Shanna Utgard, award-winning cybersecurity trainer and success manager at Defendify, discusses current phishing trends, their impact on organizations of all sizes, and ways you and your team can detect them in the webinar How to Spot a Phish: Tips to Spoil Advanced Phishing Attempts.
Give a man a fish and you feed him for a day; teach him how to spot a phishing attack and you protect the whole company. Phishing emails remain the number one threat vehicle that results in a cyber breach, and as they grow in sophistication, the best approach to prevent a costly attack is to train employees how to spot them.
When it comes to organizational risk, there is a variety of information that could prove valuable to cyber attackers. All organizations have sensitive data that can be leveraged or sold on the dark web, including company intellectual property and trade secrets, tax documents for the company and employees, bank information and wire transfer details, and so much more.
Current Phishing Trends
While the old-school Nigerian prince emails continue to circulate, phishing attacks have evolved alongside the risk mitigation measures meant to stop them. In fact, attackers continuously assess new and updated spam filters to ensure their emails will get through so that they can achieve their goals, whether it is business email compromise, malware in attachments, ransomware delivery, or credential harvesting. By bypassing spam filters and getting employees to fill out a form, click on a link, open a file or take some other type of action (e.g., sending money or sharing more information), successful phishing attacks can open organizations up to significant risk.
Many of today’s hacking tactics center on social engineering: the use of deception to manipulate individuals into divulging confidential information or sensitive data that bad actors may use for fraudulent purposes. Often, phishing attempts begin with a research phase, during which bad actors investigate company web pages and employee social media profiles, taking note of information that could be used to personalize emails (or even crack logins). Hackers can also use a fabricated scenario as an initial touchpoint, called “pretexting,” to confirm information about a target, gathering additional information to be used in a secondary attack. This method of “people hacking” provides bad actors with the information they need to personalize phishing emails for greater success, a technique known as spear phishing. Purporting to be a respected sender, attackers can send emails to specific and well-researched targets to gain access to personal or company information.
Stay vigilant with a culture of cybersecurity awareness
Ultimately, phishing relies on a connection to the receiver’s humanity – whether that is done by using personal information to appear legitimate or eliciting an emotional response that encourages the reader to act. For example, if an unexpected email asks you to fill out a form, click on a link, open an attachment, or take an action (such as paying an invoice or replying with confidential information), the best thing to do is to verify its authenticity through a different method. When in doubt, check it out! Reach out to the purported sender through a phone call, instant message, or text message – and not by responding to the original email – to ensure you do not fall prey to a phishing attack.
And phishing is just one type of cyber attack that could open an organization to risk. Organizational cybersecurity is not a one-time project; it’s an ongoing posture. To consolidate and streamline cybersecurity, organizations should layer up on their methods, leveraging technology that goes beyond traditional antivirus and firewalls, creating a culture of employee awareness and institutional knowledge, and building a foundation of policies, procedures, and plans to address risk.
While it may not be possible to stop every single phishing attack, there are steps that organizations – and individual employees – can take to build a strong cyber posture and limit the opportunity for bad actors to get ahold of sensitive information. Defendify’s all-in-one cybersecurity solution means more protection, less to manage, and an easier road to compliance.