Prepare to defend: Why combating phishing attacks requires a proactive approach
Whether you run a small business, a large corporation, or something in between, phishing is one of the most damaging threats you have to prepare for, and many security analysts rank it as their top concern.
According to the Verizon 2019 Data Breach Investigations Report (DBIR), phishing has emerged as the leading cause of data breaches across companies, and the number of phishing attacks continues to rise. That is all the more reason for companies to step up their defenses and learn how to prevent phishing.
So what exactly is phishing, and why should you be afraid of it?
Phishing is a means of gathering credentials and other personal information through deceptive email and websites. The attacker sends disguised emails to unwitting users to convince them that the message comes from someone they know or trust. It can be cloaked as almost anything, from a request from your bank to a message from a coworker.
Although phishing is one of the oldest types of cyberattack, it keeps becoming more sophisticated, which shows that the perpetrators adapt to each new countermeasure.
Phishing trends across the board
- Given how dangerous phishing is, companies track it closely, and the resulting data would make even the most hardened security executive nervous.
- According to Proofpoint's latest State of the Phish report, which drew on phishing data from multiple sources, including a survey of 600 infosec professionals across seven countries, 90 percent of organizations were hit by targeted phishing in 2019.
- 88 percent of organizations reported spear-phishing attacks and 86 percent reported business email compromise (BEC) attacks. Proofpoint's threat intelligence also confirmed a continuing shift from indiscriminate bulk email campaigns toward more targeted and personalized attacks.
- That 90 percent figure for spear-phishing victims in 2019 puts all the more pressure on security executives to mitigate phishing attacks.
- In another worrying trend, brazen cybercriminals have in some instances taken phishing beyond the inbox. Infosec professionals reported a sharp rise in social engineering attempts in 2019.
- Notably, 86 percent of organizations saw attacks via social media, while 81 percent found malicious USB drops on their premises.
- Vishing, or voice phishing, hit 83 percent of organizations, and a staggering 84 percent reported smishing, the term for SMS/text phishing.
Methods of phishing
There are myriad ways by which a cybercriminal can carry out a successful phishing attack on an unsuspecting victim.
- Spoofed Login Pages: One common way that people and companies are defrauded is through spoofed login pages. The attacker presents an innocent-looking prompt for a user ID and password, but the page is under the attacker's control, and any credentials typed into it are captured.
- Impersonation: Impersonators pretend to be someone the user would almost certainly reply to, such as their bank or a client. For example, a cybercriminal might email the victim posing as their bank and request sensitive financial information.
- Malicious Attachments: An email with a title as inconspicuous as 'family photos' may carry an attachment containing malware that compromises your private data as soon as you open it.
- Messenger Apps: Another insidious manner in which criminals gain access to private information is by pretending to be acquaintances on messenger apps.
- Phishing with Shared Files: To get around the attachment scanning that email providers now perform, attackers also deliver malware through shared files and file-sharing links.
Purging our inboxes—a guide to the proactive action you can take, and how to detect successful phishing attacks
- Creating awareness can go a long way; advise employees to be wary of suspicious attachments, popups and messages supposedly from their coworkers.
- Spending, or rather investing, in strong anti-phishing technology pays off. The blacklist-based URL filtering used by Google has been shown to bring down the number of malicious URLs reaching users by a remarkable 90 percent.
- Besides training employees in the use of anti-phishing tools, security executives must also test their training’s effectiveness by conducting mock phishing campaigns.
- Strengthen identity management with multifactor authentication or passwordless login, so that a phished password alone does not grant access. Prefer phishing-resistant methods such as FIDO2/WebAuthn security keys, since one-time codes and push approvals can themselves be relayed by a phishing page.
- Protecting your domain against spoofing with email authentication (SPF, DKIM and DMARC), and verifying a site's TLS certificate before entering credentials, add further layers of protection for your valuable data.
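As an added example that is not part of the original article, the following Python script shows what domain spoofing protection looks like in practice: it parses SPF and DMARC TXT records (the records you publish for your own domain, and can check for any domain that mails you) and flags weak settings, with a weak configuration beside a hardened one. The sample records and the example.com/example.net names are constructed for the example; the script assumes you have already fetched the records, for instance with `dig TXT _dmarc.example.com`, rather than querying DNS itself.

```python
"""Assess SPF and DMARC TXT records and flag settings that leave a
domain open to spoofing. The sample records below are constructed for
this example and do not describe any real domain."""
import re

# Constructed sample records: a weak configuration beside a hardened one.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc@example.com")

# SPF terms that cost a DNS lookup (RFC 7208 section 4.6.4 caps them at 10).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=", re.I)


def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of lowercase tag -> value.
    Returns None if the record does not start with v=DMARC1."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of findings; an empty list means the policy is enforcing."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no valid DMARC record: receivers do not police spoofed mail from this domain"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, never quarantined or rejected")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is sent to spam instead of being rejected")
    elif policy != "reject":
        findings.append("p=%s: policy tag missing or invalid" % (policy or "<missing>"))
    if tags.get("pct", "100") != "100":
        findings.append("pct=%s: policy applies to only that percentage of failing mail" % tags["pct"])
    if "sp" in tags and tags["sp"].lower() != "reject":
        findings.append("sp=%s: subdomains get a weaker policy than the organizational domain" % tags["sp"])
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing attempts go unseen")
    return findings


def assess_spf(record):
    """Return a list of findings; an empty list means unlisted senders hard-fail."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record: any host may claim to send for this domain"]
    findings = []
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders receive a neutral result")
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: every host on the Internet is authorized to send as this domain")
        elif qualifier == "?":
            findings.append("?all: neutral result, unlisted senders neither pass nor fail")
        elif qualifier == "~":
            findings.append("~all: softfail only; enforcement depends on DMARC p=reject")
    lookups = sum(1 for t in terms[1:] if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append("%d DNS-lookup terms: over the limit of 10, receivers return permerror" % lookups)
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        print("[%s] SPF:   %s" % (label, assess_spf(spf) or ["ok"]))
        print("[%s] DMARC: %s" % (label, assess_dmarc(dmarc) or ["ok"]))
```

Two caveats when reading the output. SPF and DMARC only stop exact-domain spoofing; a lookalike domain registered by the attacker passes both checks, so brand-monitoring and user awareness still matter. And a ~all SPF record is not wrong on its own: it is the common choice when DMARC p=reject does the enforcing, which is why the script reports it as a dependency rather than a failure.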
Some closing thoughts
If there is one thing that you can take away from this article, it is the significance of being proactive, to protect people, brands, and their data from being phished. Such protective measures, albeit small, can go a long way in protecting organizations from the dangerous attacks of threat actors, whose modus operandi for phishing is constantly evolving.
Originally published at SecurityMagazine