The concept of phishing is simple: pretend to be someone you are not in order to extract money or personal details from a victim by exploiting their trust. What is worrying is that nearly 100,000 people reported receiving phishing emails in 2015, and with this style of attack succeeding (for the hackers) 50% of the time, too many people are falling victim to phishing through an avoidable case of human error.
Attackers pose as a legitimate source such as well-known high-street names in order to gain the trust of a victim. From there, they can distribute malicious links and attachments in the form of malware, all in the hope that the unsuspecting user will click on the link, open the attachment, or even hand over sensitive information voluntarily such as bank details or login information, all because they think the sender is legitimate.
How Phishing Works
Phishing works through careful preparation to create a convincing message that has a strong chance of being delivered and acted upon. This is why social networking is a prominent technique in phishing, whatever electronic channel is used, whether email or direct messages on social media.
The hackers work by gathering information on their target to make the message as tailored as possible, resulting in something that seems more legitimate. By knowing details like your name, address and work history, they can personalise their attack so that you are less likely to see it as a con, and as a result, you will innocently follow the instructions they send you, causing you to fall into their trap.
Phishing peaks around major current events such as the coronavirus pandemic, because tying the scam to current news makes it seem more 'real' to the recipient. For example, during the coronavirus pandemic, security experts reported a substantial rise in phishing email scams related to the coronavirus – the worst they had seen in years. The BBC followed up on reports of individuals and businesses being targeted with phishing emails and came across a variety of campaigns, including tax refunds from HMRC, email attachments from the World Health Organisation (WHO), bitcoin donations to help fight the coronavirus, and scare tactics aimed at getting recipients to give up work or personal email details.
Whatever the subject, the objective is to gain an entry point for malware to infect the device.
The Ever-Growing Field of Cybercrime
Hacking groups are becoming more sophisticated as they invest more research and skill in their attack techniques. So whilst phishing emails used to be poorly written, with fuzzy graphics that gave the game away, they now use the same techniques as professional marketers to compose the most effective messages.
The first waves of cybercrime came when emails and social media became popular because it was an accessible way for hackers to target a large audience with minimal effort and skill needed. Criminals are able to target users directly by sending infected emails straight to someone's inbox, all ready for the unsuspecting recipients to open and consequently spread malware into the network.
The cost of phishing scams can be catastrophic for companies. No matter what size or industry you are in, you can become a target for hackers if there is a profit to be made. Walter Stephan is a perfect example of how anyone can be caught out, and of why the 'I wouldn't fall for it' attitude is not something you should rely on.
Stephan was the CEO of a plane company called FACC for 17 years, so he was far from being a newbie in the industry. After receiving an email from what he thought was a superior within the company, he fell for a story about a secret transaction that needed to be carried out. The result was that a whopping $56.79 million (around £39m) was taken, and he lost his job immediately.
This example highlights not only how any business can be targeted with phishing emails, but also the creativity that hackers use to achieve their desired result – a profit. As well as the direct effect on the company, the knock-on reputational damage cannot be ignored either. Only 17% of customers said they trust companies now, compared to a decade ago, highlighting that customers are more than aware of the growing number of online crimes. If customers cannot trust you to look after their sensitive data, there is little chance of prosperity in the future. An increasingly digitally-aware public means that reputation is everything.
Combating Phishing Threats
Defending your organisation from phishing comes from knowing what to look out for. This can only come from a strong email gateway combined with a human understanding of the topic, achieved through training, so that staff know what to look out for.
Training and Education in the Workplace
Once a user downloads an infected program or document, or follows a malicious link, from what seems like a harmless email, the hacker can get into your whole system and do whatever they want with the data they find.
Remaining vigilant over cybersecurity is exactly how you can protect your organisation, because breaches are often caused by employees inadvertently creating an entry point into systems and networks, something that email awareness training can prevent. Computer literacy can sometimes be dismissed as 'common sense', but the increased sophistication of the phishing emails being produced means that anyone can be a target, so everyone should be able to understand the threats and reduce the criminals' success rate. Regular training should never be neglected, as the damage it could prevent could make or break the future of a business.
As a backup to the human training that reduces the risk of phishing, a strong email gateway is something that all organisations should also treat as a priority.
Acting as the controller of what gets in and out of a network by applying different filters and checks, an email gateway can prevent the majority of harmful messages from reaching you in the first place. Finding the right gateway for your organisation is very important: look for one with advanced features that go beyond basic antivirus, anti-phishing and anti-spam settings and that incorporates the newest technologies to keep up with current threats. Also look for something that is customisable to your organisation and maintains a reliable reputation through a low rate of false positives and false negatives.
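To make the "filters and checks" concrete, here is an added example (not code from the original article or any gateway product) of three simple gateway-style checks run over a constructed message: whether the receiving mail server's SPF/DKIM results show a failure, whether the display name claims a trusted brand while the sending domain does not belong to that brand, and whether a link's visible text shows one domain while its href points to another. The sample message, the brand-to-domain table and all domains are made up for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message for demonstration; headers and domains are made up.
SAMPLE_PHISH = """\
From: "HMRC Tax Refunds" <refund@hmrc-secure-portal.example>
To: staff@company.example
Subject: Your tax refund is waiting
Authentication-Results: mx.company.example; spf=fail smtp.mailfrom=hmrc-secure-portal.example; dkim=none
Content-Type: text/html

<p>Claim your refund at <a href="http://198.51.100.7/claim">https://www.gov.uk/tax-refund</a></p>
"""

def check_message(raw, trusted_brands):
    """Return a list of phishing indicators found in a raw RFC 5322 message.

    trusted_brands maps a lowercase brand keyword to the domain it legitimately sends from.
    Simplified illustration of gateway-style checks, not a product implementation.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender authentication results stamped by the receiving mail server.
    auth = (msg.get("Authentication-Results") or "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("sender authentication failed")

    # 2. Display name claims a trusted brand, but the From domain is not that brand's.
    from_hdr = msg.get("From", "")
    m = re.search(r"@([\w.-]+)", from_hdr)
    sender_domain = m.group(1).lower() if m else ""
    display = from_hdr.split("<")[0].lower()
    for brand, domain in trusted_brands.items():
        if brand in display and not sender_domain.endswith(domain):
            findings.append(f"display name impersonates {brand} from {sender_domain}")

    # 3. Link text shows one domain while the href actually points somewhere else.
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', html, re.I):
        shown = urlparse(text.strip()).hostname if "://" in text else None
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            findings.append(f"link text {shown} hides target {actual}")
    return findings
```

A real gateway layers many more signals (attachment sandboxing, URL reputation, DMARC policy) on top of checks like these, and the false-positive rate mentioned above is what these heuristics must be tuned against.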
Remember that no solution provides 100% protection, which is why the training as well as having a gateway is so important.