When you ask someone to give an example of a cybersecurity threat, phishing is probably their first response. Phishing is a type of social engineering in which an attacker sends a fraudulent message designed to trick a person into revealing sensitive information to the attacker, or into deploying malicious software, such as ransomware, on the victim's infrastructure. Even though phishing attacks have been around for decades, their frequency has increased phenomenally in the last two years, and attackers are using far more creative (e.g. smishing, vishing) and advanced ways to deceive people into clicking malicious links.
The mass adoption of online services driven by the switch to remote working has created a very lucrative playing field for attackers. The rise of social media platforms also gives attackers additional opportunities to collect enough information about individuals to impersonate them.
Attackers conduct phishing attacks for two main reasons:
- Data: Stolen credentials can give attackers access to information sets that can compromise a business (e.g. trade secrets, customer information). Malicious buyers pay good money for such data (e.g. on the dark web), which increases the motivation to steal it.
- Access: Malware downloaded via malicious links can give attackers entry to networks and allow them to disrupt or lock down services such as websites, support channels, etc.
Some of the most common types of phishing attacks are:
- Phishing – typically done by email
- Spearphishing – finely-targeted emails
- Whaling – very targeted email, usually towards executives
- Vishing – by phone calls
- Smishing – by text messages
- Social media phishing – Facebook, LinkedIn and other social media posts
- Pharming – compromising a DNS cache
A recent report on phishing statistics (2020-2022) stated:
- Carriers of phishing/social engineering attacks are email (96%), malicious websites (3%) and phone (1%);
- Common subject lines of phishing emails are Urgent, Request and Important;
- Countries with the highest attack rates are the US (74%), the UK (66%) and Australia (60%);
- The most impersonated brands are Microsoft, ADP and Amazon, with LinkedIn and Google not far behind;
- The most targeted industries are retail, manufacturing, and food and beverage;
- Data types compromised in a phishing attack are user credentials (passwords, PINs), personal data (name, address) and medical data (insurance claims, health conditions).
According to a Verizon report, phishing ranks second among the most expensive causes of data breaches. Organisations that had been attacked saw a 5% drop in their stock price in the 6 months following a breach, and this number continues to rise. It is therefore imperative for startups and scaleups to ensure they have implemented adequate measures to manage phishing attacks.
How to protect your organisation?
Phishing attacks are unique in that they target the humans within an organisation rather than technological weaknesses. Awareness and education are therefore the two most effective ways to prevent a phishing attack. However, merely conducting periodic 'email phishing campaigns' isn't sufficient.
Think about the following scenarios:
- A malicious USB stick labelled "family pics" is dropped in a company parking lot. There is a high probability that someone will pick it up and plug it into their laptop to try to find out who it belongs to. This can give the attacker instant access to the company's network; and
- An attacker posing as a recruiter on LinkedIn sends your employees malicious links claiming to be details of job opportunities. If a link is clicked, there is a high chance that malware is downloaded onto the employee's computer.
Training programs should therefore also cover simulations of attack vectors beyond email.
The other key tactical ways to further protect your business are:
- Authenticating email senders using DMARC (Domain-based Message Authentication, Reporting and Conformance), which builds on SPF and DKIM and tells receiving mail servers how to treat messages that fail those checks;
- Enabling multi-factor authentication in order to prevent unauthorised access;
- Using anti-malware programs and firewalls for extra layers of protection. Thought leaders such as Gartner periodically report on the best-in-class tools; and
- Conducting a periodic ‘social media audit’ (e.g. LinkedIn) to ensure the legitimacy of all the employees claiming to work for your organisation.
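The post names DMARC but not what a sound record looks like, so the added Python example below (not the author's code; the domains and records are constructed) parses a DMARC TXT record and flags the settings that weaken it, placing a weak record beside a strong one.

```python
# Added example (not from the original post): flag DMARC TXT record settings
# that leave a domain open to spoofing. Domains and records below are
# constructed for illustration; a real record comes from `dig TXT _dmarc.<domain>`.
SAMPLE_RECORDS = {
    "weak.example.test": "v=DMARC1; p=none; pct=50",
    "strong.example.test": (
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@strong.example.test; "
        "adkim=s; aspf=s"
    ),
    "not-dmarc.example.test": "v=spf1 include:_spf.example.test -all",
}

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a {tag: value} dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:  # skip empty trailing parts and malformed tokens
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(record: str) -> list:
    """Return weaknesses found in a DMARC record; an empty list means none."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: the 'v=DMARC1' tag is missing or wrong"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing mandatory 'p' tag")
    elif policy == "none":
        findings.append("p=none: failing mail is only reported, never quarantined or rejected")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once aggregate reports look clean")
    pct = tags.get("pct", "100")  # DMARC default is 100
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua address: you will not receive aggregate reports")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") != "s":  # default alignment mode is relaxed
            findings.append(f"{tag} relaxed: any subdomain of the organisational domain aligns")
    return findings

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, "->", dmarc_findings(record) or ["OK"])
```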
If you’d like to learn more about how to set up foundational controls to protect your organisation against phishing attacks, we are offering free twenty-minute Ask Me Anything sessions with our security experts.
If you have any security questions you’d like answered, contact us here.