As part of Cyber Awareness Month 2021, we are dedicating a week of October to the topic of Phishing Attacks. This week we are sharing key stats and facts regarding phishing attacks and how you can protect yourself and your organisation from the damage they cause. Here we answer frequently asked questions regarding phishing attacks:
What are phishing attacks?
Phishing attacks occur when cyber criminals posing as an individual or organisation send fake messages that appear to come from a trusted source. They are designed to encourage victims ‘to act’ without realising they are being duped, e.g. click on a malicious link, visit a ‘fake’ website, open a dodgy document, or download software onto a device. Verizon’s data breach report stated that 43% of security breaches involve phishing.
What are vishing and smishing attacks?
Vishing, short for voice phishing, is a form of phishing in which cyber criminals use telephony to conduct the attack. During a vishing phone call, a scammer aims to get you to share personal information and financial details, such as account numbers and passwords. Smishing is another form of phishing whereby cyber criminals send text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers.
What is the difference between spam and phishing?
Spam is junk or unsolicited email or texts. Spam doesn’t tend to request sensitive or confidential information; rather, it will attempt to sell you an item, service, or subscription.
Who is at risk of phishing attacks?
Every day, 3.4 billion phishing emails are sent out worldwide (source: Valimail). So, put simply, everyone is at risk. No individual or organisation is immune. Proofpoint’s State of the Phish report stated that 75% of organisations around the world experienced some kind of phishing attack in 2020.
Are certain industries more at risk?
KnowBe4’s Phishing By Industry Report outlined that industry risk varies by organisation size:
Do phishing attacks just come via email?
No. Whilst email is the top attack vector for criminals with 96% of phishing attacks arriving by email (source: Verizon’s 2021 Data Breach Investigations Report (DBIR)), phone, texts, instant messaging, social media profiles all provide an opportunity for cyber criminals too. According to Wandera’s 2020 Mobile Threat Landscape Report, 57% of organisations reported mobile phishing attacks, and 87% of phishing attacks on mobile devices use messaging, gaming, and social media apps as avenues of attack.
What is the purpose of phishing attacks?
The prime objectives of phishing attacks are to steal sensitive personal information such as login information and credit card details. According to Verizon’s 2021 Data Breach Investigations Report (DBIR), ‘credential’ data is the top type of data compromised in a phishing attack, followed by personal data such as name, address and email, and then medical data such as treatment information and insurance claims. Furthermore, Cofense reports that over 50% of phish reported by end users are credential phish. Once attackers have your credentials they can go on to steal money from bank accounts, purchase gift items, open new accounts, run up spend on credit cards, sign up for payment plans, etc. One recent scam involves purchasing mobile phones and then using your login details to divert the delivery address and tracking data. Attackers are also looking to steal corporate assets such as intellectual property, research data, customer data and HR information, plus infect devices with malicious software that will damage your device or network.
What are the main dangers of phishing attacks?
Phishing attacks are just the tip of the cyber security iceberg. The vast majority of cyber security breaches start with a simple phishing attack. Once an attacker knows that you are ‘vulnerable’ i.e. not adequately aware or protected, then they will attack multiple times, and even pass your details onto other cyber criminals. Many advanced cyber security attacks, such as ransomware demands, start with a phishing attack.
Are phishing attacks getting more sophisticated?
Definitely. CEO fraud and impersonation tactics are extremely sophisticated. Business email compromise (or BEC) is a form of phishing attack where a criminal attempts to trick a senior executive (or budget holder) into transferring funds, or revealing sensitive information. Unlike standard phishing emails that are sent out indiscriminately to millions of people, BEC attacks are crafted to appeal to specific individuals, and can be even harder to detect. Typically, the attacker pretends to be your CEO. They send convincing-looking emails that might request unusual payments, or contain links to ‘dodgy’ websites, known as phishing websites, the number of which increased 27% over 2020 according to Google Safe Browsing statistics. The fake message usually describes a very urgent situation to minimise scrutiny and scepticism.
Symantec’s 2019 Internet Security Threat Report (ISTR) shared that the top five subject lines for business email compromise (BEC) attacks are:
Why are phishing attacks successful?
Phishing is usually successful due to two factors: low awareness and a lack of technology to detect and block phishing attempts. Terranova Security’s 2020 Gone Phishing Tournament report states that almost 20% of all employees are likely to click on phishing email links and 67.5% go on to enter their credentials on a phishing website.
Will antivirus and firewall software provide protection?
Yes, as a first line of defence. Filtering software such as anti-virus, email gateways, and firewalls can reduce, but not fully eliminate, the risk of phishing, and it is a critical component of a larger cyber security strategy. As cyber criminals become more sophisticated and network traffic becomes more complex as a result of advances in operational technology, connected devices, applications, and multi-location users, the risks of modern cyber attacks are increasing, and your company will require more advanced protection from the most recent threats.
What does advanced email security do?
As 96% of cyber attacks start with an email, managing your email protection is critical; however, it can be complex and costly. Our email solutions offer comprehensive filtering (anti-spam, anti-phishing, and anti-malware protection) to detect, identify and remove threats circulating via email. Delivered in a flexible way, hybrid solutions are tailored to meet the needs of your business and the ever-changing attack landscape.
What firewall solution provides the best protection against phishing attacks?
A firewall prevents untrusted and unauthorised programs from gaining access to your network. They work by monitoring and filtering your systems, acting as a barrier to incoming threats. You will need a firewall solution that meets the demands of today’s dynamic network environments and emerging threat landscape. Check out our blog post about next generation firewalls which provide superior protection using advanced techniques and technology to address evolving and complex threats. Security policies, maintenance and updates are critical. Many organisations outsource their firewall protection to an MSSP (Managed Security Services Provider) who then takes care of the operational side of firewall management.
If an attack does get past a firewall, how can you identify a phishing attack?
- Poor spelling and grammar
- The sender details are not genuine
- The message contains links that aren’t genuine
- The content is too good to be true
- Unsolicited contact, where you receive a message out of the blue
- Unnecessary urgency is another warning signal
For more detailed information take a look at a recent blog post about how to identify phishing attacks.
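To turn three of the warning signs above into something an analyst or a mail-filter rule can check mechanically, here is an added example (not code from the original post or its author) that inspects one raw email for a Reply-To domain that differs from the From domain, link text naming a host other than the one the link really points to, and urgency phrases in the subject or body. It assumes a single-part message with an HTML body; the sender, subject and `.example` domains in the sample are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY_PHRASES = ("urgent", "immediately", "action required", "within 24 hours", "suspended")
# Simple anchor pattern; enough for the constructed HTML below, not a full HTML parser
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTNAME = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")

def domain_of(header_value: str) -> str:
    """Domain part of an address header ('' when the header is absent)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def phishing_indicators(raw_message: str) -> list[str]:
    """Return which of the page's warning signs appear in one single-part email."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # assumption: single-part message, so the payload is a str
    found = []
    # Sender details not genuine: replies are routed to a domain other than the From domain
    from_dom, reply_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        found.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    # Links not genuine: the visible text names one host but the href points at another
    for href, text in ANCHOR.findall(body):
        shown = HOSTNAME.search(text.lower())
        real_host = urlparse(href).hostname or ""
        if shown and not real_host.endswith(shown.group(0)):
            found.append(f"link text shows {shown.group(0)} but points to {real_host}")
    # Unnecessary urgency in the subject line or body
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [phrase for phrase in URGENCY_PHRASES if phrase in haystack]
    if hits:
        found.append("urgency language: " + ", ".join(hits))
    return found

# Constructed sample (not a real message); the .example domains are placeholders
SAMPLE = """From: "Microsoft 365" <alerts@contoso-billing.example>
Reply-To: recover@mailbox-reset.example
Subject: Action required: your subscription will be suspended
Content-Type: text/html

<p>Your payment was declined. Sign in at <a href="http://login.mailbox-reset.example/x">account.microsoft.com</a> immediately.</p>
"""

if __name__ == "__main__":
    for indicator in phishing_indicators(SAMPLE):
        print("-", indicator)
```

Poor spelling, too-good-to-be-true content and unsolicited contact still need a human (or a trained model) to judge, which is why training remains part of the answer below.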
Does the subject line give it away?
Attackers use emotive subject lines to instil a sense of urgency and importance. According to KnowBe4, the most common subject lines to phishing emails in Q4 of 2020 were:
- Changes to your health benefits
- Twitter: Security alert: new or unusual Twitter login
- Amazon: Action Required | Your Amazon Prime Membership has been declined
- Zoom: Scheduled Meeting Error
- Google Pay: Payment sent
- Stimulus Cancellation Request Approved
- Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription
- RingCentral is coming!
- Workday: Reminder: Important Security Upgrade Required
Sophisticated attacks can often imitate a trusted brand, which brands are the most impersonated?
Check Point’s Brand Phishing Report found the brands below to be the most impersonated brands used in phishing attacks throughout Q4 2020:
- Microsoft (related to 43% of all brand phishing attempts globally)
- DHL (18%)
- LinkedIn (6%)
- Amazon (5%)
- Rakuten (4%)
- IKEA (3%)
- Google (2%)
- Paypal (2%)
- Chase (2%)
- Yahoo (1%)
What other cyber security strategies further protect against phishing attacks?
Considering the huge quantity of phishing attacks in circulation at any one time, the percentage of phishing emails that do get through to inboxes is significant. And it only takes one person to click on one link or download one attachment to cause financial havoc or to compromise your entire organisation.
A multifaceted approach to cyber security is required to protect your organisation. In addition to managed email security and managed firewall services we recommend that your organisation also considers these 5 cyber strategies:
- Phishing exposure assessment: With the rise in phishing and cyber fraud, as well as the high costs of ransomware and business email compromise, there is a growing need to assess your company’s vulnerability to social engineering attacks. A Phishing Exposure Assessment safely simulates phishing attacks to test your employees’ security awareness and evaluate the ability of your network security infrastructure to protect from cyber attacks.
- Training: Our cyber security training partner Cyber Risk Aware reports that over 90% of security incidents are caused by lack of staff awareness, so cyber training is an essential tool in spotting and stopping phishing attacks. Being more alert to suspicious emails, texts and calls can make the difference in keeping you secure. Recent research claims that nearly 38% of users who do not receive cyber awareness training fail phishing tests (source: 2020 Phishing By Industry Benchmarking Report by KnowBe4). So, with attacks becoming ever more sophisticated, it’s important that you keep training up to date to include emerging threats.
- Data Loss Prevention: Is your business protecting its crown jewels, its mission critical and high value assets? Do you know what they are? A Crown Jewels assessment can help to identify them, and our Managed Data Loss Prevention service is a proven way to protect them.
- Endpoint Protection: Endpoints are any internet connected device – such as personal computers, servers, smartphones, and tablets – and are vulnerable to a wide range of constantly evolving threats. With the rise in IoT, connected environments and smart technology, endpoint devices will be attacked if they are not adequately protected. Our Managed Endpoint Detection and Response (EDR) service extends visibility into endpoints to provide advanced threat hunting and detection across your entire network.
- Incident Response Planning: No network, system, or software is ever 100% secure. Cyber criminals are typically one step ahead. Zero-day attacks happen: these are attacks that exploit software weaknesses the vendor or developer is unaware of, so the flaw is exploited before developers have a chance to address it. A quick and efficient response to an attack on your network can save an untold amount of time, money and staff hours. Infosec Partners offers a Cyber Incident Response Planning Service to help you optimise your incident response plan, coordinate an incident response team and determine the source, cause and extent of a computer security breach quickly, as well as a fully managed incident response service.
Cyber security is very complex and time consuming, can we outsource it?
Yes. A Managed Security Services Provider (MSSP) collaborates with your company to protect, detect, and respond to security incidents affecting your systems, employees, data, and critical assets. A good MSSP will offer a full range of services, including cyber-consultancy and managed cyber-security. They will assess your risks and advise you on what your company requires, as well as work with you to implement and, if needed, manage cyber security solutions. Read here for more information on what an MSSP does and why you need one.
What are the benefits of outsourcing to an MSSP?
Can you afford not to work with an MSSP? When you look at how much they can save your organisation in the event of a cyber security breach, it’s definitely money well spent.