Phishing attacks are responsible for the majority of data breaches. Cyber criminals target us through any communication means they can - by email, text messages and phone calls.
Cyber criminals use phishing emails to steal credentials, passwords, our personal and financial details. Phishing attacks can appear like messages from someone familiar to us, such as a boss, colleague or friend.
In more sophisticated scenarios, cyber criminals will study their targets before launching an attack so they can include specific details to appear authentic in their messaging. These messages include links and/or attachments infected with malware that can enable bad actors to enter your computer networks, leading to serious system compromise and potential ransomware attacks.
Enterprises looking to mitigate risk can no longer ignore cyber threats. Training staff on how to recognize and report phishing attempts is a must, not a luxury.
In this blog post, we will outline phishing types and training best practices. This blog is part of our Foresight 2020 series.
Phishing types
Email phishing. Check your spam folder in your email, and there you'll find a ton of these in which the bad actors use domain names of legitimate companies to try and trick you into providing information and/or clicking on an infected link or document.
Reportedly, Apple is the most frequently impersonated company by cyber thieves. So getting an email from, say, Apple's customer service asking you to change your password is an example of email phishing.
An older trick you may know of is the overseas prince scam, in which a prince is eager to give away his wealth, but all you need to do is provide your bank account information. Don't do this. Ever.
Spear phishing. Spear phishing is far more crafty and deceptive than a general mass email sent with a nefarious link.
In order to target specific people or a person, the bad actor sending the message typically provides enough details so that the message appears authentic.
In spear phishing, the threat actors research their targets and impersonate authoritative entities such as the Centers For Disease Control, an internet service provider, or a particular colleague or senior manager connected to the recipient.
Smishing. Scams sent via text messages are called smishing. These sorts of messages might come across as friendly and ask the recipient to click on a link.
It might say the recipient has won a contest or is up for a special offer for a service. In more targeted smishing attempts, the bad actor will use your name claiming they've met you before.
Vishing. Voice calls placed by bad actors are on the rise. As cellular phone usage has grown, cyber criminals try tricking their targets by placing phone calls that urgently ask for personal information and money.
For instance, a bad actor impersonates the IRS and demands that a fine is paid immediately or else you will go to jail. Another common ploy is a call from a well known credit card company that appears to be a service call. "We can lower your APR today. What's your credit card number?"
Domain spoofing. Now this form of attack involves forging the domain of the company where the recipient works. It's also done by using similar domain names, but perhaps a letter or two is different.
Emails are also forged by bad actors impersonating someone from the company. Popular television host Barbara Corcoran, of Shark Tank fame, lost $400,000 in an elaborate email scam in which the bad actors tricked her staff by impersonating Barbara's assistant.
These messages are hard for the untrained eye to spot, which makes them highly dangerous and leaves an organization vulnerable to a cyber attack.
Train users to recognize phishing messages
The State of the Phish 2019 report reveals that 83% of businesses experienced a phishing attack in 2018 (up from 76% in 2017). Vishing (voice phishing) and/or smishing (SMS/text phishing) were reported by 49% of survey respondents. Everyone with an email address or a phone number is at risk.
To combat phishing attacks, conduct phishing tests to evaluate the effectiveness of your training.
Here are a few tips to train staff on:
- Think beyond email - phone, text, and social channels are also used to phish.
- Look for simple grammar mistakes and misspellings as a phishing email “tell”.
- If you receive a request to transfer funds, open an attachment, or provide sensitive information from an unexpected email address, don’t do so immediately.
- Check the URL for spelling before clicking -- nextflix.com instead of netflix.com, for example.
- If you’re not 100% sure and think it might be a legitimate request, look up the number on the company website or from recent statements, NOT from the email, to double check.
- Be wary of any links in a message.
Verify the source before clicking any link as the link could potentially install malware on your computer. Even though some phishing emails still have spelling and grammatical errors, some of them are quite sophisticated and difficult to differentiate from the original source.
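The domain-spoofing and misspelled-URL tells above (nextflix.com for netflix.com, or a real brand name planted as a subdomain of an unrelated domain) can be checked mechanically before a user clicks. The following is an added example, not code from the original post: it compares the registrable domain of a link against a constructed list of trusted domains using edit distance, and flags brand names used as subdomains. The trusted list and the two-label domain extraction are simplifying assumptions; a production check should use the public suffix list.

```python
from urllib.parse import urlparse

# Constructed list of brands an awareness program might protect (assumption; adjust to your org).
TRUSTED_DOMAINS = {"netflix.com", "apple.com", "example-corp.com"}


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    # Naive: last two labels. Assumption for the example; real code should use the public suffix list.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_url(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'unknown', or a 'suspicious: ...' reason for the link."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    # Trusted brand used as a subdomain of an unrelated domain, e.g. netflix.com.account-verify.example
    for t in trusted:
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return f"suspicious: '{t}' used as subdomain of {reg}"
    # Near-miss spelling of a trusted domain, e.g. nextflix.com (1 edit from netflix.com)
    for t in trusted:
        d = levenshtein(reg, t)
        if 0 < d <= max_distance:
            return f"suspicious: {reg} is {d} edit(s) away from {t}"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://www.netflix.com/login", "http://nextflix.com/reset",
                 "https://netflix.com.account-verify.example/", "https://www.gov.uk/"):
        print(link, "->", classify_url(link))
```

"Unknown" is not "safe": it only means the domain is neither on the trusted list nor a near-miss of one, so the user should still verify the source as described above.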
In a previous article, we covered eight tips for an effective phishing test that organizations can implement.
For more tips, read our Foresight 2020 white paper.
Enterprise risk management involves cybersecurity strategy. To ensure that you're doing everything possible to protect your organization from a data breach, be sure to routinely train your team about phishing attacks.
Training is a proactive step in the right direction to ensure cyber hygiene. However, it's best to consider training as an ongoing effort as new types of threats and scams emerge. Is your staff ready?
In our white paper Foresight 2020, we’ve compiled 11 of the most effective information security strategies and tactics that will minimize the risk of a data breach at your organization. Layering these tactics over your information security strategy creates defense in depth that will help keep your information secure.