What Is Phishing?
In an attempt to capture sensitive data such as personally identifiable information, passwords, and more worryingly, your bank and credit card details, Phishing is becoming an increasingly popular form of cybercrime - one we all need to be aware of. We reveal everything you need to know about the much-talked-about and increasing form of cyber attack, and more importantly, how to protect you and your business online.
What Is Phishing?
Phishing is an increasingly common form of cyber attack that uses deceptive emails as its weapon of choice.
The purpose of these emails is to mislead and trick the recipient into believing that the message is something they need to take action on - a request from their bank, for instance, or an email from their colleagues or manager, asking them to click on a link or download an attachment.
Phishing is popular amongst hackers, quite simply because it works, and that's down to the ever-changing techniques and convincing emails that nurture and build trust with a recipient.
By coming from what appears to be a real person or a trusted entity, the recipient is more likely to click or download an attachment - and that's when the clever but nasty stuff happens.
Whilst very common, Phishing isn't new, in fact, it's one of the oldest forms of cybercrime - with the first ever lawsuit for Phishing being filed back in 2004, highlighting how hard it can be to deter due to the ever-changing techniques and type of attacks.
Types of Phishing?
Spear Phishing is when a hacker creates a bespoke email targeting a specific individual - like a fisherman aiming for one specific fish, as to just casting a hook with bait on and see who bites.
Hackers do their research, identifying targets on social media, most commonly LinkedIn so they can impersonate their co-workers. As an example, a Spear Phisher might impersonate a manager and target the finance department requesting the payment or bank transfer.
Clone phishing is a type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email.
The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version to the original.
Whale Phishing, or Whaling, is like Spear Phishing, instead, they target the very big fish - CEOs, Directors and other high-value targets.
Company board members are thought to be an extremely high-risk target, due to the fact they have a great deal of authority within a company, but since they aren't full-time employees, they often use personal email addresses for business-related communication, which usually, doesn't have the security factors and added protection offered by a business email.
The Top 10 Most Impersonated Brands
As mentioned above, Phishing is most effective when impersonating your favourite and most popular services, some of which you'll probably already have an account with, or at least be familiar with - making the emails a lot more plausible.
Taken from a recent survey by Vade, the top 10 most impersonated brands are:
This doesn't say that these are the only brands out there being targeted, it's just more likely that a victim will actually have one or more of these accounts, making a victim more susceptible to trusting and clicking on the email.
Top 5 Most Commonly Used Email Subject Lines
A hackers biggest challenge is getting a victim to even open an email, let alone clicking on it, that's why they use scare tactics when choosing subject lines.
Taken from a recent survey by KNOWBE4, the top 10 most commonly used subject lines are:
- 'Password Check Required Immediately'
- 'Security Alert'
- 'Change of Password Required Immediately'
- 'A Delivery Attempt was made'
- 'Urgent press release to all employees'
As you can see, all of the above use scare tactics on which require immediate attention or action, putting a victim into a state of panic, affecting judgement when clicking on a link.
So the next time you get an email from Netflix asking you to change your password in order to feed your box set fix, think twice and check that the email is actually real.
How Can I Check If an Email Is Real?
Whilst hackers are getting smarter in their phishing techniques, they're still human, and its the human errors that are easiest to spot. Here are a few obvious things to look out for:
Often URLs will appear like the real thing, but by simply hovering your mouse over the top of the URL or checking the info on it, you should can the actual address. If the address differs from display email - something isn't quite right. You can also do the same the 'from' address, check if the domain name is associated with the company it claims to be. For example, if you receive an email from what you think is your bank but the email domain is Gmail, or the name is misspelt in any way, it's most definitely a scam.
Spelling & Grammar
Brands are pretty serious about their image, so it's very rare for an official brands email to have major spelling mistakes or poor grammar. Read your emails carefully and report anything that seems suspicious.
Phishing emails are usually sent in mass, generally to thousands if not millions of email addresses at any one time, so the chances are, it won't be personalised. You'll most likely get an email saying "Dear Member" or "Valued Customer", as to real first name personalisation.
The Dangers of Phishing
Not only can phishing have an immediate financial impact on your business, but it can also cause permanent damage to your brand.
Whilst most would agree that Phishing attacks and data breaches impact a company's bottom line, they can also cause so much more damage than just the initial financial loss.
In 2016 alone, attackers used phishing and other strategies to steal 4.2 billion records from organisations. In addition to the financial and data losses, 81% of the organisations attacked lost loyal customers and suffered reputation damage as a result. The average cost of such repercussions was $1.6 million per organisation.
Like most forms of cybercrime, attacks are usually spotted too late, In fact, its quite common for hacks to be discovered by customers and not the company itself.
So as we trust a business with our personal and financial details, we also expect to be able to shop securely online as standard, knowing our credentials are in safe hands - but with so many outlets and choices online nowadays, it doesn't take much for a customer to take their custom elsewhere, especially in light of a cyber attack or some form of breach.
In addition to losing existing customers, the news of a hack is one the press and social media will take a shine to, instantly damaging a brands overall image. Readers will judge instantly, casting doubt over the business, and whether your a small time business or one of the world's biggest and best-known brands, people need to have confidence in how you store and manage their personal details online.
However, It doesn't stop there, in addition to being left red-faced and dealing with financial losses, customers can then also file lawsuits where a business can be fined for non-compliance with data protection regulations - highlighting the seriousness of phishing and cybercrime.
How Do I Protect Against Phishing Attacks?
One way to protect your business from phishing is user education, and this should involve all employees at every level.
Whilst all employees are at risk, CEO's, Executives and Board members are most commonly the dream target for hackers, so education is needed at the top as well as the bottom of an organisation chart.
Educate and teach your employees how to recognise a phishing email using some of the tips highlighted above, and equally, if not, more importantly, know what to do when they receive one. Put a procedure in place where they can quarantine and report the emails safely - ensuring they don't click or download any attachments.
However, whilst user education is essential to protecting a business, the emails are becoming more convincing, and worryingly, tactics are becoming far more advanced than we imagined, so technology is the only sure-fire way to get the upper hand on phishing.
No single cybersecurity strategy can prevent phishing attacks. Instead, businesses must take a layered approach to reduce the number of attacks and lessen their impact if and when they do occur.
Network security technologies that should be implemented include email and web security, malware protection, user behaviour monitoring, and access control.
So whilst one solution won't give you 100% protection from phishing, an obvious place to would be something like Cisco's Umbrella.
As the industry's first Secure Internet Gateway in the cloud, Cisco Umbrella provides the first line of defence against threats on the internet. Because Umbrella is delivered from the cloud, it is the easiest way to protect all of your users in minutes.
As a Cisco Premier Partner, not only are we able to offer discounted rates to our customers, we can offer you a FREE 14 day trial of Umbrella to demonstrate how effective it would be - making your business more secure to the ever-growing and imminent threat of cybercrime.
Here's what you'll get:
- Threat protection like no other — block malware, C2 callbacks, and phishing.
- Predictive intelligence — automates threat protection by uncovering attacks before they launch.
- Worldwide coverage in minutes — no hardware to install or software to maintain.
- Weekly security report — get a personalized summary of malicious requests & more, directly to your inbox.
- 1,000+ users? — You're eligible for the Umbrella Security Report, a detailed post-trial analysis.
Get started in 30 seconds. No credit card details required, no lengthy form-filling, simply click the link below and we'll get you set up right away - no catch, it's as simple as that.
See the full article here: https://www.advantex.uk.com/what-is-phishing/