Phishing emails are one of the simplest and most common attack methods used by cyber criminals. Though widely used to target individuals and their valuable personal and financial information, phishing emails can also carry dangerous files, trojans and viruses. Through a single recipient, these malicious files can embed themselves in company servers, steal information, and even shut systems down, with their creators demanding a ransom to release their hold.
Phishing attacks rely on individual victims
Proofpoint’s new “Annual Human Factor Report,” as covered by ZDNet, finds that more than 99% of the attacks it observed rely on a human action, typically an unsuspecting victim clicking a URL that leads to a malicious site or download.
Proofpoint Vice President Kevin Epstein says:
“More than 99 percent of cyberattacks rely on human interaction to work—making individual users the last line of defense. To significantly reduce risk, organizations need a holistic people-centric cybersecurity approach that includes effective security awareness training and layered defenses that provide visibility into their most attacked users.”
Increasing sophistication of phishing attacks
Email-based cyber attacks, known as phishing emails, are becoming “increasingly sophisticated”, writes ZDNet. Indeed they are: many now contain snippets of personal information, or appear to come from a colleague or a reputable service provider.
The clue to a nefarious email is often in the sender’s email domain, the slightly off wording, or the details of the URL included in the message. A genuine PayPal sender domain or link, for example, ends in plain “paypal.com”. A suspect link or originating domain may add or swap letters, numbers or symbols that are easy to miss at a glance. It is the end of the host name that counts, because that is the registered domain: “paypal.com” appearing at the start of a longer host name is no guarantee of anything.
Edward Whittingham, Managing Director of The Defence Works told SC Media back in March 2019:
“Hovering over the link to see the destination URL is always a good idea. By doing this, users can check out the true destination which will typically not reflect the actual brand that it pretends to be from, or it will be close, but misconfigured in some way.”
At the time, SC Media was covering a report by CyberInt researchers on phishing emails sent to financial sector employees and disguised as an internal anti-fraud exercise. When the lure was opened, a malicious file was dropped onto the corporate network in question, potentially without the employee’s knowledge. The file, a trojan, was described as able to extract the hidden codes used to protect sensitive information within a bank or other financial institution.
Highly targeted attacks of this kind are dubbed “spear phishing”. Because they are more convincing, more recipients click, unwittingly opening a doorway into their employer’s network for a cyber criminal who is usually after specific information.
Barracuda Networks reported another case, a phishing campaign targeting airline travellers. The malicious email’s subject line contained enough detail about the airline, the destination and the price of the flight that it was opened by over 90% of recipients.
Education and security awareness offer protection
The key to protecting individuals, and thus their employers, is education and, as Proofpoint says, security awareness. Training in how to identify phishing emails and deal with them safely is vital. Hovering the mouse over a URL in an email, for example, reveals where the click will really take you; if it looks suspect, it probably is, so don’t click. Bear in mind that there is no hover on a touchscreen and that a link shortener or redirect can hide the final destination, so when in doubt reach the service by typing its address yourself rather than through the email. If unsure, avoid the email, delete it, or ask a system administrator for advice.
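The hover check described here, and the look-alike domains discussed above under the PayPal example, can be applied to a whole message at once. The Python script below is an added example, not code from this article or from The Defence Works. The trusted brand list, the digit-for-letter substitution table and the sample email are assumptions constructed for the demonstration. It extracts every link from an HTML body, compares the site named in the visible text with the real destination, and flags any host that contains a trusted brand’s name without actually being under that brand’s domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (not from the article): brands this organisation expects genuine mail from.
TRUSTED_BRANDS = {"paypal.com"}

# Digits commonly swapped for look-alike letters in typosquatted host names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample phishing body for the demonstration; it is not a real message.
SAMPLE_EMAIL = """<p>Dear customer,</p>
<p>Please <a href="http://paypa1.com/login">https://www.paypal.com/login</a> to confirm your details.</p>
<p>Or <a href="https://paypal.com.account-verify.net/x">verify your account</a> here.</p>
<p>Your account page: <a href="https://www.paypal.com/myaccount">www.paypal.com</a></p>
<p><a href="https://example.org/unsubscribe">Unsubscribe</a></p>"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._href = href
                self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased host of an http(s) URL or bare domain; '' when there is none."""
    parsed = urlparse(value)
    if not parsed.scheme:              # bare "www.paypal.com/login": add a scheme so the host parses
        parsed = urlparse("http://" + value)
    if parsed.scheme not in ("http", "https"):
        return ""                      # mailto:, tel:, javascript: and similar are out of scope here
    return (parsed.hostname or "").lower().rstrip(".")


def site_of(host):
    """Approximate registrable domain: the last two labels (ignores co.uk-style suffixes)."""
    return ".".join(host.split(".")[-2:])


def normalise(host):
    """Undo common look-alike tricks so 'paypa1' compares as 'paypal' and 'rn' as 'm'."""
    return host.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def check_link(href, text):
    """Return the reasons a link looks suspicious; an empty list means nothing obvious."""
    reasons = []
    dest = host_of(href)
    if not dest:
        return reasons

    # 1. The hover test: the visible text names one site, the real destination is another.
    shown = host_of(text) if not re.search(r"\s", text) else ""
    if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", shown) and site_of(shown) != site_of(dest):
        reasons.append(f"text shows {shown} but the link goes to {dest}")

    # 2. Brand imitation: the brand name is in the host, but the host is not under the brand's
    #    domain (catches paypa1.com, secure-paypal.com and paypal.com.evil.net alike).
    for brand in sorted(TRUSTED_BRANDS):
        label = brand.split(".")[0]
        if label in normalise(dest) and site_of(dest) != brand:
            reasons.append(f"{dest} imitates {brand} but is not under it")
    return reasons


def audit_email(html):
    """Run check_link over every anchor in an HTML email; returns [(href, text, reasons), ...]."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [(href, text, check_link(href, text)) for href, text in extractor.links]


def flagged_hrefs(html):
    """Only the destinations that raised at least one reason."""
    return [href for href, _, reasons in audit_email(html) if reasons]


if __name__ == "__main__":
    for href, text, reasons in audit_email(SAMPLE_EMAIL):
        print(f"{'SUSPICIOUS' if reasons else 'ok':10} {text!r} -> {href}")
        for reason in reasons:
            print(f"           - {reason}")
```

Run against the sample, the script flags the two malicious links and passes the genuine PayPal link and the unsubscribe link. The registrable-domain approximation (last two labels) is deliberately simple; a production filter would use the public suffix list, and a scan like this complements user training rather than replacing it, since a link can still redirect to a different host after the click.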
There is also the question of what to do if you do fall for a malicious email. A 2018 survey of 700,000 phishing emails found that half of the recipients opened them and about a third clicked a phishing link. Such a link could ask for financial data or login credentials, or release dangerous malware onto the user’s computer. Here at The Defence Works we have a quick guide on what to do if you click a phishing link.
Proofpoint’s recent report compiles 18 months of data from its corporate customers. It also found that cyber criminals are imitating businesses more closely in order to convince recipients that an email is genuine, for instance by sending mail during normal business hours. This evolution from the early high-volume, hit-and-hope approach means that even the savviest individual might fall for a scam.
Corporate action to combat phishing is evolving
Companies are evolving to cope with such attacks too. Alongside security awareness training, simulated phishing, or phishing tests, is increasingly common as a way to cement employee awareness. Here a company or its IT security provider sends its own employees fake phishing emails, helping them to spot real attacks in the future.
The Defence Works can help your company keep up with the increasing sophistication of phishing attacks, protecting it from what can be a devastating impact by safeguarding individual employees through security awareness training. We can also help with simulated phishing campaigns, carried out in a way that supports individuals and reinforces what they have learned.
Try our free demo to learn more. Individuals are empowered by knowing that they are the last line of defence and by taking an engaged role in the fight against cyber crime.