Phishing is the practice of gaining fraudulent access to computer systems, personal or sensitive information, or organizational funds by tricking victims into clicking deceptive links that download malware, or into visiting fraudulent websites that harvest their credentials. Phishing can be carried out over social media or text messages, but it is most commonly conducted by email. Modern infrastructure makes it trivial to send millions of messages a day, which makes phishing a favourite tool of cyber criminals. The weakness is obvious: with such a volume of daily electronic communication, a fraudulent message is easy to slip in.
Phishing emails target organizations of every size and type. You may be hit by a mass campaign (with the attacker looking to harvest passwords or make some easy money), or the email may be the first step in a targeted attack against your company that aims at something more specific, such as the theft of sensitive data.
In a targeted campaign the attacker uses information about your employees or company to make the messages more persuasive and realistic. This is usually referred to as spear phishing. Criminals mine social media and your own website to learn about the organization, the format of your email addresses, and the particular tasks carried out by the department or individual they target. They use this information to craft messages that look routine and credible, for example by posing as your HR or IT representative or as one of your suppliers.
New hires, who still lack confidence and knowledge of their role and the organization, are particularly vulnerable, as are client-facing teams: public relations, customer service, sales and administrators. Clicking a fraudulent link or opening an attachment can infect the corporate network with malware, which can in turn lead to data breaches, loss of customer data, intellectual property theft and reputational damage.
To avoid spear phishing, do not click links or open attachments in emails from senders you do not recognize. Bear in mind that a spear phishing email is designed to look like it comes from someone you do recognize, so a familiar name is not proof of anything. If in doubt, verify the request out of band: call the alleged sender on a number you already have (from the company directory, not from the email itself) to confirm that the message is genuine.
A sub-category of spear phishing is whaling, which, as the name suggests, targets senior executives. Whaling is designed to get the victim to perform a secondary action, such as initiating a transfer of funds. The technique relies on social engineering rather than extensive technical knowledge; when it succeeds it can deliver large gains, which makes it one of the biggest risks facing businesses. Financial institutions and payment services are the most heavily targeted, but every organization should be prepared for this threat.
The email used in whaling is far more sophisticated and is tailored to the particular executive: it is crafted with a good understanding of the business tone, includes personalized details, and carries a sense of urgency. The message may ask the executive to transfer funds to the attacker's bank account, to click a link to a site that delivers malware, or to hand over details about the business or another employee for use in a later stage of the attack.
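To make these indicators concrete, here is an added example (not part of the original article, and not Fencecycle's code) that inspects a raw email for the tell-tale signs of spear phishing and whaling described above: a lookalike sender domain, an executive's display name on an outside address, a Reply-To header that diverts replies elsewhere, and urgency or money-movement language in the body. The domain example.com, the executive directory and both sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions (constructed for this example): the defending organisation's
# own domain and a directory of executives whose names are worth impersonating.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Phrases typical of whaling and invoice-fraud pretexts.
URGENCY_TERMS = ("urgent", "immediately", "wire transfer", "confidential",
                 "before close of business")

# Character substitutions commonly used to register lookalike domains.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalise_domain(domain):
    """Fold common homoglyph tricks so 'examp1e.com' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def lookalike(domain, target=ORG_DOMAIN):
    """True when the domain is not the target but folds to it."""
    return domain.lower() != target and normalise_domain(domain) == target


def domain_of(address):
    return address.rpartition("@")[2].lower()


def analyse(raw_message):
    """Return a list of 'code: detail' findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # 1. Lookalike sender domain (examp1e.com instead of example.com).
    if lookalike(from_domain):
        findings.append(f"lookalike-domain: {from_domain} imitates {ORG_DOMAIN}")

    # 2. Display name of a known executive on an address that is not theirs.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"exec-impersonation: '{display_name}' sent from {from_addr}, "
                        f"directory says {expected}")

    # 3. Reply-To pointing somewhere other than the From domain, so replies
    #    reach the attacker even when the From address itself is spoofed.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"reply-to-mismatch: replies go to {reply_addr}")

    # 4. Urgency and money-movement language in the body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    hits = [t for t in URGENCY_TERMS if t in body]
    if len(hits) >= 2:
        findings.append(f"urgency-language: {', '.join(hits)}")

    return findings


# Constructed sample: a whaling attempt against the finance team.
WHALING_MAIL = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jane.doe.ceo@mail-relay.test>
To: finance@example.com
Subject: Urgent: supplier payment
Content-Type: text/plain; charset=utf-8

Hi, I need an urgent wire transfer of 48,000 EUR to the supplier below
before close of business. Keep this confidential until the deal closes.
Jane
"""

# Constructed sample: a routine internal message from the real executive.
ROUTINE_MAIL = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 summary
Content-Type: text/plain; charset=utf-8

Please send me the Q3 summary when it is ready. Thanks, Jane
"""

if __name__ == "__main__":
    for label, raw in (("whaling", WHALING_MAIL), ("routine", ROUTINE_MAIL)):
        print(label, analyse(raw) or ["no indicators"])
```

None of these checks is proof on its own; the point is that the whaling message trips all four while the genuine one trips none, which is the kind of scoring a mail gateway or a user-facing "report phishing" button can surface to the recipient.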
Another kind of attack on an organization is the watering hole attack, named after the way predators in the wild hunt their prey at water sources. Here the attackers use information about your organization to learn who you regularly interact with (such as suppliers or partners) and compromise those third-party websites so that they serve malware. The compromised site becomes a staging point: when someone from the actual target visits it, their machine is infected, typically through a drive-by download that exploits an unpatched browser or plugin.
Websites are usually compromised through unpatched vulnerabilities, so the best defence, both for the sites you run and for the machines that visit them, is to keep all software on the latest version and to apply patches promptly. Organizations should additionally monitor their websites and networks and block traffic when malicious content is detected.
To keep your organization safe, there are a few steps to follow:
Make it difficult for attackers to reach your users. Implement anti-spoofing controls (SPF, DKIM and DMARC records for your domains) so that your email addresses cannot be abused, and review your organization's website and social media to consider what information you are making available online.
Make cyber security meaningful to all your employees: help them understand the potential harms involved, as well as the benefits of cyber awareness for the organization and for their personal and family lives.
Help users identify and report suspected phishing emails. Fencecycle offers advanced tools for preventing targeted phishing attacks, including training, mock-phishing response practice and easy monitoring via a comprehensive dashboard. Start your free trial today, and do not hesitate to reach out for additional support and information on the range of available tools.
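As an added example (not from the original article and not Fencecycle's code), the following checks the anti-spoofing controls mentioned in the steps above: it evaluates a domain's SPF and DMARC TXT records and reports the weak settings that let an attacker send mail as your domain. DKIM is not checked here, since verifying it needs a signed message rather than a DNS record. The domain example.com, the include target _spf.example.net and the two DNS answer sets are constructed; in practice you would feed in the records returned by a DNS lookup.

```python
# Mechanisms and modifiers that each cost one of the ten DNS lookups SPF allows.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_findings(record):
    """Flag weak settings in one SPF TXT record (None when the domain has none)."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["spf-missing: no v=spf1 record, anyone can send as this domain"]
    findings = []
    all_qualifier = None
    lookups = 0
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?").lower()
        mechanism = body.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        if mechanism == "all":
            all_qualifier = qualifier
        elif mechanism in LOOKUP_TERMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("spf-no-all: no 'all' term, unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("spf-pass-all: '+all' authorises every host on the internet")
    elif all_qualifier == "~":
        findings.append("spf-softfail: '~all' only soft-fails forged mail, use '-all'")
    elif all_qualifier == "?":
        findings.append("spf-neutral: '?all' makes the record meaningless, use '-all'")
    if lookups > 10:
        findings.append(f"spf-too-many-lookups: {lookups} lookups, receivers return permerror above 10")
    return findings


def dmarc_findings(record):
    """Flag weak settings in one DMARC TXT record (None when the domain has none)."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["dmarc-missing: no _dmarc record, receivers have no policy to enforce"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    dmarc_policy = tags.get("p", "").lower()
    if dmarc_policy == "none":
        findings.append("dmarc-policy-none: p=none only monitors, spoofed mail is still delivered")
    elif dmarc_policy == "quarantine":
        findings.append("dmarc-policy-quarantine: spoofed mail still lands in spam folders, move to p=reject")
    elif dmarc_policy != "reject":
        findings.append(f"dmarc-policy-invalid: p={dmarc_policy!r}")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0  # an unparsable pct is treated as no enforcement at all
    if pct < 100:
        findings.append(f"dmarc-partial: pct={pct} leaves {100 - pct}% of spoofed mail unpoliced")
    if "rua" not in tags:
        findings.append("dmarc-no-reporting: no rua= address, you will not see who is spoofing you")
    return findings


def assess(domain, txt_records):
    """Evaluate a domain given a name -> [TXT strings] map (e.g. a DNS dump)."""
    def first(name, prefix):
        return next((r for r in txt_records.get(name, []) if r.lower().startswith(prefix)), None)
    spf = first(domain, "v=spf1")
    dmarc = first(f"_dmarc.{domain}", "v=dmarc1")
    return spf_findings(spf) + dmarc_findings(dmarc)


# Constructed DNS answers: the weak configuration many domains start with,
# and the hardened one to aim for. The names are placeholders for this example.
WEAK_DNS = {
    "example.com": ["site-verification=abc123", "v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}
HARDENED_DNS = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"],
}

if __name__ == "__main__":
    for label, dns in (("weak", WEAK_DNS), ("hardened", HARDENED_DNS)):
        print(label, assess("example.com", dns) or ["no findings"])
```

The usual path is to publish SPF with '-all' and DMARC with p=none plus a rua address first, read the aggregate reports to find every legitimate sender, and only then move to p=reject; leaving the record at p=none indefinitely gives the monitoring without the protection.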
Avoid cyber attacks on the organization by raising employee awareness of phishing attacks.