Retailers are not the only people looking forward to the holiday season. It will be a busy time for scammers and fraudsters too as they send out coupons, deals and offers to consumers, and even thank-you vouchers to employees, purporting to come from organizations and brands they trust.
In fact, CIO has reported that it takes only a few minutes for experienced hackers to set up a social engineering attack against enterprises (and their managed service providers) that consider themselves to be secure and protected.
Even though email phishing (deceptive messages designed to trick a person into sharing sensitive data or money, or into running malicious software on their own system) is one of the oldest tricks in the book, email-borne attacks still account for 90% of data breaches, according to research by Hoxhunt. The combined toll of these attacks on the global economy is put at $6 trillion.
While consumers and individuals have grown generally aware of these attacks over the years – even if they aren’t aware of the term “phishing” – they are still surprisingly common and effective.
So what are the different kinds of phishing attacks prevalent today? What methods are cybersecurity experts using to minimize the impact of these attacks? How do enterprises combat these threats at a broader scale and prevent persistent phishing attempts?
Let’s dig deeper.
1. Understand the different types of phishing attacks
Phishers use social engineering tactics via almost every communication format and connection to launch phishing attacks. Unsurprisingly, there’s more to phishing than email:
- Email phishing: Attackers send emails carrying attachments that install malware when opened, or links to a site where the victim is tricked into revealing sensitive data.
- Spear phishing: Emails tailored to specific, researched targets (an individual, or a group such as the sales or IT department) whom the attacker believes hold the access or information they want.
- Whaling: Phishing aimed at senior executives such as CEOs or CFOs, whose authority and access make a successful compromise especially damaging.
- Smishing: Phishing over text (SMS) messages.
- Vishing: Phishing over voice, whether Voice over IP (VoIP) or the plain old telephone service (POTS). Attackers use automated calls and speech synthesis to pressure victims into disclosing bank details and login credentials.
- Social media phishing: Attacks executed over social platforms such as Instagram, Twitter, Facebook, or LinkedIn, designed to take over your account or use it to post messages as part of a larger campaign.
- Pharming: Attackers subvert name resolution, for example by poisoning a DNS cache (replacing a legitimate cached IP address with a malicious one) or editing the victim's hosts file, so that the correct domain name leads to a look-alike site that captures the credentials entered there.
2. Train employees to recognize phishing attempts
Along with being commonplace, phishing attacks have become so profitable (to the attackers) that the biggest cybercriminals have largely moved beyond individual customers. Rather, they target enterprise employees who can be duped into revealing information that’s much more sensitive, on a much larger scale.
“An example might be a bank – we don’t want to target its customers, we think that’s dumb and slow, we want to target the bank itself,” said Mike Connory, CEO at Security In Depth.
Since phishing attacks overwhelmingly target the human element, cybersecurity experts agree that the best defense against this is providing security awareness training to enterprise employees. This helps in early identification of attacks and increasing overall security hygiene. Some basic precautions staff in all departments need to take are:
- Keep email and website accounts (and, where possible, devices) separate for personal and work use.
- Know that legitimate companies do not ask for passwords, one-time codes or full card details by unsolicited email, text or phone. If a message requests personal, financial or corporate information, confirm it independently using contact details you already have for the organization, not those in the message.
- Don't click or copy and paste links from unexpected emails; navigate to the site yourself or use a bookmark. Shortened URLs hide the real destination, so treat them as untrusted unless you trust the source.
- Check the sender's actual email address, not just the display name. If you don't recognize it, or the domain doesn't match the organization it claims to be, be wary of opening the message.
- Closely read the full URL of every site where you log in or handle sensitive data. Look-alike domains, extra subdomains and unexpected top-level domains are how phishing pages impersonate the real one.
- Spelling and grammar mistakes are a common sign of a phishing message, but their absence proves nothing: targeted attacks are often carefully written.
- Urgency, coercion or threats are a red flag. Legitimate institutions rarely communicate that way unless there is a genuine legal dispute; verify such a message through a channel you trust before acting.
- Don't connect to Wi-Fi networks you don't trust.
Done correctly, these simple steps can make your staff battle-hardened defenders of your network. “You often hear that people are security’s weak link. That’s very cynical and doesn’t consider the benefits of using a company’s workforce as a first line of defense,” said Riaan Naude, Global Head of Consulting and Performanta.
“Employees can catch a significant number of threats hitting their inbox if they can follow a painless reporting process that produces tangible results,” Naude added. This is important because the reporting rate of attempted phishing incidents currently languishes at a paltry 3%.
3. Use AI-enabled software to implement anti-phishing security measures
AI-based phishing awareness platforms have made in-house security training less time- and skill-intensive: machine learning can tailor gamified training to each individual's current level of awareness, role in the organization and browsing behavior.
AI is also a potent tool in the hands of security teams, making routine threat detection more efficient and effective by automating it. Automation, AI-assisted where it helps, supports a range of anti-phishing measures:
- Deploy anti-malware, antivirus, and anti-spam tools and keep key applications patched and updated.
- Deploy the email authentication standards SPF, DKIM and DMARC (Domain-based Message Authentication, Reporting and Conformance) for your own domains, and verify them on inbound mail. DMARC tells receiving servers what to do with a message whose From: domain is yours but which passes neither SPF nor DKIM in alignment with that domain. With a policy of quarantine or reject it stops attackers spoofing your domain to your own employees and customers; with the default p=none it only generates reports, and it does nothing against mail from look-alike domains the attacker registered themselves.
- Schedule regular security and phishing training for employees and remedial measures for those who fail tests.
- Model legitimate communication within the organization (who normally writes to whom, how often, and in what context) and assign each inbound email a dynamic risk score, with anomaly thresholds that trigger quarantine or review.
- Integrate with cloud email services to block malicious emails that slip past the platform's native filtering.
- Give employees a one-click way to report suspicious emails, and automate the triage, analysis and handling of those reports.
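The DMARC item above, worked through in code: a receiver-side evaluation that shows why the default p=none policy delivers a spoofed message while p=reject does not, and why a look-alike domain the attacker owns still passes. This is an added example, not from the original article and not any mail server's implementation. The DMARC records and the SPF/DKIM results are constructed inline (no DNS lookup is made), the pct= tag is ignored, and the organizational-domain helper uses a last-two-labels simplification (assumption) instead of the Public Suffix List.

```python
"""Evaluate a DMARC policy the way a receiving mail server does.

Added example (not from the original article). Records and authentication
results are constructed; no DNS is queried and the pct= tag is ignored.
"""
from __future__ import annotations

# Assumption/simplification: organizational domain = last two labels.
def org_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(txt: str) -> dict[str, str]:
    """Parse 'v=DMARC1; p=reject; ...' into tags; {} if not a DMARC record."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {}
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) only the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(record: str, from_domain: str,
                      spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str) -> str:
    """Return 'pass' when SPF or DKIM passes *and* aligns with the From: domain,
    otherwise the policy the receiver should apply: none, quarantine or reject."""
    tags = parse_dmarc(record)
    if not tags:
        return "none"  # no (valid) DMARC record: nothing is enforced
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags["p"].lower()
    # sp= overrides p= for subdomains of the domain that published the record
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"].lower()
    return policy if policy in ("none", "quarantine", "reject") else "none"


# Constructed records for the organization's domain example.com
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"


if __name__ == "__main__":
    # Spoof: From: says example.com, but SPF only passes for the attacker's
    # envelope domain and there is no DKIM signature from example.com.
    spoof = dict(from_domain="example.com", spf_pass=True, spf_domain="evil.example",
                 dkim_pass=False, dkim_domain="")
    print("spoof under p=none   ->", dmarc_disposition(WEAK_RECORD, **spoof))    # none
    print("spoof under p=reject ->", dmarc_disposition(STRONG_RECORD, **spoof))  # reject
    # Look-alike domain the attacker owns: its own DMARC record passes.
    print("look-alike domain    ->", dmarc_disposition(
        "v=DMARC1; p=none", "examp1e.com", True, "examp1e.com", False, ""))  # pass
```

The last case is the caveat from the bullet: DMARC protects the domains you publish policies for, so the user-side URL and sender checks still matter for `examp1e.com` and friends.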
People-first phishing defense
While the effectiveness of any security measure depends on people, processes and technology, phishing can be beaten at its own game: it relies on social engineering, and a workforce trained to recognize it is the countermeasure. Solutions that help people become smarter, more alert, resilient and responsive will win the day against the most advanced phishing attempts. Why not arm your team to be the winning one?