The Dangers of Phishing – Help Employees Avoid the Cybercrime Trap
Alliance Business Technologies
To help you stay informed and proactively educate your employees about phishing attacks, we have put together this blog post and an accompanying e-book. In them you will learn the most common types of phishing attack, how to spot them, and tips to protect your company and educate your employees.
What is Phishing?
Phishing is an email-based attack in which the sender impersonates a legitimate, trusted organisation or person in order to collect sensitive data such as financial details or login passwords. Phishing emails typically carry a malicious attachment that installs malware, or a link to a fraudulent website that lures the user into entering information which is later used for identity or data theft.
Phishing emails are sent to very large numbers of recipients, usually at random, with the expectation that only a small percentage will respond.
Why Phishing Matters
Phishing is an extremely common form of email attack. It is particularly dangerous because it exploits human behaviour rather than a technical flaw. For example, a phishing email might claim that the user's bank account is overdrawn and direct the user to log in to a fake bank website to resolve it. Because people often reuse the same password across multiple accounts, the attacker can take the password entered on the fake site and try it against the user's real accounts.
Phishing was the most commonly reported scam type to the ACCC (Australian Competition and Consumer Commission) in 2017, and reports to the ACCC showed that losses from these scams increased, surpassing $4.6 million that year.
However, the true cost of these scams is often not felt right away, because the scammer's primary aim is to obtain personal and banking information for later use.
Types of Phishing Scams
1. Deceptive Phishing
What it is: The most common type of phishing scam, deceptive phishing refers to any attack in which the attacker impersonates a legitimate company in an attempt to steal your personal information or login credentials. These emails frequently use threats and a sense of urgency to scare users into doing the attacker's bidding.
For Example: Scammers claiming to be from a bank might send an email warning that your account will be frozen unless you click on the link provided and enter your account details.
2. Spear Phishing
What it is: Spear phishing is a personalised attack aimed at a specific person. Unlike bulk phishing emails, which are sent en masse to any address the attacker can find, a spear phishing email targets a single individual. Criminals select a target within an organisation and customise the email with your name, position, company and work phone number, gathering those details from social media and other public sources. Their goal is to make you believe the sender knows you, so that you click a malicious URL or open an attachment.
For Example: A spear phishing email may appear to come from your organisation's HR department asking you to verify your benefits policy information.
3. CEO Fraud
What it is: CEO fraud occurs when an attacker has successfully spear phished a CEO or other senior executive of the company and stolen his or her login credentials.
For Example: The attacker then sends an email from the CEO's own account, or registers a look-alike domain that differs from the real one by a single letter or digit and copies the CEO's name and signature, and asks an employee to wire funds to a bank account of the attacker's choosing.
These attacks rarely trigger conventional spam filters because they are not sent in bulk; each victim is carefully chosen by the attacker.
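The "off by one letter or number" domain trick above is something a mail gateway or a helpdesk script can catch automatically. The following is an added example (not code from the original post or from any vendor) that classifies sender addresses as internal, look-alike or external. It assumes a constructed company domain `example-corp.com`, a small illustrative table of confusable characters, and approximates the registrable domain as the last two labels; a production version would use the Public Suffix List.

```python
"""Flag sender domains that impersonate a company's own mail domain.

Added example (not code from the original post or any vendor); the company
domain, the confusable-character map and the sample addresses are all
constructed for illustration.
"""
from typing import Dict, List

# Constructed: the domain the company genuinely sends mail from.
COMPANY_DOMAIN = "example-corp.com"

# Illustrative map of characters attackers substitute for look-alikes.
# Multi-character entries are applied before single characters.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c", "\u0440": "p",  # Cyrillic a e o c p
}


def normalise(domain: str) -> str:
    """Lower-case, decode punycode (IDN) and undo common look-alike substitutions."""
    d = domain.lower().rstrip(".")
    try:
        d = d.encode("ascii").decode("idna")  # "xn--..." labels become Unicode
    except UnicodeError:
        pass  # already Unicode, or not a valid IDN label: keep as-is
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(src, dst)
    return d


def registrable(domain: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Assumption for this example; real code should consult the Public Suffix
    List so that names such as "example.com.au" are handled correctly.
    """
    return ".".join(domain.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character changes needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, company_domain: str = COMPANY_DOMAIN) -> str:
    """Return 'internal', 'lookalike' or 'external' for the domain of an address."""
    domain = address.rsplit("@", 1)[-1]
    if registrable(domain.lower().rstrip(".")) == registrable(company_domain.lower().rstrip(".")):
        return "internal"
    norm_theirs = registrable(normalise(domain))
    norm_ours = registrable(normalise(company_domain))
    if norm_theirs == norm_ours:
        return "lookalike"  # identical once confusable characters are undone
    ours_name, theirs_name = norm_ours.split(".")[0], norm_theirs.split(".")[0]
    # Same name under another TLD, a name within two edits of ours, or our
    # name embedded in a longer one ("example-corp-secure") are all suspicious.
    if levenshtein(ours_name, theirs_name) <= 2 or ours_name in theirs_name:
        return "lookalike"
    return "external"


def triage(addresses: List[str]) -> Dict[str, List[str]]:
    """Group a batch of sender addresses by classification."""
    groups: Dict[str, List[str]] = {"internal": [], "lookalike": [], "external": []}
    for addr in addresses:
        groups[classify_sender(addr)].append(addr)
    return groups


if __name__ == "__main__":
    # Constructed sample senders.
    sample = ["ceo@example-corp.com", "ceo@examp1e-corp.com", "ceo@exarnple-corp.com",
              "ceo@example-corp.co", "ceo@example-corp-secure.com", "sales@partner-supplies.com"]
    for verdict, addrs in triage(sample).items():
        print(verdict, addrs)
```

Anything classified as "lookalike" is worth a warning banner or a hold in quarantine; note that the confusable map is deliberately small and that the two-edit threshold should be tuned for short company names, where almost anything is within two edits.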
4. Pharming
What it is: Whereas phishing tries to capture personal information by persuading users to visit a fake website, pharming silently redirects users to a fake version of a legitimate website they are trying to reach. This is typically done by infecting the computer with malware that tampers with name resolution (for example by editing the local hosts file), so you land on the fake site even if you type the real address or click a saved bookmark.
For Example: Office 365 credential phishing
Emails contain links that open a phishing page hosted on a compromised WordPress site. The scammers behind this attack have set up their page to look like the Office 365 sign-in portal.
The objective of the scam is to harvest victims' login credentials when they sign in to the fake portal.
How to spot a Phishing Attack
Tips to Protect your Business & Educate your Employees
- Educate all employees and raise awareness of the dangers of Spear Phishing through training.
- Keep your systems and programs updated. Install (and use all the features of) a reliable security solution, including vulnerability scanning, patch management and advanced malware detection.
- Users should be cautious about which websites they visit and which files they open on corporate computers and devices.
- Companies need to avoid listing employee names on their company website.
- All employees need to be aware that Company data and information is an extremely valuable commodity on the cybercriminal market.
- Users should inspect every URL carefully before clicking (hover over the link to see where it really leads) and treat links that point to an unknown or look-alike domain as suspicious. They should also look out for generic salutations, grammar mistakes and spelling errors scattered throughout the email.
- Companies should consider amending their financial policies so that no one can authorise a financial transaction via email.
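Several of the tells in the list above (a link whose visible text disagrees with its real destination, a Reply-To that does not match the sender, a generic salutation, urgency wording) can be checked mechanically before a message reaches a user. The following is an added example, not code from the original post; it parses a raw email with Python's standard `email` module and reports those tells. The two messages are constructed, with fictitious domains under the reserved `.example` TLD, and the keyword lists are illustrative rather than exhaustive.

```python
"""Inspect a raw email for common phishing tells: mismatched links, a Reply-To
that does not match the sender, generic salutations and urgency language.

Added example, not code from the original post; the two messages below are
constructed, with fictitious domains under the reserved .example TLD.
"""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

GENERIC_SALUTATION = re.compile(r"\b(dear|hello|hi)\s+(customer|user|client|member|account holder)\b", re.I)
URGENCY = re.compile(r"\b(immediately|within 24 hours|suspended|frozen|verify your account|act now)\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL; bare domains without a scheme are accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def address_domain(header_value: str) -> str:
    """Domain part of 'Name <user@domain>' or 'user@domain'."""
    return header_value.rsplit("@", 1)[-1].strip("> ").lower()


def inspect_message(raw: str) -> List[str]:
    """Return human-readable findings; an empty list means no tells were found."""
    msg = message_from_string(raw, policy=policy.default)
    findings: List[str] = []
    from_domain = address_domain(msg.get("From", ""))

    reply_to = msg.get("Reply-To")
    if reply_to and address_domain(reply_to) != from_domain:
        findings.append(f"Reply-To domain {address_domain(reply_to)} differs from From domain {from_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(text)
        for href, visible in collector.links:
            target = host_of(href)
            # If the clickable text itself looks like a URL or domain, it must agree
            # with the real destination; otherwise the link should at least stay on
            # the sender's own domain.
            shown = host_of(visible) if re.search(r"\w\.\w", visible) else ""
            if shown and shown != target:
                findings.append(f"link text shows {shown} but points to {target}")
            elif target and target != from_domain and not target.endswith("." + from_domain):
                findings.append(f"link to {target} does not belong to sender domain {from_domain}")

    if GENERIC_SALUTATION.search(text):
        findings.append("generic salutation")
    if URGENCY.search(text):
        findings.append("urgency language")
    return findings


# Constructed phishing sample: look-alike sender, mismatched Reply-To, deceptive link.
PHISH_SAMPLE = """\
From: Example Bank Security <security@examp1e-bank.example>
Reply-To: support@examp1e-bank-mail.example
To: customer@example-corp.example
Subject: Your account has been frozen
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Unusual activity was detected and your account has been frozen. Verify your account within 24 hours at
<a href="http://login.example-bank.com.attacker.example/verify">https://www.example-bank.com/secure</a>.</p>
</body></html>
"""

# Constructed benign sample for comparison.
CLEAN_SAMPLE = """\
From: Alice <alice@example-corp.example>
To: bob@example-corp.example
Subject: Lunch on Thursday
Content-Type: text/plain; charset="utf-8"

Hi Bob, are we still on for lunch on Thursday?
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, inspect_message(sample) or ["no findings"])
```

The link check is the one users find hardest to do by eye, because the clickable text can show any address at all; the code looks only at the `href`, which is what the browser will actually open. Findings are hints for a reviewer, not a verdict: legitimate newsletters routinely link to third-party domains, so the last rule produces noise on its own and is most useful combined with the others.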
Take Action to Defend Your Business
Real-Time Spear Phishing and Cyber Fraud Defense — Barracuda Sentinel is the only solution in the market that can automatically prevent email account takeover. It utilizes AI to learn an organization’s communications history and prevent future spear phishing attacks. It combines three powerful layers: an artificial intelligence engine that stops spear phishing attacks in real time, including emails that originate from within the company; domain fraud visibility using DMARC authentication to guard against domain spoofing and brand hijacking; and fraud simulation training for high-risk individuals.
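DMARC, mentioned above as the mechanism behind domain fraud visibility, works by asking whether SPF or DKIM passed for a domain that aligns with the visible From: address, and then applying the policy the domain owner published. The following is an added example, not Barracuda's or the original post's code, that implements that decision for a single message. It assumes the SPF and DKIM results have already been computed by the receiving server, approximates the organisational domain as the last two labels (real implementations use the Public Suffix List), ignores the `pct` tag, and uses constructed records and messages.

```python
"""Decide what a receiving mail server should do with a message under DMARC.

Added example, not Barracuda's or the original post's code. The organisational
domain is approximated as the last two labels (a simplification; real
implementations use the Public Suffix List), the "pct" tag is ignored, and the
records and messages below are constructed.
"""
from typing import Dict, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record such as "v=DMARC1; p=reject; aspf=s" into tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, approximated as the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment (RFC 7489): strict ("s") needs an exact match,
    relaxed ("r") only needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: str, from_domain: str,
                      spf_domain: Optional[str], spf_pass: bool,
                      dkim_domain: Optional[str], dkim_pass: bool) -> str:
    """Return "pass" if SPF or DKIM passed *and* aligns with the From: domain;
    otherwise the action the domain owner requested: none, quarantine or reject."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "none"  # malformed or missing policy: the receiver is not told to act
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"].lower()


# Constructed records for the company domain used in the scenarios below.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example-corp.com"    # reports, blocks nothing
ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.com"     # rejects unaligned mail
ENFORCING_STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example-corp.com"


def scenarios() -> Dict[str, Dict[str, str]]:
    """Three constructed messages evaluated against each record."""
    spoof = dict(from_domain="example-corp.com",
                 spf_domain="bulk-sender.example", spf_pass=True,  # attacker's own SPF passes
                 dkim_domain=None, dkim_pass=False)                 # but nothing aligns with From:
    legit = dict(from_domain="example-corp.com",
                 spf_domain="example-corp.com", spf_pass=True,
                 dkim_domain="example-corp.com", dkim_pass=True)
    subdomain_signed = dict(from_domain="example-corp.com",          # signed with d=mail.example-corp.com
                            spf_domain=None, spf_pass=False,
                            dkim_domain="mail.example-corp.com", dkim_pass=True)
    messages = (("spoof", spoof), ("legit", legit), ("subdomain_signed", subdomain_signed))
    results: Dict[str, Dict[str, str]] = {}
    for rec_name, rec in (("monitor_only", MONITOR_ONLY), ("enforcing", ENFORCING),
                          ("enforcing_strict", ENFORCING_STRICT)):
        results[rec_name] = {name: dmarc_disposition(rec, **m) for name, m in messages}
    return results


if __name__ == "__main__":
    for rec_name, outcomes in scenarios().items():
        print(rec_name, outcomes)
```

The scenarios show the two things practitioners most often get wrong: a record with `p=none` gives you reports but lets the spoofed message through unchanged, so the protection only starts once the policy moves to `quarantine` or `reject`; and turning on strict alignment (`adkim=s`) rejects the company's own mail as soon as a subdomain such as `mail.example-corp.com` signs it, so the relaxed default is usually the right one unless every sending system signs with the exact From: domain.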
Traditional Email Security Solutions are not Enough
Spear phishing emails are highly personalised. They are also sent in much smaller volumes than traditional spam or bulk phishing, and typically they contain no malicious attachment or link. This makes them very difficult to detect with existing email security solutions that rely on volume, rules or heuristic-based detection. Instead, spear phishers engage the victim in a real human conversation. The messages are compelling social engineering attacks whose instructions sit in the body of an otherwise clean email, making them virtually undetectable with traditional solutions.
Phishing attacks can be enormously costly and destructive, and new scams appear every day. Don't wait until it happens to your business; act now to protect your company from financial and reputational damage. Effective cybersecurity requires a multi-layered strategy.
With such a strategy in place you will significantly reduce the risk of malicious email entering your network. Please contact one of our team members today about your company's cybersecurity needs.
p: 1300 705 062