PHISHING IS A REAL THREAT
Cyberattacks come in all shapes and sizes but one of the most menacing is an attack induced by phishing. As an example of social engineering of the worst kind, it is where bad actors deceive people into disclosing confidential information or trick them into installing malware such as ransomware. As a headline statistic, phishing is the most common form of cybercrime on the planet and an estimated 3 billion spam emails are sent every day. In 2021, half of all cybercrime incidents were phishing-related, each with an average cost of $136. This means that attackers stole about $44 million through this kind of fraud. Closer to home, the Cyber Security Breaches Survey reports that of all UK businesses that suffered a cyberattack in 2022, 83% say the attack was phishing. Some say that in 2023 phishing will account for the extortion of over 33 million records.
STANDARD VERSUS SPEAR
Phishing attacks typically exploit the naivety and gullibility of innocent users. Just like its homophone ‘fishing’, they use bait to entice someone to click on a link, enter sensitive data or download something catastrophic. There are two primary types of phishing:
- Standard attacks in which a large population of users are randomly targeted. While this method is haphazard, it only takes one victim to take the bait for the mission to be accomplished. Millennials and Gen-Zs are most likely to fall victim to these attacks.
- Spear phishing is a tactic that targets specific individuals or groups within an organisation using an email and an attachment. The email contains target-specific information and its level of familiarity is designed so that the victim or victims carry out the necessary actions needed to infect a network. Between 2013 and 2015 Google and Facebook were duped out of $100 million by Lithuanian fraudsters. The crooks created fake emails and invoices, pretending to be Quanta Computer, a Taiwanese hardware supplier to both tech companies. Both tech giants paid the bill.
KEEP YOUR EYE ON THE BALL
Most phishing scams aren’t as sophisticated as the ones that Google and Facebook fell for. So, if you are vigilant, you can usually spot a spam email quite easily. Here are five tips to help you.
- Legitimate companies will never send emails from a public domain. For example, an email from Amazon will have the domain name after the @ sign. So, the sender could be support@amazon.co.uk but never amazon.support@gmail.com.
- The domain name is misspelt such as support@ammazon.co.uk.
- The email is badly constructed with poor spelling and grammar.
- The email includes suspicious links or attachments.
- The message has a sense of urgency. Scammers hate procrastinators and want you to panic. Phishing emails prey on emotions such as fear and curiosity and hope to catch you off guard. Take your time, don’t react and re-read the email with a fresh set of eyes.
If an email looks suspicious, don’t open it. If you do it by mistake, then never ever click on a URL contained in it. 50% of phishing websites make use of SSL certificates.
TARGETED BRANDS
Currently, Yahoo is globally the most impersonated brand used in phishing attempts, accounting for 20% of all scams and often offering large sums of prize money to the recipient. Next is DHL (18%), then Microsoft (11%), and Google (5.8%) in fourth place. Facebook, Adobe, Amazon and Netflix are also high up on the list.
THE LIES THEY USE
According to research from security awareness company KnowBe4, some of the most common subject lines to real-life phishing emails in Q3 of 2022 were:
- Mail Notification: You have 5 Encrypted Messages
- Amazon: Amazon – delayed shipping
- Google: Password Expiration Notice
- Action required: Your payment was declined
- DocuSign: Please review and sign your document
- IT: IT Satisfaction Survey
- Microsoft: Microsoft account security code
As an aside, the three top types of data that are compromised in a phishing attack are login credentials, personal information such as your name and email, and medical information.
WHICH SECTORS ARE POPULAR?
Companies from all sectors, both enterprise and SMEs, are at risk of phishing attacks. industries most at risk along with the company size and number of employees.
| Small (1-249) | Medium (250-999) | Large (1,000+) |
| Education 32.7% | Hospitality 39.4% | Insurance 52.3% |
| Healthcare and Pharmaceuticals 32.5% | Healthcare and Pharmaceuticals 36.6% | Consulting 52.2% |
| Retail and Wholesale 31.5% | Energy and Utilities 34% | Energy and Utilities 50.9% |
The industry least prone to phishing scams is finance and banking.
THERE ISN’T A SILVER BULLET
There isn’t a silver bullet to protect you against a phishing attack. On the technical side, you can implement Secure Email Gateways (SEGs) to monitor your employees’ inbound and outbound emails, scanning them for malicious content. To help curtail spear phishing attacks, you could deploy a cloud email security solution that uses AI and machine learning to analyse each individual employee’s communication patterns and emails and establish patterns. However, remember that your team forms the heart of your business, so you should start with them. Implement ongoing security awareness training and phishing awareness programmes which will have a massive impact on how your guys respond to phishing attempts.
Some words from Stu Sjouwerman, the CEO of KnowBe4:
“Phishing emails that disguise themselves as internal communications are especially concerning since they are sure to grab the attention of users and typically incite action. New-school security awareness training for employees helps combat phishing and malicious emails by educating users on what to look out for— it is the key to creating a healthy level of scepticism to better protect an organization and build a stronger security culture.”
New-school security awareness involves phishing simulation whereby realistic phishing emails are sent to your employees in order to gauge their awareness of attacks and what to do with phishing emails when they receive them. Phishing simulation platforms are offered by Mimecast, SoSafe, KnowBe4, and many others.
LET’S CATCH THE PHISH TOGETHER
Installing state-of-the-art firewalls, changing passwords and using MFA, applying updates, and training your team are all integral to preventing a phishing attack. And this is where I can help. I have over 20 years of experience in professional business IT support for SMEs, specialising in cybersecurity and risk mitigation. I can also offer world-class cybersecurity education to your team and provide phishing simulation training. Get in touch today and let’s catch the phish together.