Phishing is big business for cyber criminals. Phishing attacks rose by 65% last year, with the average attack costing mid-sized companies $1.6 million in 2017.
Phishing scams are a form of cybercrime that involves defrauding users to obtain sensitive information. Cybercriminals pose as legitimate companies or organizations to obtain it. Phishing is the ultimate social engineering attack, giving an attacker the scale and ability to go after hundreds or even thousands of users at once. Phishing scams involve sending out emails or texts disguised as coming from legitimate sources. They may look like they are from a trusted vendor or a law enforcement authority, but secretly they carry malware. These messages are specifically designed to trick the victim into opening them through fear and intimidation. Once a person opens one, the malicious software downloads onto their computer, and the cybercriminal is inside your system.

Common social engineering methods include sending messages with embedded URLs: once the recipient clicks the link, they are redirected to a phishing site. A phishing email can also carry a malicious attachment rigged with exploits, often with the claim that the attachment is an unpaid invoice that needs attention. What it all comes down to is access, and your employees are the first line of defense. Even if you are a small company, if you serve a large enterprise you are a desirable target: you can provide the portal that cybercriminals are looking for on the way to the big payoff of accessing a multinational corporation.
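The three lures described above (fear and urgency wording, an embedded link whose visible text does not match where it really points, and an "invoice" attachment carrying an executable) are all things a mail gateway or a helpdesk triage script can check for mechanically before a user ever sees the message. The following is an added example written for this page, not code from the original article or from any product it mentions; the sample messages, domains (`example-bank.com`, `evil-host.test`) and attachment names are constructed for the demonstration, and the keyword list and "last two labels" domain comparison are deliberately simple heuristics, not a substitute for a public-suffix-aware parser.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording the page identifies as the usual lure: fear, urgency, a pending bill.
URGENCY_TERMS = ("urgent", "immediately", "suspended", "overdue",
                 "unpaid invoice", "final notice", "verify your account")
# File types that commonly carry an exploit or dropper when mailed as an "invoice".
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".iso", ".lnk", ".html")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL; bare 'www.site.tld/path' text is treated as a URL too."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()


def registered_domain(host):
    """Naive registrable domain: the last two labels (no public-suffix list here)."""
    parts = host.strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def score_email(subject, html_body, attachments):
    """Return a list of (category, detail) findings for one message."""
    findings = []

    # 1. Fear / urgency language in the subject or body text.
    plain = (subject + " " + re.sub(r"<[^>]+>", " ", html_body)).lower()
    for term in URGENCY_TERMS:
        if term in plain:
            findings.append(("urgency", f"lure wording: '{term}'"))

    # 2. Embedded links: script URLs, raw IP hosts, and display text that
    #    names one domain while the href actually goes to another.
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        if href.lower().startswith(("javascript:", "data:")):
            findings.append(("script-link", f"non-http link: {href}"))
            continue
        href_host = host_of(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
            findings.append(("raw-ip-link", f"link to bare IP address {href_host}"))
        looks_like_url = re.fullmatch(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", text, re.I)
        if looks_like_url and registered_domain(host_of(text)) != registered_domain(href_host):
            findings.append(("link-mismatch", f"text '{text}' but href goes to {href_host}"))

    # 3. Attachments: risky executable/macro types and "invoice.pdf.exe" style names.
    for name in attachments:
        lower = name.lower()
        if lower.endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", f"attachment type: {name}"))
        if re.search(r"\.[a-z0-9]{2,4}\.[a-z0-9]{2,4}$", lower):
            findings.append(("double-extension", f"disguised extension: {name}"))
    return findings


# Constructed sample messages (not real mail) matching the lures the text describes.
PHISH_SAMPLE = {
    "subject": "URGENT: Unpaid invoice - your account will be suspended",
    "html_body": ('<p>Your account is suspended until you pay the attached invoice immediately.</p>'
                  '<p>Review it at <a href="http://example-bank.com.evil-host.test/login">'
                  'www.example-bank.com/login</a></p>'),
    "attachments": ["Invoice_4471.pdf.exe"],
}
BENIGN_SAMPLE = {
    "subject": "Team lunch next Thursday",
    "html_body": '<p>The menu is <a href="https://intranet.example.test/menu">here</a>.</p>',
    "attachments": ["menu.pdf"],
}

if __name__ == "__main__":
    for label, msg in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_email(**msg))
```

Each finding carries a category so the output can feed a quarantine rule or a user-facing warning banner; in practice the keyword list should be tuned to the organization's own language and the domain comparison replaced with a public-suffix-aware one, since naive "last two labels" logic misjudges hosts under suffixes such as `co.uk`.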
Phishing remains cybercriminals’ method of choice for infecting users’ computers. Corporate employees are particularly vulnerable, since they are heavily targeted as an easy entry point to sensitive data. Cybercriminals use social engineering to trick their victims into launching malicious files on their computers, opening a link to an infected website or sending the criminals their private data. We’ll take a look at typical phishing schemes, the evolution of phishing and tips for keeping your business safe.
Many people believe that they are no longer fooled by cyber criminals’ most common techniques to trick them into clicking malicious links and opening emails.
Experts say that phishing attacks are most successful when they create a sense of urgency, fear or curiosity, but when questioned, most people rank entertainment, social, recognition/rewards and job-function topics ahead of these. Almost all scams that staff fall for prey on fear, urgency and curiosity. It’s bad enough that people are falling for these scams, but they are also subject to the Dunning–Kruger effect: the subjects of this study know enough about phishing to believe they aren’t fooled by the scams’ attempts to make them fearful, and so on, but they don’t know enough to spot and avoid such emails when they receive them.
Companies can reduce the threat of phishing with technological defenses such as spam filters, but these won’t always be 100% successful. Employees will therefore inevitably receive some phishing emails, and they need to be aware of the extent of the problem.
If employees aren’t fully educated on phishing, they are liable to underestimate the threat. Staff awareness courses can help organizations stay secure, but only if they cover the threat comprehensively and effectively.
More importantly, we can’t expect users to remain vigilant all the time, even if there were concrete signs to look out for. Being aware of the threat from phishes whilst at your desk (where users are probably most aware of the risk) is hard enough. But phishing can happen anywhere and anytime, and people respond to emails on their phones and tablets, and outside core hours. Clicks happen.
A simulated attack will establish how vulnerable your staff are to phishing emails and can help you:
• Satisfy compliance and regulatory requirements;
• Adapt future testing to areas and employees of greatest risk; and
• Reduce the number of employee clicks on malicious emails.
Phishing has become one of the most talked about threats in cyber security and so, quite rightly, organizations want to protect themselves against it. With phishing simple to carry out but potentially very financially rewarding — some of the highest profile cyber-attacks of recent years began with a phishing email — it’s no wonder that newbie hackers want in. Certainly, prevention is better than cure, but detection is a rational way to avoid the bait. Think Security. Think Ahead.