Phishing is a type of social engineering attack that is often used to steal sensitive information from users. It happens when an attacker poses as a trustworthy person and convinces a victim to open an email, instant message, or text message. Phishing scams are spreading at an alarming pace and becoming increasingly difficult to detect. Reports show that 97% of users are unable to detect sophisticated phishing emails. Users are duped into clicking a malicious link, which can result in malware installation, device freezing as part of a ransomware attack, or the disclosure of sensitive information.
The attackers spoof their email address to make it seem as if it came from someone else, create fake websites that look like ones the victim trusts, and disguise URLs with different character sets. Phishing scams prey on human error, driven by lack of attention and innocent mistakes. “They masquerade as familiar and reliable sources to convince victims that their messages are legitimate, deceive them into providing confidential and financial information, or persuade them into clicking on a link that downloads malicious software to infect their systems. Once the attempt succeeds, the attackers have an entry point into the network,” says Ray Kafity, Vice President – Middle East, Turkey and Africa (META) at Attivo Networks. A single point of entry is all the attackers need to begin compromising a company's entire IT infrastructure.
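The "different character sets" trick above is a defender's detection problem: a hostname that mixes Unicode scripts, or that hides behind a punycode (xn--) label, can look identical to a trusted domain. The following check is an added example, not code from the article or from any vendor quoted in it; the trusted-domain set and the small confusables map are constructed for illustration (a production check would use the full Unicode confusables table).

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed for this example: domains the organisation considers its own.
TRUSTED = {"example.com", "login.example.com"}

# Constructed subset of Cyrillic letters that look like Latin ones.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}


def script_of(ch):
    """Coarse script name for a letter, taken from its Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN"):
        if name.startswith(script):
            return script
    return "OTHER"


def hostname(url):
    """Extract the hostname and decode punycode labels back to Unicode."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:          # already Unicode, or malformed punycode
        return host


def skeleton(host):
    """Replace known look-alike characters with their Latin counterparts."""
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", host))


def assess_url(url):
    """Return a list of homograph findings; an empty list means nothing suspicious."""
    host = hostname(url)
    findings = []
    if any(ord(c) > 127 for c in host):
        findings.append("non-ascii hostname")
    scripts = {script_of(c) for c in host if c.isalpha()} - {"OTHER"}
    if len(scripts) > 1:
        findings.append("mixed scripts: " + ",".join(sorted(scripts)))
    look_alike = skeleton(host)
    if look_alike != host and look_alike in TRUSTED:
        findings.append("looks like trusted domain " + look_alike)
    return findings
```

Feeding every URL from an inbound mail through `assess_url` and quarantining messages with a "looks like trusted domain" finding catches the lookalike-domain lures this article describes before a user has to spot them.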
Phishing is often used as part of a broader campaign, such as an advanced persistent threat (APT) operation, to gain a foothold in corporate or governmental networks. In this situation employees are compromised in order to circumvent security perimeters, spread malware within a closed environment, or obtain unauthorized access to protected data. A company that falls victim to such an attack usually suffers significant financial losses as well as a loss of market share, prestige, and customer confidence. Depending on the scope, a phishing attempt could turn into a security incident from which a company would struggle to recover. A single spear-phishing attack is said to result in an average loss of $1.6 million.
With these losses in mind, companies need to keep track of current phishing tactics and update their defences accordingly. It is commonly assumed that attack statistics do not differ between employees working in the office and those working remotely, but this is reportedly not the case: phishing has increased significantly as more and more people choose to work remotely, which is attributed mainly to the larger number of emails employees receive each day.
“The key factor being manipulated and exploited in phishing campaigns is the organization’s employees, and this is therefore where the vulnerability lies. Of course, cybercriminals are expertly skilled in creating compelling reasons for individuals to fall victim to their campaigns,” said Toni El Inati, RVP Sales, META & CEE, Barracuda Networks. “In an analysis conducted between October 2020 and January 2021, Barracuda researchers found that hackers are increasingly using vaccine-related emails in their targeted spear-phishing attacks. After pharmaceutical companies like Pfizer and Moderna announced the availability of vaccines in November 2020, the number of vaccine-related spear-phishing attacks increased by 12%. By the end of January, the average number of vaccine-related spear-phishing attacks was up 26% since October,” added El Inati.
The availability of phishing kits makes it simpler for cybercriminals with only rudimentary technical skills to conduct phishing campaigns. A phishing kit is a bundle of phishing website resources and tools that only needs to be installed on a server. Once the kit has been installed, all the attacker has to do is send emails to potential victims; mailing lists can even be bought on the dark web. More technically skilled attackers use other methods as well.
“Phishing techniques are diverse, as cyberattackers have become more sophisticated and creative with their techniques. What unites these attacks is their common purpose: identity theft or transferring malware,” said Alain Penel, Regional Vice President – Middle East, Fortinet. He further said that the most popular techniques are spear phishing, whaling, business email compromise (BEC), clone phishing, vishing and snowshoeing. These are among the most common, but cybercriminals use a variety of delivery methods to defraud company employees: targeted and generic business emails requesting payment of invoices, inviting staff to sign in to cloud-based services to view or update an online document, or threatening to cancel an account or service unless immediate action is taken.
It is important to educate all the employees of any company about the dangers of phishing attacks and also how to avoid them. “Organizations should train their workforce to be wary of suspicious emails, learn to spot and report phishing attempts and make efforts to get employees up to speed with the evolving threats and new phishing techniques used by attackers,” said Tamer Odeh, Regional Director at SentinelOne in the Middle East.
In addition to awareness training, there should be a protection solution in place that can automatically prevent code execution from phishing attacks – whether it’s a malicious attachment or fileless malware running in memory – as well as inspect encrypted traffic and enforce firewall controls that block known phishing domains. The only way to reduce risk within an organization is with a comprehensive security strategy that includes people, process, and technology.