Phishing Attacks: The Biggest Cybersecurity Threat
As we discussed in several of our blog articles, your people can be the biggest threat to your security, but typically they aren’t even aware of what they’re doing—or not doing. In fact, companies like KnowBe4, an integrated security awareness training and simulated phishing platform, were formed to help organizations with the human element of security, which is typically the most neglected.
In their Phishing by Industry 2021 Benchmarking Report, KnowBe4 quoted Verizon’s 2021 Data Breach Investigations Report, which stated that “phishing continues to be the top threat action used in successful breaches. Cybercriminals stole login credentials in 85% of breaches linked to social engineering.” According to the FBI, phishing was the most common type of cybercrime in 2020, and more than 90% of successful hacks and data breaches start with phishing scams.
Phishing Defined
Phishing is a form of criminally fraudulent social engineering. With phishing attacks, cyber criminals attempt to acquire sensitive information such as usernames, passwords, and credit card details by pretending to be a trustworthy entity—such as social web sites, banks, auction sites, or IT administrators—using bulk email which attempts to evade spam filters. There are many types of phishing. Here are just a few:
Spear phishing, unlike traditional phishing campaigns that send mass emails to as many people as possible, is targeted on a specific individual or organization and is typically after more valuable information that just credit card data. By researching the target, phishers can personalize the attack and increase chances of success.
Session hijacking exploits a web session control mechanism to steal information from the user using a hacking procedure known as session sniffing to intercept relevant information to access the web server.
Email/Spam is the most common phishing attack, where the same email is sent to millions of users with an urgent message “requiring” personal information or a link. The phisher uses this for illegal activities.
Content injection is the technique where the phisher changes part of the content on the page of a reliable website to mislead the user to visit a page outside the legitimate website and then asked to provide personal information.
Phishing through search engines involves search engines that direct the user to product sites which offering low-cost products or services—especially fake bank websites offering low-rate credit cards or loans. When the user attempts to make a purchase, their credit card details are collected by the phishing site.
Link manipulation involves the phisher sending a link to a fake website disguised as a legitimate site.
Vishing, or voice phishing is where the phisher calls the user using a fake caller ID, asking them to dial a number to get personal information like a bank account through the phone.
Ways to Prevent Phishing Attacks
Here are some best practices to prevent phishing attacks. Use a combination because a layered approach is more effective:
- Understand the risks around phishing and stay informed about phishing techniques—there are new ones constantly being developed
- Develop adequate policies to prevent phishing or mitigate risk
- Keep all your systems up to date
- Stay up to date with backups (see above!)
- Check online accounts regularly
- Keep browsers up to date
- Use firewalls and keep them up to date
- Research and deploy appropriate anti-phishing solutions, like anti-phishing toolbars
- Implement best practices for user behavior
- Use robust threat intelligence
Share these important tips around phishing attacks with your users, making sure they understand the tip, what it does, and how it protects them and the company:
- Don’t click on anything that looks unfamiliar or suspicious, including pop ups—contact IT first.
- Verify a site’s security before entering—if you get a notice from your browser questioning a site’s authenticity, check with IT before visiting it
- NEVER give out personal information
Protect Your Company from Phishing Attacks and More
Protecting your company against phishing attacks and other threats begins with understanding what you can do, and it’s doesn’t always require expensive technology or services. Involving your users in your cybersecurity strategy with education and testing is key in mitigating your company’s risks from phishing attacks.
Take a few minutes to watch our recorded webinar, Demystifying Cybersecurity with ArcherPoint, which discusses endpoint management, password health, backups, end user education, and more. ArcherPoint has expanded IT Managed Services cybersecurity offerings around security, risk mitigation, and disaster recovery, so contact us to discuss your cybersecurity concerns and needs.