How to Keep Your Business Safe From Phishing Scams?

Business organizations are increasingly being targeted by phishing activity, with over 88% of them reporting phishing attacks and 32% confirming a data breach. Hackers often lure the target into clicking on a link, visiting a website, opening a malicious attachment, or providing personal or financial information.

Phishing can be defined as the use of digital and telecommunication means to commit cybercrime. It is executed through various channels such as e-mail, text messages (SMS and chats), phone calls, etc. to lure victims into revealing personal or sensitive information. Phishing attacks can be classified into two types: those that steal information and those that deploy malware. Hence, phishing is often the initial step in a sophisticated breach operation. The malware that follows a successful phishing attack either extracts further detailed information (spyware) or causes significant disruption to systems (ransomware).

Is Phishing a Concern for Your Organization?

Yes, businesses of all sizes (small, medium, and large) are affected by phishing attacks, the obvious reason being the financial gains obtained through this process. Suppose a hacker is able to intrude on an organization's IT infrastructure. They can then deploy malware to encrypt or exfiltrate data that could be either sold on the dark web to competitors or sold back to the organizations it was stolen from in exchange for a ransom.

Studies have reported that, following the exponential rise in phishing attacks in 2019, 71% of these attacks were financially motivated, and business organizations lost more than $1.7 billion to phishing in the year 2019 alone. Though the primary mode of phishing attacks on organizations is e-mail (i.e., a system-based attack), with the development of mobile applications and their incorporation into organizations' digital infrastructure, mobile-based phishing attacks are on a continuous rise, with surveys reporting that 57% of surveyed organizations experienced mobile-based phishing attacks in the year 2019.

Types of Phishing Attacks Experienced by Businesses

E-mails, calls, and messages form a large part of organizations' operational processes (especially in IT organizations), with some departments, such as marketing, being completely dependent on them. As organizations send and receive hundreds of e-mails every day, it should not come as a surprise that 94% of malware is delivered by e-mail. Phishing attempts against business organizations need to be carefully crafted, as organizations have stronger security controls against cyberthreats than individuals do. Hence, hackers rely on the selected modes listed below.

  • Spear Phishing: As organizations and employees are protected by at least basic spam filters, hackers need to customize their e-mails to pose as vendors, clients, job applicants, entrepreneurs, or other legitimate entities. This process is known as spear phishing, and nearly 65% of attacks use spear phishing as the primary vector. Using such a method, hackers can send malware to these targets as an attachment; 48% of malicious attachments are Microsoft Office files.
  • Filter Evasion: Another method to get around or bypass an advanced spam filter involves filter evasion techniques such as using cloned e-mails or e-mails with a modified security certificate. Images can also be used in place of text to bypass basic text-based spam filters.
  • Whaling: Phishing attempts can also be customized for specific people with higher authority, such as executives, directors, network admins, etc., to obtain highly sensitive data or privileged credentials, which can later be used to gain privileged access to the organization's network. This customization to target high-authority profiles is also known as whale phishing or, for short, whaling.
  • Clone Phishing: Suppose the threat actors get hold of a previous e-mail or divert packets (eavesdrop on a conversation) between two parties (where one belongs to the target organization) through DNS-based attacks such as a man-in-the-middle attack. The hackers can then clone that specific e-mail to make the malicious message look like a follow-up or a reply containing a malicious attachment. This process is known as clone phishing and involves rigorous reconnaissance on the part of the hacker.
  • SMiShing and Vishing: With the increasing incorporation of mobile devices into organizations' IT infrastructure, hackers are stepping up their phishing attempts against mobile devices, with 87% of them using a method other than e-mail phishing, such as vishing (voice phishing) and SMiShing (SMS phishing). Using AI (artificial intelligence) technology, SMiShing and vishing can be further enhanced to carry out the attack more effectively.
  • USB Baiting: Not all phishing attacks require direct communication (such as e-mail, SMS, or calls). Attacks like USB baiting (USB dropping) do not contact the employees directly to spread malware into the organization's systems or network; instead, USB sticks loaded with malicious software are planted in places where the targets are likely to find them. Suppose an employee, out of curiosity, plugs the USB stick into a system. That creates an opportunity for the malware to intrude into that specific system, and by secretly escalating privileges, the malware could gain access to the complete network.
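As an added example (not from the original article and not OhPhish's code), the following Python triage check scores a message for several of the tactics listed above from a defender's side: a trusted brand borrowed in the display name or a lookalike sender domain (spear phishing and whaling), a Reply-To pointing to another domain (cloned reply threads), an image-only body (text-filter evasion), and an Office attachment. The domain names, the allow list and the sample message are constructed for the example.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

OFFICE_EXT = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx", ".ppt", ".pptm")  # subset

def score_message(raw: bytes, trusted_domains: set) -> list:
    """Return the phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    from_dom = addr.rsplit("@", 1)[-1].lower()
    # Trusted brand in the display name or a lookalike domain, but sender domain not allow-listed.
    if from_dom not in trusted_domains:
        brands = {d.split(".")[0] for d in trusted_domains}
        if any(b in name.lower() or b in from_dom for b in brands):
            flags.append("brand-impersonation")
    # A Reply-To on another domain routes the victim's answer to the attacker.
    reply = email.utils.parseaddr(msg.get("Reply-To", ""))[1]
    if reply and reply.rsplit("@", 1)[-1].lower() != from_dom:
        flags.append("reply-to-mismatch")
    text_chars, has_image, has_office = 0, False, False
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.get_content_disposition() == "attachment":
            has_office |= (part.get_filename() or "").lower().endswith(OFFICE_EXT)
        elif ctype in ("text/plain", "text/html"):
            body = part.get_content()
            has_image |= "<img" in body.lower()
            text_chars += len(re.sub(r"<[^>]+>", "", body).strip())
        elif ctype.startswith("image/"):
            has_image = True
    if has_image and text_chars == 0:
        flags.append("image-only-body")  # image in place of text evades text-based filters
    if has_office:
        flags.append("office-attachment")
    return flags

def build_sample() -> bytes:
    """Constructed sample resembling a cloned invoice reply; not a real message."""
    m = EmailMessage()
    m["From"] = "Acme Corp Finance <finance@acme-corp-billing.example>"
    m["Reply-To"] = "payments@freemail.example"
    m["To"] = "ap@acme.example"
    m["Subject"] = "RE: Invoice 4471 (attached)"
    m.set_content('<html><body><img src="cid:inv"></body></html>', subtype="html")
    m.add_attachment(b"PK\x03\x04 constructed placeholder", maintype="application",
                     subtype="vnd.ms-word.document.macroEnabled.12", filename="Invoice_4471.docm")
    return m.as_bytes()
```

Running `score_message(build_sample(), {"acme.example"})` returns all four indicators; a plain-text message from an allow-listed domain returns an empty list.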

Phishing Solutions That Organizations Can Implement

The prevention and mitigation of the various types of phishing attacks can be approached in two ways: organizations can deploy advanced anti-phishing software and solutions throughout their digital network, or they can train their employees on how to identify and respond to phishing attacks. Though many organizations have appropriate spam filters or related software installed on their systems, basic filters are largely ineffective against customized phishing attacks such as spear phishing or whaling. Similarly, theoretical knowledge about these attacks alone may not be sufficient. Even if your employees know about the different types of phishing and how they work, whether they can differentiate between an authentic e-mail and a phishing e-mail depends very much on their experience of dealing with phishing e-mails. Thus, it is important for organizations to ensure that their employees have practical experience of dealing with phishing attacks, which is only possible through simulation-based training and awareness programs.

OhPhish Phishing Solution

OhPhish provides a holistic phishing solution that combines training with phishing simulations that mimic real-life attack scenarios. By sending simulated phishing e-mails to your employees, you can gauge their level of susceptibility to phishing attacks and then train them to improve their understanding and awareness. As your employees can be considered both the first line of defense and the weakest link in the cybersecurity chain, the OhPhish simulation offers a wide range of customizable features for a thorough understanding of your employees' security awareness. Prominent OhPhish features include:

  • A web-based portal to test your employees' susceptibility to social engineering attacks
  • An application platform that captures simulation responses and generates detailed reports and trends (in real time) that can be tracked by user department, designation, office, etc.
  • Customizable phishing templates with the ability to assign multiple pieces of training in a single campaign
  • Customizable variants for vishing attacks, i.e., male or female voice option, Text 2 Speech, conference call, and playback of pre-recorded files
  • Targeted phishing campaigns (spear phishing and whaling) with flexible scheduling, i.e., time, date, and frequency of your campaigns
  • A wide collection of simulation templates for e-mail, SMS, and calls, which covers the most current phishing tactics and allows you to customize the level of difficulty
  • A baseline measurement of your employees' susceptibility to vishing, SMiShing, and e-mail phishing, so you can measure their progress against the baseline
  • A gamification module using the mobile application
  • Identification of critical systems and susceptible candidates based on behavior towards 'lost and found' USB sticks
  • Flexible user management with direct integration with Active Directory, Microsoft O365, Google, and the OhPhish Address Book
  • The CheckAPhish feature for reporting suspicious e-mails, with easy configuration and a plugin
  • Use of custom and legitimate domains to create spoofed phishing e-mails for employees, i.e., a customizable sender address with the option to select e-mail IDs that do not actually exist
  • An advanced reporting platform that includes branded reports, a board of directors report, API reporting, KPI reporting, and report exporting features
  • Deployment modes that include on-prem, SaaS (software as a service), and hybrid

Q. What are the different types of phishing scams?

A. There are multiple types of phishing attacks, such as e-mail phishing, spear phishing, whaling, angler phishing, SMiShing, and vishing.

Q. How to avoid phishing scams?

A. For a non-technical person, phishing prevention is improved through the anti-phishing education and awareness programs provided by reputable organizations such as OhPhish.

Q. Is an anti-phishing solution free?

A. EC-Council makes its anti-phishing solution, OhPhish, free for 30 days to help protect teleworkers and businesses.

Q. What is USB baiting?

A. Using physical media, baiters can leave an infected USB flash drive at an employee's desk, labeling it as "Executive Salary Summary."