“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.” This quote, attributed to Global CISO Stephane Nappo, could not be more true. On a basic level, brands are built on trust, and a brand’s reputation is irreparably tarnished when a phishing attack results in public disclosure. That reputational damage comes on top of the direct backlash associated with the attack itself.
In simple terms, phishing attacks are fraudulent attempts to obtain sensitive information or data. Phishing is also used to gain an initial foothold in a company from which attackers can reach its systems. The results can be devastating. For individuals, the consequences might be unauthorised purchases, stolen funds or identity theft. For organisations, a phishing attack can lead to severe financial loss, declining market share and loss of reputation and trust.
No matter how well known or reputable a company is, a single headline about a phishing attack will damage its image for years to come. And while a company’s identity is the backbone of its market capitalisation, the data loss itself can be the most damaging outcome of all.
On top of reputation and data loss, lost time and productivity must also be taken into account. A phishing attack involving malware will force a company to take systems down for at least some time, which translates directly into lost productivity.
Since the rise of phishing attacks poses a significant threat to all organisations, companies need to understand the most common phishing scams in order to protect their corporate information. To target users, penetrate organisations and gain access to confidential data, attackers employ a variety of strategies and are actively developing new ones.
“Phishing attacks can take place on a multitude of channels and platforms including emails, text messages, phone calls, and social media. One common technique used by attackers is email phishing. Bad actors approach users through email, masquerade as a legitimate entity, and prompt them to enter credentials. Attackers also redirect users to phishing pages, asking users to enter sensitive information, such as login information,” said Emad Fahmy, Systems Engineering Manager, Middle East, NETSCOUT.
Malicious actors are also increasingly using spear-phishing, a more targeted form of phishing. Attackers first gather personal information about the victim by mining their email or social media accounts, then contact executives while posing as familiar individuals in order to obtain passwords and other sensitive information.
“Targeted phishing attacks, so-called spear-phishing, may even use personal details gleaned from social media, previous data breaches and other online sources. Such emails may contain your name and a reference to an existing context, making it very convincing. This is sometimes automated with the help of AI to be even more successful,” said Candid Wüest, VP of Cyber Protection Research, Acronis.
Phishing scams are one of the most common types of cyber-attack, and cybercriminals benefit handsomely from them, mainly because of their sheer prevalence: thousands of people fall prey to them each year. They can nonetheless be avoided if you know how to recognise them.
As with ethical hacking, it is advisable to simulate phishing attacks to prepare for a malicious event in the future. This allows organisations to test the effectiveness of their security measures and their employees’ ability to handle the situation in real life. “During the pandemic, new phishing attacks have started to use emails from entities pretending to be real charity institutions, soliciting donations and creating a sense of urgency and legitimacy. It’s recommended to test such messages to see how employees will respond, to constantly make them more skilled in identifying suspicious emails and avoid clicking on dangerous links,” said Giuseppe Brizio, CISO EMEA, Qualys.
It is often recommended to rotate your passwords regularly to prevent an attacker from retaining unlimited access. Accounts can be compromised without the holder’s knowledge, so the extra layer of protection that password rotation provides can cut off an ongoing attack and lock out potential attackers. Using a password manager is also highly recommended.
Mohamed Abdallah, Regional Director for Middle East, Turkey & Africa at SonicWall, says, “The best defence against most credential harvesting attacks is the use of a password manager. Most are free, and none can be fooled into entering a password into a malicious site, no matter how authentic it seems. You should never actually know your password.”
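The property Abdallah describes is that a password manager fills credentials only for the exact origin they were saved on, never for a page that merely looks like it. The following simulation, added here as an illustration and not code from any vendor quoted on the page, shows that strict origin matching with constructed vault entries: lookalike hostnames, protocol downgrades, odd ports and userinfo tricks all get no fill.

```python
from urllib.parse import urlsplit

# Constructed vault: origins stored exactly as they were when the user first saved them.
VAULT = {
    "https://bank.example.com": {"username": "alice", "password": "placeholder-1"},
    "https://mail.example.org": {"username": "alice@example.org", "password": "placeholder-2"},
}


def canonical_origin(url):
    """Reduce a URL to scheme://host[:port]; this is the only key the vault is matched on."""
    parts = urlsplit(url)
    if parts.scheme not in ("https", "http") or not parts.hostname:
        return None
    host = parts.hostname.lower().rstrip(".")          # hostname is already lower-cased
    try:
        # Unicode lookalike labels become xn-- labels, so they can never equal an ASCII host.
        host = host.encode("idna").decode("ascii")
        port = parts.port                              # raises ValueError on a malformed port
    except (UnicodeError, ValueError):
        return None
    default_port = 443 if parts.scheme == "https" else 80
    port = port or default_port
    origin = f"{parts.scheme}://{host}"
    return origin if port == default_port else f"{origin}:{port}"


def autofill(url, vault=VAULT):
    """Return the saved credential only on an exact origin match, otherwise None.

    There is deliberately no substring, prefix or 'looks similar' matching: a page
    that is not the saved origin simply gets nothing, however convincing it appears.
    """
    origin = canonical_origin(url)
    return vault.get(origin) if origin is not None else None


if __name__ == "__main__":
    # Constructed sample page URLs: only the first two are the real saved origin.
    for candidate in [
        "https://bank.example.com/login",
        "https://BANK.example.com./login",
        "https://bank.example.com.evil.test/login",   # subdomain lookalike
        "http://bank.example.com/login",              # protocol downgrade
        "https://bank.example.com:8443/",             # different port
        "https://bank.example.com@evil.test/",        # userinfo trick, real host is evil.test
    ]:
        cred = autofill(candidate)
        print(f"{'FILL' if cred else 'no fill':8} {candidate}")
```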
One of the most widely recommended ways to prevent an attack is employee training. To protect your organisation, cybersecurity training must be carried out at every level, from the highest executive to the most junior employee. In short, training should be given to anyone who uses a system anywhere in the work environment.
“Educating employees not to open email attachments from unknown sources and not to visit dubious websites will go a long way to reducing everyday risks,” said Yossi Naar, chief visionary officer and co-founder, Cybereason.