Phishing has truly gone from a simple hacking tool to a highly sophisticated method where cybercriminals target people to access private data.
Let’s take a trip down memory lane to the 1990s, when we would have first added a new word to our vocabulary: phishing. In fact, in the days before we were inundated with an overflowing inbox, I’m sure many will remember receiving random emails promising us brighter days ahead through an inheritance from an unknown person or a lottery. I’m also sure that many unsuspecting victims, amid the joy and delight, clicked on the link with that belief, and the next minute, the dreaded blue screen emerged. The antivirus software was not too sophisticated to handle such issues back then.
Phishing has truly gone from a simple hacking tool to a highly sophisticated method with a clear line of action where cybercriminals target people to access private information and data. Spear phishing, smishing, vishing, angler phishing, whaling attacks…the world has seen it all. In fact, it has become the infamous doorway to ransomware and other major breaches.
Anti-Phishing Working Group (APWG) defines phishing as a crime that uses a combination of both social engineering and technical deception to target unsuspecting individuals to steal personal identity data and financial account credentials. The commonly used technique is a phishing email where the victim has decided to click on a link that resembles a legitimate site, whereas it is a malicious site in disguise. Entering in sensitive data like a username or password or unintentionally opening an attached file immediately downloads malware that infects their systems.
That’s what a sophisticated phishing attack looks like: it’s impersonation at its best.Impact on cost
When we reflect on the cost of a typical phishing incident that companies must bear, it is a massive figure to comprehend. According to the Ponemon 2021 Cost of Phishing Study, the average annual loss due to phishing attacks is $14.8m, indicating a near quadrupling since 2015. In general, business email compromise (BEC) and ransomware attacks are the most common phishing threats, often with disastrous consequences: loss of employee productivity, financial disruption, considerable downtime, and not to forget the costs of resolving the malware infection.
Read: Phishing attacks cost US businesses $14.8m annually: Ponemon Institute
Moreover, according to Proofpoint’s 2022 State of the Phish Report, 83 per cent of global survey respondents said their organisation experienced at least one successful email-based phishing attack in 2021, a 46 per cent increase over 2020. Around 78 per cent of global organisations witnessed a stream of email-based ransomware attacks in 2021, while 77 per cent faced BEC attacks.
Proofpoint’s report shows that email remains the number one threat vector. It is evident that cybercriminals know the medium for manipulation: the people. Gaining access to systems through technical vulnerabilities is no longer their focus.
Creating awareness
So, the way to fight back is by training employees to be aware and recognise a phishing attack when they encounter one. It could be as simple as incorporating a real-time simulation of phishing threats to demonstrate to employees how sophisticated phishing attacks work. Investing in a strong security awareness programme for the benefit of employees will equip them to make better decisions about surfing the web, clicking links in their emails, or accessing social media platforms responsibly.
Once employees understand how cybercriminals use phishing to their advantage, then it motivates them to improve their cyber hygiene and reduce security risks associated with their actions. At the end of the day, it’s all about encouraging behavioural changes in the organisation when it comes to responding to cyber threats so that employees are empowered to become a critical part of the organisation’s security roadmap and its first line of defence.
Offering cybersecurity training to employees also eliminates silos that are rampant in organisations, and so IT and HR functions must work together to drive such education programmes, create awareness and communicate to the employees efficiently. After all, if employees are aware of the social engineering tactics that cybercriminals utilise (from malware to spam and zero-day attacks), then they will learn and know how to take all precautionary measures to prevent falling victim to impersonated domains, senders and websites. The organisation will then avoid the several pitfalls associated with these attacks.
The writing is on the wall: phishing attacks, ransomware and other cyber threats will continue. Service-centric business evolution combined with a people-centric approach to combat increasingly sophisticated phishing and ransomware tactics is our course to remediation. Instead of allowing complacency to set in, let us be vigilant in striking the right balance between people, technology and processes. Therein lies our weapon against phishing.
The writer is the CTO at Help AG, the cybersecurity arm of e& enterprise (part of e&)
This article was initially published here.