thinkCSC Phishing Guide
Phishing attacks are on the rise globally.
Consider these statistics:
- 69% of all organizations have experienced a successful phishing attack in the last year.
- There has been a 400% increase in phishing attacks since 2021 in the retail and wholesale sectors.
- In July 2021, there were a quarter of a million attacks in that month alone – double that of early 2020.
- Between Q1 and Q3 in 2021, the number of brands experiencing a phishing attack increased by 75%.
- In 2022, the number of phishing attacks worldwide jumped 29%.
Phishing attacks are more common than ever, while also becoming so sophisticated that they are much more difficult to detect. It’s no longer enough to simply watch for discrepancies in grammar and syntax to recognize a scam. And email is no longer the only target – SMS phishing attacks are also on the rise – some of which cannot be blocked.
Our thinkCSC Phishing Guide can help you protect your organization.
What is Phishing?
Phishing is a form of cyberattack that takes advantage of emotions to cause a sense of urgency that induces action. Hackers are after your data, but even your credentials are valuable.
Targeted Phishing Attacks
Old-school phishing attacks were broad sweeps sent to hundreds or thousands of recipients, in the hope that a few would take the bait and click the link or download the file. Today’s phishing attacks are far more targeted. Because they rely on social engineering – using details gathered about the victim or the business to make the message appear more authentic – these phishing attempts are often successful.
Social Engineering at a Glance – the Many Faces of Phishing
Phishing itself is a social engineering attack, designed to manipulate the recipient into taking action without thinking. Other forms of social engineering include:
Baiting – This quite common phishing practice attempts to lure someone into clicking a link by promising something. During the height of the pandemic, there were many scams promising cures and treatments for COVID-19 that were nothing more than hoax websites designed to steal personal information.
Scareware – This form of phishing is one in which messages “scare” the victims into believing they’ve already been infected with malware and that they must click a link to install software to fix the problem.
Pretexting – The scammer using this nefarious form of phishing patiently builds a false relationship with the victim, pretending to be a third-party vendor, co-worker, or government official. After building trust, the cybercriminal will begin to extract information from the victim.
Smishing – Smishing is essentially phishing via SMS, and it’s becoming more prevalent. Cybercriminals who employ smishing use the same tactics associated with phishing – fear, a sense of urgency, emotional manipulation – but they do it through a text message.
Vishing – Vishing is also a form of phishing that does not rely on email. Instead, it operates through voicemails. Because the phone number from which the call comes can be spoofed so that the caller ID shows a legitimate company, these attacks are often successful.
Pharming – In this spin on phishing, the victim is silently re-routed away from a legitimate website to a fraudulent one, either by tampering with DNS settings on the victim’s device or by compromising the DNS records of the company’s website.
Whaling – Whaling, also known as Business Email Compromise (BEC), targets executives and their subordinates, using publicly available information to exploit victims. For example, an employee receives an email that appears, for all intents and purposes, to be from the CEO. The message will likely demand an immediate response (clicking a link, wiring money, providing information) that pressures the employee to act.
Spear phishing – Spear phishing is a highly targeted form of phishing in which the cybercriminals have researched specific information about the business and its associates to make the messages they send look more authentic. The spear phisher might impersonate the CFO and send a message to the accounting department requesting banking information.
Most phishing attacks are designed to steal information. A link in the email message takes the recipient to a spoofed web page that looks identical to the page it is intended to mimic. From there, whatever the user enters is compromised. Personal data, company data, banking information, and passwords are often stolen.
Phishing often begins with a spoofed website. A spoofed website is a website designed to look exactly like the page it is emulating, completely down to the URL. Commonly spoofed websites include banks, PayPal, LinkedIn – any website that can be used to extract personal data or account data for the purpose of stealing money and information.
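The spoofed sites described above depend on the user accepting a host name that merely resembles the real one. The following check, an added example that is not thinkCSC’s code, flags the common lookalike tricks against the brands the guide names (PayPal, LinkedIn); the legitimate domains, the homoglyph table and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Legitimate registrable domains for brands the guide lists as commonly spoofed (assumed).
LEGITIMATE = {"paypal": "paypal.com", "linkedin": "linkedin.com"}

# Digit-for-letter and symbol substitutions that make a lookalike read like the real name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "|": "l"})


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    # Naive eTLD+1: last two labels (assumption: no multi-part suffixes such as co.uk).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """Return (verdict, reason); verdict is 'legitimate', 'lookalike' or 'unknown'."""
    host = (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()
    reg = registrable_domain(host)
    label = reg.split(".")[0]
    for brand, real in LEGITIMATE.items():
        if reg == real:
            return ("legitimate", f"host is the real {real}")
        # Brand name buried in a subdomain of some other registrable domain.
        if brand in host:
            return ("lookalike", f"'{brand}' appears in host but registrable domain is {reg}")
        # Homoglyph substitution: 'paypa1' normalizes back to 'paypal'.
        if label != brand and label.translate(HOMOGLYPHS) == brand:
            return ("lookalike", f"'{label}' normalizes to '{brand}' after homoglyph substitution")
        # Typosquat: one edit away from the brand label.
        if label != brand and edit_distance(label, brand) == 1:
            return ("lookalike", f"'{label}' is one edit away from '{brand}'")
    return ("unknown", f"no listed brand resembles {reg}")


if __name__ == "__main__":
    # Constructed sample links of the kind an awareness tool would screen.
    for u in ["https://www.paypal.com/signin", "https://paypa1.com/login",
              "http://paypal.com.account-verify.example/", "paypl.com"]:
        print(u, "->", classify_url(u))
```

A production filter would replace the naive eTLD+1 split with a public-suffix list and extend the brand table to the organization’s own vendors and banks.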
Preventing Phishing Attacks
The best defense against a phishing attack is a well-trained offense. Your staff must not only be aware of the different forms of phishing to which they might be exposed, but they must also feel empowered to refuse to act on an email directive alone. There should be no penalty for an employee who declines to wire money on the strength of an email from an executive until they have confirmed the request with that executive in person.
Employee Awareness Training
Most successful data breaches start with a phishing attack. All it takes is one employee, one time, missing the signs of such an attack, and your organization can be exposed to costly devastation. Repeat offenders, incidentally, account for thirty percent of breaches within your company.
You can transform your employees from your greatest risk to your strongest line of defense with simple, ongoing training and phish testing. Employee awareness training should be mandatory, and required as a condition of employment, for every person on your payroll – including the CEO and other top-level leaders. In addition to this phishing guide, ongoing live phish testing should be implemented.
Policies and Procedures
The policies and procedures you implement to help protect your business should address the common risks that occur due to human error. This includes establishing policies that permit no exceptions for email communications that present a potential risk to your business, such as making payments based on email requests for money, clicking links and downloading attachments from unknown sources, or providing sensitive information via email. Establish policies that:
- Prohibit sending money or sensitive information through email or in response to an email request.
- Encourage employees to report suspicious emails; reward these employees, rather than punish them, for reporting any phishing attempt they may have accidentally been tricked into acting upon.
- Require every person in the organization to undergo ongoing phishing training and testing.
- Embrace the zero-trust mentality.
- Insist on multi-factor authentication to access your network.
Enterprise Threat Detection
Enterprise threat detection is the digital version of having armed security at every point of entry. It uses predictive analytics on a powerful, global scale to recognize and block threats before they reach you. Rather than waiting for threats to take advantage of vulnerabilities in your security, enterprise threat detection screens potential threats before they become a risk to your business by:
- Blocking malicious internet connections
- Blocking threats by malicious domains and URLs
- Detecting and blocking threats from any compromised device
We at thinkCSC feel so strongly that this is the right solution for every business that we provide enterprise threat detection to all our managed services clients at no additional cost.
Incident Response Planning
We can do everything possible to prevent a cybersecurity incident, but no security plan is 100% foolproof. As fast as the cybersecurity industry works to roll out innovative solutions to protect businesses from ransomware and other malware attacks, cybercriminals work to roll out new schemes to penetrate your security, trick your employees, and find a way into your network.
To be cybersecure, not only should you do everything you can to avoid a breach, but you should also plan for the worst, so that you can mitigate risk if something does happen. An incident response plan is a dynamic plan that identifies who is responsible for specific action steps, the type of communication strategy that needs to be implemented, and how incidents will be handled and reported.
Take Action Now
Cybersecurity is growing in complexity. Hackers are continuously learning innovative methods to gain access to personal data. Your organization must remain proactive. At thinkCSC, we believe that in order to achieve maximum success, regardless of the size or type of your organization, you must make employees an integral part of your overall security strategy. We can help you assess your existing security and policies, provide training and testing for your employees, provide the additional layers of security required to reduce and eliminate risk, and be there to get you back up to speed should something go wrong. Contact us today for more information.