Phishing attacks are on the rise and as one of our clients recently found out, a simple click of a link can be devastating to a company.
What is Phishing?
Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, ransomware attacks or the revealing of sensitive information.
Impact of Phishing
Phishing attacks can have devastating results. For individuals, this includes unauthorized purchases, the stealing of funds, or in many cases identity theft.
For businesses, phishing is often used to gain a foothold in company networks as part of a larger attack. Employees are typically targeted in order to bypass security perimeters, distribute malware inside a secured environment, or gain privileged access to secured data. Companies that fall victim to such attacks typically sustain severe financial losses, declining market share, a damaged reputation, and a loss of consumer trust.
Quantity Not Quality
Phishing attacks are simply about numbers! Attackers will typically send out thousands of fraudulent messages in the hope that just one person will make “that click” and provide the needed access into their company or private network.
In a recent incident, an employee of our client received a phishing email from what they thought was their regular online music provider. The email, which looked identical to a typical transaction email – grey logo, plain white background and traditional company font – stated that the employee’s credit card had been declined and that if they did not provide a new credit card by clicking the supplied link, the account would be sent to collections. Based on the resemblance to previous emails they had received, and fearful of potential credit issues, the employee clicked the link!
Had the employee taken a second to review the email, they would have noticed that the sender’s address was not from the proper domain, that there were several spelling errors, and that, like most online services, the music provider had a policy against asking for usernames and passwords. Spelling errors, similar but not exact domains, and pushing users into action by creating a sense of urgency are all common tools attackers use to apply pressure. The result is a user who is less diligent and more prone to errors.
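The red flags listed above (a sender domain that is close to but not the real one, spelling errors, urgency language, and a request for credentials) can be turned into a simple triage check that a help desk or mail gateway could run on a reported message. The script below is an added example written for this article, not code from CAI or from any mail product; the two sample messages, the trusted-domain list, and the indicator word lists are constructed for illustration and would need tuning in a real deployment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (made up for this example, not real mail).
SAMPLE_PHISH = """\
From: Billing Team <billing@musicprovider-support.co>
To: employee@example.com
Subject: Urgent: your credit card was declined

Your recent payment was declined. Please update your card immediatly
by clicking the link below, or your acount will be sent to collections
within 24 hours. You will be asked to confirm your username and password.

http://musicprovider-support.co/update
"""

SAMPLE_LEGIT = """\
From: Music Provider <receipts@musicprovider.example>
To: employee@example.com
Subject: Your receipt for March

Thanks for your payment. Your receipt is attached. No action is needed.
"""

# Assumption: each organization keeps its own list of domains it really deals with.
TRUSTED_DOMAINS = {"musicprovider.example"}

# Constructed indicator lists; a real deployment would tune these.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "sent to collections")
CREDENTIAL_PHRASES = ("username and password", "confirm your password", "verify your account")
COMMON_MISSPELLINGS = ("immediatly", "acount", "recieve", "verfy")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance between two strings, used to catch near-miss (typosquat) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    """Return the lowercase domain part of an RFC 5322 address header value."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_domain(domain, trusted_domains):
    """Flag a domain that is not trusted, noting whether it imitates a trusted one."""
    if domain in trusted_domains:
        return []
    for trusted in trusted_domains:
        brand = trusted.split(".")[0]
        if brand in domain:
            return [f"domain {domain!r} reuses the brand name of {trusted!r} but is not that domain"]
        if levenshtein(domain, trusted) <= 2:
            return [f"domain {domain!r} is a near-miss of {trusted!r}"]
    return [f"domain {domain!r} is not a known sender"]


def score_message(raw, trusted_domains=TRUSTED_DOMAINS):
    """Apply the red-flag heuristics to one message; returns the findings and a verdict."""
    msg = message_from_string(raw)
    # Scan subject and body together; the sample is single-part plain text.
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    findings = check_domain(domain_of(msg.get("From", "")), trusted_domains)

    urgent = [p for p in URGENCY_PHRASES if p in text]
    if urgent:
        findings.append(f"urgency language: {urgent}")
    creds = [p for p in CREDENTIAL_PHRASES if p in text]
    if creds:
        findings.append(f"asks for credentials: {creds}")
    typos = [w for w in COMMON_MISSPELLINGS if re.search(rf"\b{w}\b", text)]
    if typos:
        findings.append(f"spelling errors: {typos}")
    link_hosts = {h.lower() for h in URL_RE.findall(text)}
    bad_links = sorted(h for h in link_hosts if h not in trusted_domains)
    if bad_links:
        findings.append(f"links to untrusted hosts: {bad_links}")

    # Two or more independent red flags is enough to route the mail for review.
    verdict = "suspicious" if len(findings) >= 2 else "likely fine"
    return {"findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = score_message(raw)
        print(f"{name}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run as-is, the constructed phishing sample trips all five checks (brand name in an untrusted domain, urgency phrases, a credential request, misspellings, and a link to an untrusted host) while the receipt sample trips none. The point of the verdict threshold is that no single heuristic is reliable on its own; a legitimate notice can be urgent, and a typo alone proves nothing, but several flags together are the pattern the employee in the story would have seen had they paused to look.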
Network security alone cannot prevent 100% of phishing attacks. As we’ve found over the years, employees are your first line of defense, and having an awareness campaign is key to reducing your company’s exposure. At CAI, we partner with IT managers and CIOs to develop a customized awareness program that offers valuable IT security information over a 3-12 month period. Instead of sending out yet another boring policy reminder that is often deleted without being read, our interactive awareness campaigns engage employees in a variety of ways and develop a strong culture of awareness.
Our awareness programs include:
- Physical security
- Travel safety
- IT security
- Safety in the workplace
- Company equipment security
- Safety during natural and man-made disasters
So, if you’re looking to build a new campaign or update your existing one, give us a call and we’d be happy to help!
In the meantime, we’ve developed an infographic listing 10 Ways to Detect a Phishing Email.