In today’s increasingly digital world, most of what we do, whether for business or pleasure, is carried out online. This expansion in online activity has produced an enormous rise in cyber-crime, which has become a powerful tool for criminals seeking to steal our personal information and extort money. Because of its speed, anonymity and convenience, the internet lets criminals launch high-value targeted attacks with very little effort. The most successful and damaging of all cyber-attacks is phishing. Phishing remains the most common form of cyber-attack because of its simplicity, effectiveness and high return on investment. The phishing attacks seen today are sophisticated, targeted and increasingly difficult to spot.
Phishing is an email-borne attack in which a message appears to come from a legitimate source such as a credit card company, a shipping company, a bank or a social website. The email is designed to lure the recipient into clicking a link and entering confidential data such as account numbers, passwords, PINs or birthdays into a fake website. Once you click the link, the attackers can gain access to your sensitive systems or valuable information. The Radicati Group has estimated that 3.7 billion people send around 269 billion emails every day. Researchers suggest that almost one in every 2,000 of these emails is a phishing email, which means around 135 million phishing attacks are attempted every day.
Phishing works because it targets and exploits weaknesses in human psychology and organizational culture. For example, a tired employee looking through email at the end of a long working day may mistake a fake IT request or phony retail offer for a legitimate one and unintentionally compromise an entire company with one click. Owing to its simplicity and relative ease of deployment, phishing has become a cornerstone attack method for hackers, and one that can have serious consequences for affected companies.
Phishing is such a formidable threat for organizations for several reasons:
- It is common. RSM US’s Middle Market Business Index Cybersecurity Special Report found that 43 percent of executives said hackers had tried to manipulate their employees into providing access to systems or information by pretending to be trusted persons or high-ranking company executives.
- It is effective. On average, 1 in 14 users is successfully misled into following a link or opening an attachment in a phishing email. Phishing continues to be one of the top attack vectors, accounting for 59 percent of external attacks and 30 percent of all compromises in 2016.
- It is costly and ruinous. Organizations end up losing a great deal of money responding to an incident: recovering lost data, paying regulatory fines and suffering reputational damage. One report put the cost of a successful phishing attack at $1.6 million for the average company.
Aware of this menace, many companies are taking prudent measures to combat phishing by conducting awareness training for employees or running internal phishing campaigns to test their defences. The foremost element of a strong phishing awareness training program is education: you need to know both how to detect a phish and how to report it. Awareness training programs give you practical methods for protecting and defending yourself and your organization against the pervasive and persistent risk of phishing email.
The first and foremost step in phishing awareness is recognizing the signs of possible phishing. These signs include:
Mismatched URL or misspelled sender address
Attackers often use fake URLs and false sender addresses, especially where controls such as an SPF record are in place to prevent spoofing of internal addresses. Watch for addresses ending in .corn instead of .com. Also watch for addresses ending in .net, and for unusual elements added to the domain, such as @example.suspicious.com instead of @example.com.
Tip: if in doubt, Google a suspicious domain name to determine whether it is tied to any known phishing schemes.
Unexpected or questionable requests
Any email asking you to perform an action for which you have received no prior notice (for example, upgrading to a new system) should ring alarm bells. Although hackers tailor phishes to particular lines of business and use scenarios that people in your organization may have experienced before, it is still better to verify with a supervisor before clicking, especially if the request is completely unexpected.
Dubious or suspicious attachments
Many phishing emails are designed to trick you into downloading a malicious document and enabling macros. Hackers embed macro-based malware in Microsoft Word documents and Excel spreadsheets and craft a convincing pretext to persuade users to open the file. Always double-check the origin of the file and be extremely careful about enabling macros.
The use of threatening or urgent language
A common phishing strategy is to create a sense of fear or urgency to rush someone into clicking a link. Hackers often claim that your security and confidentiality have been compromised and that immediate action is required to resolve the situation. Be wary of subject lines claiming that your account has had an unauthorised login attempt or has been suspended. If you doubt that a request is legitimate, contact the company directly via its official website or official telephone number.
Most targeted phishing emails hinge on your workplace obligations. They may appear to come from a supervisor or executive of your company asking you to download an attached document, or look like a message from your organization’s IT or security department asking you to log in to a new site or reset your password. In each case, the phishing attempt is tailored to make you feel as if you must follow the instructions as part of your job. Without proper training or caution, your sense of obligation may override any suspicions you have.
Many phishing emails take the form of an offer. They present an attractive opportunity in the hope of luring you into performing a particular action. For instance, an email may be engineered to look like a coupon, a contest or a company appreciation effort with various potential rewards. Hackers will use almost anything as bait: a gift card to a grocery store or restaurant, tickets to a local sports event, or just plain old cash. If the right opportunity comes along and you are not cautious, you may be put at risk.
Responding to an incident promptly, with a strong reporting procedure, can mitigate or eliminate the damage of even a successful phish. Take the following steps when you spot a phishing email:
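Several of the signs above are mechanical enough for a security team to check automatically on a reported message: a sender domain that is a look-alike of, or has extra elements bolted onto, the organization's own domain; a link whose visible text does not match where it really points; a macro-capable attachment; and urgent wording in the subject line. The script below is an added example written for this page, not code from the original article. It uses only Python's standard library, assumes example.com is the organization's own domain (a placeholder), and triages a message constructed here for illustration.

```python
# Added example for this page, not code from the original article. Assumes
# example.com is the organisation's own domain (placeholder); stdlib only.
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organisation's own domains
# Office formats that can carry VBA macros (the legacy .doc/.xls formats too).
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xltm", ".doc", ".xls")
# Subject-line phrases typical of fear-or-urgency pretexts.
URGENT_PHRASES = ("suspended", "unauthorised login", "unauthorized login",
                  "immediate action", "verify your account")
# Substitutions behind look-alike domains: "rn" reads as "m", so .corn mimics .com.
LOOKALIKE_SUBS = (("rn", "m"), ("0", "o"), ("1", "l"), ("vv", "w"))
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_HOST_RE = re.compile(r'^[a-z][a-z0-9+.-]*://([^/:?#]+)', re.I)

def normalise(domain: str) -> str:
    """Undo common look-alike substitutions so the domain can be compared."""
    d = domain.lower()
    for fake, real in LOOKALIKE_SUBS:
        d = d.replace(fake, real)
    return d

def domain_of(address: str) -> str:
    """Domain part of a header address: 'Bob <bob@x.com>' -> 'x.com'."""
    addr = parseaddr(address)[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def url_host(url: str) -> str:
    m = URL_HOST_RE.match(url.strip())
    return m.group(1).lower() if m else ""

def is_trusted(domain: str) -> bool:
    """A trusted domain or a real subdomain; example.suspicious.com is neither."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)

def classify_domain(domain: str) -> Optional[str]:
    """Why the domain looks like an impersonation, or None if it does not."""
    if not domain or is_trusted(domain):
        return None
    fixed = normalise(domain)
    # Only a look-alike if undoing the substitutions yields a trusted domain,
    # so a legitimate domain that merely contains "rn" is left alone.
    if fixed != domain and is_trusted(fixed):
        return f"look-alike domain {domain}"
    if any(t.split(".")[0] in domain for t in TRUSTED_DOMAINS):
        return f"trusted name embedded in untrusted domain {domain}"
    return None

def triage(raw_message: str) -> List[str]:
    """Return human-readable findings to attach to the help-desk ticket."""
    msg = message_from_string(raw_message)
    findings: List[str] = []
    sender = domain_of(msg.get("From", ""))
    reason = classify_domain(sender)
    if reason:
        findings.append(f"sender: {reason}")
    subject = msg.get("Subject", "").lower()
    hits = [p for p in URGENT_PHRASES if p in subject]
    if hits:
        findings.append("urgent language in subject: " + ", ".join(hits))
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(MACRO_EXTENSIONS):
            findings.append(f"macro-capable attachment {name}")
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = part.get_payload(decode=True).decode(charset, "replace")
            for href, text in ANCHOR_RE.findall(html):
                shown, target = url_host(text), url_host(href)
                if shown and shown != target:  # visible URL differs from real target
                    findings.append(f"link text shows {shown} but points to {target}")
                reason = classify_domain(target)
                if reason:
                    findings.append(f"link: {reason}")
    return findings

# Constructed sample message (not a real phish) that exercises each check.
SAMPLE_EMAIL = """\
From: IT Helpdesk <helpdesk@example.corn>
Subject: Unauthorised login attempt - immediate action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account has been suspended. Please verify here:
<a href="http://example.corn/verify">https://example.com/verify</a></p>
--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12
Content-Disposition: attachment; filename="invoice.xlsm"

placeholder-attachment-body
--b1--
"""
```

Calling `triage(SAMPLE_EMAIL)` returns five findings: the look-alike sender domain, the two urgent phrases in the subject, the link whose text shows example.com but points at example.corn, the look-alike link domain, and the macro-capable attachment. The look-alike test deliberately fires only when undoing the substitutions yields one of the trusted domains, so an unrelated legitimate domain that happens to contain "rn" is not flagged; a message from a genuine subdomain such as it.example.com with no links or attachments produces no findings.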
- Promptly inform your manager or supervisor;
- Record the incident via a help-desk ticket or an email to security or IT personnel (depending on your organization). This creates a paper trail that can be relevant to the incident response or damage recovery plan, and it sets the wheels in motion for a full security response;
- Avoid forwarding the email to anyone, even when reporting the incident. Forwarding only spreads the risk, increasing the chance that another user may unintentionally click on a malicious link or attachment;
- If possible, take a screenshot of the email to capture the relevant information.
At this juncture, your organization’s security or IT team can respond to the incident by:
- Alerting users of the phish
- Recalling the email from user inboxes to avoid further damage
- Blocking the IP address of the attacker
- Examining potentially compromised devices or systems
- Investigating what further access the hackers may have gained
- Changing passwords as necessary