Phishing has been around almost as long as email itself. Remember those African princes looking for you to wire them money over 20 years back? Those initial emails may not have been much to worry about, but have they changed into believable and life-devastation today.
Phishing remains the largest attack vector onto business and enterprise networks and the most effective tool cybercriminals use to get what they want—identities, information and money.
The reason why phishing is so widely used? It’s cheap, easy, and hits a large target group. All the criminal needs to do is send out thousands upon thousands of emails (mailed to long lists of contacts) and wait for the bites.
On top of the fact that phishing is so easy nowadays, it’s getting more and more sophisticated. Talk tracks in emails are terribly convincing (from those Nubian Prince emails of the ‘90’s). Spoofing email addresses, getting digital information from social media and the web, all make for more believable emails and get the recipients of those emails to do something very simple—click on a link or attachment.
One key area that will certainly help limit the amount of phished employees you have in your ranks is with user awareness and training. A critical component to avoiding to get phished today is by having a team with experience recognizing phishing scams. By having users that see convincing emails, get phished, and see why they were phished, they’re able to learn from their mistakes and be more skeptical when it comes to email security. [If you’re a Dynamic Edge client, ask about our practice phishing campaigns and security training.]
BUT, even with phishing training and security seminars, there’s no avoiding the possibility that someone mistakenly clicks on a bad link (either in an email or goes to a malicious website on accident). The more sophisticated phishing and cyberattacks get, the harder they will be to distinguish by simply looking at them. The easier it will be to interpret them as legitimate. They play on our trusting human nature plain and simple.
Added security to help keep your teams safe? More and more, IT teams need to consist partially of security experts, whose primary focus is finding strategies to keep users safe from their innate human nature to click on believable emails and seemingly trusted websites. They need to understand present postures and practices—both on the good and bad sides of the coin—and have solutions to implement additional security measures, either technical, policies and procedures to ensure your organization remains secure in light of growing and very focused threats.
The first step to defending against phishing or other cyberattacks? Your IT team needs to understand the full extent of each attack and its implications. Phishing currently makes up nearly 80 percent of successful cyberattacks. By distributing malware directly onto a user’s system, deploying ransomware, cryptojackers and keyloggers, cybercriminals are getting easy access to your network and direct pathways to accessing or exploiting sensitive or valuable data.
But criminals are doing more than just stealing data. After stealing a user’s credentials, they may go farther to inject code into other processes (looking relatively normal if simply investigated at the surface with standard IT tools). They set up backdoors to your network with persistent footholds on your network, conduct reconnaissance of weeks to months and even forego compromising endpoints that have access to sensitive data AND access to cloud-based systems. [Note: simply having your data in the cloud does not make your organization safer from phishing attacks. In fact, if the right user is compromised—with access onto those cloud-based systems—a hacker will easily be able to jump from the infected workstation to the cloud in no time.]
Your best defense? To stop these attacks before they reach your user’s computer. Know where your vulnerabilities lie. Close the open backdoors that could potentially give them footholds on your network. Lower the risks of individual machines compromising your sensitive data and network security.
Not sure where to begin? Consider a free network security assessment to help identify your vulnerabilities.
