What are Phishing Threats?
You know how patiently a fisherman waits while luring unsuspecting fish with bait? That’s how cyber criminals patiently set traps online for unsuspecting people and organizations.
Phishing happens when an attacker poses as an insider or trusted entity and dupes a victim into clicking a malicious link sent via email, instant message or text message. This malicious link can lead to the installation of malware, a system frozen by ransomware, or access to sensitive information.
Unfortunately, a devastating 30% of phishing emails are clicked. Because phishing is such a huge business, it’s no surprise that cyber criminals are getting increasingly better at crafting messages that can deceive even the smartest and most aware people, who know better than to open certain emails. An attacker does this by creating fake company logos, using legitimate links to bypass email spam filters, or even addressing you with your personal information.
The effects of phishing attacks on individuals and organisations can be really devastating: they can lead to stolen funds, identity theft, unauthorised purchases and privileged access to secured company data.
Types of Phishing
Most of the time, attackers disguise themselves to look legitimate and trustworthy, using foreign characters to disguise URLs. Their common goal is one of the following:
- To get victims to hand over sensitive information such as usernames and passwords, using links and messages that resemble those of their banks.
- To get victims to download malware/ransomware. These attacks are usually ‘soft-targeted’ at specific employees, like HR managers, and can come in the form of a job application with an attached CV containing ransomware. Sources reveal that 93% of phishing emails contain ransomware attachments.
Spear Phishing
This happens when an attacker crafts a message for a specific individual. Imagine a fisherman aiming for one particular fish, as opposed to luring all kinds of fish with bait. Sometimes these targets are selected on LinkedIn, and fake emails are created to look like emails coming from co-workers. For example, a phisher can target a staff member in the finance department and pretend to be the manager requesting a large sum of money on short notice.
Whale Phishing
This type of phishing is usually aimed at CEOs, company board members and high-value targets who are vulnerable and often use their personal email addresses without encryption or protection. Though it might take time to gather enough information to trick a high-value target, such attacks can have surprisingly high pay-offs.
However, no matter how sophisticated these cyber criminals get at psychological manipulation, there are still a few tips and pointers on how you can avoid falling victim to such tricks!
- Trust your gut: If the email doesn’t sit right with you, or the message seems too good to be true, then it probably is. Listen to your instincts and delete the email.
- Check for spelling errors: Though cybercriminals are getting better with grammar, poorly written messages or poorly spelt URLs are usually an indicator of something illegal.
- Be careful how you post your personal information (personal data, birthdays, holiday plans, phone number, email address, etc.) on social media.
- Make use of 2FA (two-factor authentication): Make sure your passwords are very strong and make use of two-factor authentication to protect your information. Employees should change their passwords regularly and not use the same passwords for all applications.
- Organisations should also educate employees because they are the most vulnerable and targeted.
- Make use of Sophos Phish Threat: Sophos Phish Threat will turn all your employees into an active line of defence against email phishing attacks. Your organization will gain greater visibility by reporting real behaviour at the inbox, and employees will receive instant feedback when reporting phishing simulations. You will also gain comprehensive reports on your company’s security health and a good return on investment.
- Find out what they’re asking for: Most times, phishing emails put you under pressure and lie to you about an account breach, payment failure or similar problem that supposedly requires you to give up information like bank login details. Don’t blindly click on a link that asks you to “verify your account”; instead, pause and think. First verify that the URL is legitimate and that it came from the stated source.
- Research for Cybersquatting: Cybersquatting is when criminals build fake websites that mirror the originals, aside from minor misspellings here and there. Always confirm and do some research online to make sure you’re responding to the right company on the right website page.
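The URL checks described in the tips above (foreign characters, misspelt domains) can be automated before a link is trusted. The following is an added example, not part of the original post or of any Sophos product; the trusted domains and the names `check_url` and `edit_distance` are made up for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example; use the domains your organisation really deals with.
TRUSTED = ("example-bank.com", "example-hr.com")

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url, trusted=TRUSTED, max_edits=2):
    """Classify the host of a link against the trusted list."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    labels = host.split(".")
    # Foreign (non-ASCII) characters, or their punycode form, can imitate Latin letters.
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "foreign-characters"
    # Assumption: the registrable domain is the last two labels. Production code
    # should use the Public Suffix List (e.g. for .co.uk).
    domain = ".".join(labels[-2:])
    if domain in trusted:
        return "trusted"
    for t in trusted:
        # Near-miss spelling of a trusted domain (cybersquatting / typosquatting).
        if edit_distance(domain, t) <= max_edits:
            return "lookalike:" + t
    for t in trusted:
        # Trusted name used only as a prefix of somebody else's domain.
        if (t + ".") in (host + "."):
            return "embedded:" + t
    return "unknown"
```

A result of "unknown" only means the host matched none of the checks; it is not a verdict that the link is safe.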
If you’ve made it this far, well done! Click here for your free access to a 30-day trial of Sophos Phish Threat:
You can also send an email to marketing@ha-shem.com to book an employee training session with us on Phish Threat or if you’d like to learn more on how to protect your company with Sophos Phish Threat protection!