In the past year, when work was mainly done from home, crime also shifted from offline to online. More and more organisations became victims of ransomware and hacks. This is also reflected in the increase in the number of reported data breaches caused by social engineering, mainly phishing.
What is Phishing
Phishing is a form of scam in which a malicious person pretends to be a person or organisation with the aim of stealing (sensitive) data from individuals or organisations, or of gaining access to a system. Year after year, an increase in the number of phishing emails is observed. In addition, phishing emails are becoming more and more realistic, so that they are sometimes almost indistinguishable from genuine ones. In short, phishing is becoming more and more professional.
Phishing has two types:
Spear phishing is a type in which a malicious person carefully chooses a target and collects information about that target before the phishing attack is carried out. The malicious person focuses on one person or department of an organisation and creates a scenario for the phishing email that is specifically aimed at that organisation or person. Think, for example, of CEO fraud, in which a malicious person pretends to be the director of the company and requests that money be transferred as quickly as possible.
The second type is the general phishing email, in which no specific target is chosen and the same email is sent to a large group of recipients. Everyone knows these types of emails, which appear to come from, for example, banks, the government and webshops.
Within these two types of phishing, there are several forms of phishing, namely:
– Phishing via email: the most well-known form of phishing, an email with a link or attachment through which login details are harvested, or ransomware is downloaded onto the computer.
– Smishing: phishing via SMS. The malicious person mainly focuses on obtaining login details or money.
– Vishing: vishing stands for voice phishing, or fishing for data over the phone. In this case, a malicious person pretends to be someone else over the phone and tries to find out (sensitive) information about the target.
– WhatsApp phishing: this form is increasingly on the rise. It is mainly used to phish individuals and steal money by pretending to be a family member. However, there are already known cases where the malicious person tries to get into an organisation's app groups to steal information through these groups.
The reason phishing is so popular is that it is successful and profitable. People make mistakes and can be manipulated, and malicious people are only too happy to take advantage of this. In addition, it is scalable: phishing emails can be sent in large numbers at once to people around the world. That raises another important point. Phishing emails can not only be sent to anyone around the world, they can also be sent from anywhere in the world. Malicious people therefore do everything remotely, because the risk of being caught is much smaller. With various technical tools, mails can be sent from America while the malicious person is actually in Australia.
Consequences of Phishing
The consequences of a phishing attack can vary. Malicious parties can focus on stealing data and then reselling it. The buyers further misuse the data, for example for identity fraud or new phishing attacks. Or the focus is on gaining access to the target's system, searching the organisation's network for the most valuable information (the crown jewels) and then "taking it hostage" with ransomware. As a result, the organisation no longer has access to this information unless payment is made. Whatever type or form the malicious person chooses, the consequences for an organisation can be enormous and are therefore unpredictable. In addition to reputational damage and possibly significant financial consequences, it often concerns information about, for example, the organisation's customers. As a result, an attack can cause damage not only to the organisation but also to the affected customers.
How to prevent Phishing
Preventing an organisation from ever becoming a victim of phishing, a 100 percent elimination of phishing, is a pipe dream. What is possible is to reduce the chance of an incident occurring and the severity of its consequences. Think of taking organisational measures (procedures, guidelines, processes) and technical measures (multi-factor authentication, authorisations, network segmentation, spam filters). These reduce both the risk that the organisation falls victim to a phishing attack and the consequences if it does. In addition, awareness is an important part. Once employees are aware of phishing and can recognise and report it, the organisation can act on it. Creating awareness can be done in different ways, and it is essential that this is done continuously. This combination of awareness, technical measures and organisational measures makes an organisation resistant to phishing attacks.
Audittrail is an audit and advisory organisation in the field of security, privacy and GRC. Audittrail supports organisations in setting up awareness programmes and offers organisations insight into the awareness level of their employees. Are you interested in how your organisation responds to a phishing email, or do you have questions about this article? Let us know via firstname.lastname@example.org or through + 31 71 747 17 17