Bad actors have taken advantage of unpatched systems, software vulnerabilities and increasingly devious forms of malware for years, but their preferred weapon is phishing. While their motives haven’t changed (luring targets into clicking highly legitimate-looking emails so they can steal the keys to the castle), their attack methods have grown more sophisticated.
According to a recent FBI investigation, phishing scams cost American businesses half a billion dollars a year. More alarming evidence is seen in a public service announcement from the FBI issued earlier this year to spread awareness of the phishing threat, calling it a $12 billion scam.
Cyber security is only as strong as its weakest link – people
Even though businesses spend millions on cyber security, phishing scams continue to thrive. The reason is simple: Cyber criminals won’t hack firewalls when all they need is a vulnerable employee. The fundamental reason why enterprise security fails against advanced cyber-attacks is not lack of competency but lack of awareness training and policy-setting among employees.
Phishing is all about deception, and the methods cyber baddies use are evolving. For example, moving away from the “infect them all” approach, many phishers are turning to regionalized email attacks and location-based targeting. In a bid to customize attacks and make email scams more believable, cyber-criminals are getting better at imitating local brands. Their spelling and grammar are improving, too.
While email is most strongly associated with phishing attacks, cyber criminals have been quick to seize on new potential routes into networks, such as social media and messaging apps. Moreover, with more businesses and people turning to cloud applications, attackers are launching more advanced cloud-phishing attacks. One highly sophisticated phishing campaign targeted Google’s roughly 1 billion Gmail users worldwide.
5 simple ways to avoid the phishing bait
Even as organizations implement advanced security measures and invest in cyber security awareness, both corporate and government environments need to do more to train employees. Phishing attacks are so appealing for criminals because of the promise of readily offered credentials or admin privileges stolen directly from staff, enabling attackers to move laterally in the targeted network.
Below are a few useful guidelines that will help safeguard your business from phishing attacks.
1. Make them familiar with the phishing hook
Phishing is effective because attacks usually take the form of a well-crafted, apparently legitimate email from a trusted source like a friend or your CEO, service provider, bank or even a delivery company. Recent phishing attacks that targeted Gmail and Office 365 managed to fool even savvy users. Encourage employees to sniff out phishing scams. Inspect every email carefully, especially if it has any sense of urgency, or if it comes from an unknown sender. Scanning emails for links to non-standard web page addresses is also a useful practice.
2. Be careful when typing URLs
The Anti-Phishing Working Group (APWG) issued its Phishing Activity Trends Report for Q1 2018 revealing a significant rise in unique phishing webpages. Attackers frequently embed malicious links in emails that appear to come from familiar sources. The promise of a video or an attractive photo encourages unsuspecting recipients to click, only to unknowingly download malware. Sometimes the email may request login details with a link that appears to be your company website. Avoid such phishing traps by always typing URLs into the address bar of your browser. Never click unreadable links in emails.
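The two link checks above (inspect links to non-standard addresses, and distrust links that only look like your company website) can be automated. The following is an added example, not code from the original article or from any vendor: it pulls every link out of an HTML mail body and flags bare IP hosts, punycode hosts, anchor text whose domain differs from the real destination, and hosts that merely borrow a trusted brand name. The sample mail, the `example.com` allowlist and the 203.0.113.7 address are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude owner domain (last two labels); adequate for the constructed samples."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit_links(html, trusted):
    """Return (href, reason) for each link the reader should type by hand instead."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        # A domain name written in the visible text, if there is one
        shown = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            findings.append((href, "host is a bare IP address"))
        elif any(label.startswith("xn--") for label in host.split(".")):
            findings.append((href, "punycode host, possible lookalike characters"))
        elif shown and registrable(shown.group(1)) != registrable(host):
            findings.append((href, f"text shows {shown.group(1)} but link goes to {host}"))
        elif any(t.split(".")[0] in host and registrable(host) != t for t in trusted):
            findings.append((href, f"{host} borrows a trusted brand name"))
    return findings

# Constructed sample: one legitimate link and three that should be flagged.
SAMPLE_MAIL = """
<p>Mailbox full. <a href="https://www.example.com/mail">Open webmail</a></p>
<p>Verify: <a href="https://203.0.113.7/verify">https://www.example.com/verify</a></p>
<p><a href="https://example.com.account-verify.net/login">Reset password</a></p>
<p><a href="https://xn--exmple-1oa.com/">Example support</a></p>
"""
```

`audit_links(SAMPLE_MAIL, ["example.com"])` returns the three suspicious links with a reason each; the legitimate `www.example.com` link passes because its owner domain is on the allowlist.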
3. Think twice before you open attachments
Email is a favorite attack vector as it makes distributing malware cheap and easy. If people can be persuaded to click on an executable, then it may install malware on their system. Unfortunately, these executables are often disguised as other, legitimate files attached to the email. The vast majority of spam and phishing emails carry such malicious attachments. Even if you do recognize the sender, it’s smart to flag emails with attachments for further scrutiny. According to industry reports, some of these attachments are able to slip through known cloud-based security systems. It is important to have deeper messaging security in place that automatically scans and discards suspicious attachments.
4. Flag suspicious emails to your security teams
If you are not sure about the content of an email, then you should report it. Seek further advice from your company’s IT security team. Many companies have a dedicated mailbox specifically for suspected phishing emails, and the security team will validate whether a reported email is legitimate or not. You may also consider filing complaints at the Federal Bureau of Investigation Internet Crime Complaint Center.
5. Don’t just patch your systems, patch your people
Awareness and education remain your best defense against phishing campaigns. As crafty phishing attacks manage to penetrate security defenses, it is necessary to train employees, making them more aware of various phishing tactics used by cyber fraudsters. These email-borne threats have become an endemic scourge that can seriously damage your company’s reputation. While it is vital to keep systems and applications up-to-date with the latest patches and security updates, it is equally important to keep employees informed by running regular security awareness training. That means assessing likely threats, making your staff aware of them, with clear examples, and updating them on new threats regularly – an annual training session is not enough. You also need to ensure that the training was effective, so consider investing in a phishing simulator that can test employees through automated attack scenarios and actionable reporting metrics.
Phishing certainly poses a significant risk to your organization. Knowing how to identify a phishing attack is obviously the best defense. If you manage to avoid the bait, the attacker will have no choice but to move on to the next target.