishing definition, information on phishing emails, and what to look for
  • How to securely manage passwords and other account information
  • Caution in web browsing and email usage, especially on mobile devices 
  • Best practices for keeping their physical laptops, desktops, or mobile devices secure

A little education can go a long way when it comes to phishing. With the right awareness, end users may think twice before emailing a password, sharing a sensitive document, entering credentials into an online form, or downloading a potentially dangerous file.

3. Monitor every endpoint, all the time 

Phishing is a widespread phenomenon, so it’s possible for an incident to occur even with great cybersecurity tools and training. That’s why an around-the-clock, robust endpoint management program is crucial to protecting clients from not only phishing attempts, but from a range of other cybersecurity threats as well.

MSPs should use a remote monitoring and management (RMM) tool to keep an eye on every endpoint, all the time. With ongoing visibility into clients’ systems, MSPs can keep an eye out for any unusual activity, reset passwords as needed, and investigate unauthorized programs or suspicious activity.

FAQs

What is a phishing attack?

Phishing is a type of social engineering attack where attackers use some type of “bait” to lure end users into opening malicious emails, clicking malicious links, or downloading infected attachments. These attacks play on human curiosity and trust, and they target employees in every role, not only those outside IT. Often, phishing emails come from fake or compromised accounts posing as trusted sources. If end users aren’t trained to recognize these emails, they can be very easy to fall for.

How can you tell if an email is a phishing attempt?

Phishing attacks come in many formats, so it can be hard to tell whether a particular email is malicious. Here are five signs to train your clients’ teams to look for:

  1. Spelling errors – Attackers sometimes misspell words intentionally to dodge keyword-based spam filters, and many phishing emails are simply written carelessly. Sloppy text from a supposedly professional sender is a warning sign.
  2. Unusual requests – Attackers posing as a company or an executive may ask users to buy gift cards and send back the codes, change payroll or bank details, or hand over personal information. Any request that is out of the ordinary, or that pressures the recipient to act immediately, deserves a second look.
  3. Asking for personal information – Be wary of fake invoices or emails that appear to come from government agencies and ask users to confirm contact or account details. Legitimate organizations won’t ask for passwords or other sensitive information via email.
  4. Strange email addresses – Legitimate companies send from their own domain. For example, if a user receives an email that displays “Costco Wholesale” as the sender but the actual address is “…@cbcbuilding.com”, it should raise a red flag. Train users to look at the full address rather than just the display name, and to be suspicious when the Reply-To address belongs to a different domain than the sender.
  5. Unusual email content – If the subject of an email seems strange or irrelevant to the recipient’s work, it may be a phishing scam. Avoid clicking links or giving information in any email that asks you to send money to a sick family member, invest in a new startup, or promises amazing returns on a can’t-miss investment.
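Signs 4 and 5 above can be checked mechanically before a message ever reaches a user. The following Python script is an added example written for this page, not code from the original article or from any ConnectWise product. It parses a raw email with the standard library, flags a brand named in the display name or subject that is not sent from that brand’s real domain, flags a Reply-To domain that differs from the From domain, and flags links whose visible text shows one URL while the href points to another host. Both sample messages, the brand-to-domain table, and all addresses and domains in them are constructed for the example (costco.com is used only because the text above uses that brand); in practice the table would be built from the client’s actual vendor list.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for this example; it is not a real phishing email.
# It shows the three red flags the checks below look for.
PHISHING_SAMPLE = """\
From: "Costco Wholesale Membership" <alerts@cbcbuilding.com>
Reply-To: refunds@mail-verify.example
To: employee@client.example
Subject: Your Costco membership is suspended - verify today
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Costco Member, please
<a href="http://cbcbuilding.com/login">https://www.costco.com/account</a>
to restore access.</p></body></html>
"""

# Constructed message that should pass: the brand matches its real domain,
# there is no divergent Reply-To, and link text matches the link target.
LEGITIMATE_SAMPLE = """\
From: "Costco Wholesale" <news@costco.com>
To: employee@client.example
Subject: Your Costco monthly statement
Content-Type: text/html; charset="utf-8"

<html><body><p>View it at
<a href="https://www.costco.com/statement">https://www.costco.com/statement</a></p></body></html>
"""

# Brand keyword -> domains that brand legitimately sends from.
# Assumption for this example; a real deployment would maintain this per client.
KNOWN_BRAND_DOMAINS = {"costco": {"costco.com"}}

# Simple anchor matcher for HTML bodies; enough for the constructed samples.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(addr) -> str:
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, address = parseaddr(str(addr or ""))
    return address.rpartition("@")[2].lower()


def _host_matches(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def analyze(raw_message: str) -> list:
    """Return a list of human-readable red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw_message, policy=default)
    flags = []

    from_domain = _domain(msg["From"])
    display_name = parseaddr(str(msg["From"] or ""))[0]
    subject = str(msg["Subject"] or "")

    # Sign 4: a known brand is claimed, but the actual sender domain is not theirs.
    claimed = (display_name + " " + subject).lower()
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in claimed and not any(_host_matches(from_domain, d) for d in domains):
            flags.append(f"brand '{brand}' claimed but sent from {from_domain}")

    # Replies are routed to a different domain than the visible sender.
    reply_domain = _domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Sign 5: link text displays one URL while the href leads to another host.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in ANCHOR_RE.findall(html):
        shown = text.strip()
        if shown.startswith(("http://", "https://")):
            shown_host = urlparse(shown).hostname or ""
            real_host = urlparse(href).hostname or ""
            if shown_host != real_host:
                flags.append(f"link text shows {shown_host} but points to {real_host}")

    return flags


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(name, analyze(sample) or ["no red flags"])
```

Running the script prints three flags for the constructed phishing sample (brand mismatch, divergent Reply-To, link text and href on different hosts) and none for the legitimate one. These heuristics are a training aid and a cheap first-pass filter, not a substitute for a mail gateway: a lookalike domain such as a misspelled brand name will pass the brand check unless it is in the table, which is why the same checks should be taught to users as habits rather than trusted as a gate.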

What is a phishing email?

A phishing email is an email used as “bait” to trick end users into giving away sensitive data or running malicious code. These emails may request personal information or login credentials, or prompt the user to click a malicious link or download a malicious file. 

Where can phishing emails be reported?

In the United States, the Federal Trade Commission (FTC) recommends forwarding phishing emails to the Anti-Phishing Working Group at reportphishing@apwg.org and reporting the attempt to the FTC at ReportFraud.ftc.gov. If anyone on your team or your clients’ teams receives a suspected phishing email, it should also be reported internally so the MSP can check whether the same message reached other mailboxes.

Additional resources

How to Conduct an Effective Cybersecurity Analysis: A Guide for MSPs

Do your clients know their risks? A cybersecurity analysis can reveal areas of risk—such as employee education around phishing—and offer an opportunity to educate clients on how they can improve their cybersecurity posture.

Blog post >>
The SMB Cybersecurity Checklist

Chances are, your SMB clients may not fully understand their risks and exposures. Use this 30-item checklist to start the conversation around cybersecurity, help them understand the cybersecurity landscape, and assess their security posture.

Checklist >>
MSP+ Cybersecurity Framework & Playbooks

If you want to expand your offerings to include cybersecurity support, take a look at our MSP+ framework and playbooks. This starter kit includes information on where to start, how to expand, and what your MSP needs to be thinking about today.

Playbooks >>
Creating Opportunity from Adversity: The State of SMB Cybersecurity in 2020

SMBs are not immune from cybersecurity risks—quite the contrary. Our 2020 survey of 700 SMB decision makers uncovered interesting findings about how these businesses are thinking about cybersecurity, their spending plans, and what motivates them when it comes to security.

Report >>
The Basics of Cybersecurity Training for End Users

Your clients need training so that they can help keep themselves safe from cybersecurity threats—but what should that training include? This post from a ConnectWise cybersecurity expert lays out several key areas to cover in cybersecurity training.

Blog post >>
Should You be Offering Security Awareness Training?

All it takes is a click to fall prey to a phishing email, but many of your clients’ employees may not understand what to look for and when to be suspicious. This blog post explores the value of providing security awareness training for clients.

Blog post >>
Five Email Security Gaps Your Clients are Probably Overlooking

Email is one of the most basic tools for businesses today—it’s impossible to exist without it. And yet, email can pose a big threat via phishing. This post explores some of the things your MSP’s clients may be missing when it comes to protecting their inbox and company.

Blog post >>