In today’s digital world, we all live our lives online.
It’s convenient to whip out our smartphone to check the football scores and order a takeaway through an app. It’s just as easy to subscribe to a product or apply for a mortgage. Convenience is what the internet has given us, but this isn’t without its risks.
On an organisational level, cyber-attacks are a constant threat to the ongoing health and success of a business. However, not all attacks are created equal.
So, what is the most successful cyber-attack method?
According to analysis from Verizon, phishing is by far the most successful attack method, occurring in 90% of all successful attacks. But what is phishing?
Phishing is an online scam where criminals send out bogus emails. These emails appear to be from legitimate sources and can be very convincing if you don't know what you're looking for. This is where the problem lies.
Phishing aims to trick you into giving up sensitive information or into infecting your computer with malware. The most common payload is ransomware, which locks your computer and demands payment to restore access. The second most common is a Trojan horse, which can spy on you and give an attacker backdoor access to your system.
Organisations of all sizes are at a very high risk of phishing, simply because virtually every employee now has access to email. All it takes is one click of a dodgy link in an email to infect a computer or give access to confidential information.
Phishing is the most successful type of cyber-attack because it preys on proven psychological principles.
Cybercriminals use numerous methods to encourage clicks. Typically, however, you'll notice two common levers in use: benefits (a reward or opportunity) and threats (a penalty or loss). Our independent analysis has found that phishing success rates can hit 94% when the right psychological elements are in play.
When a business falls victim to phishing, it’s often because of a lack of phishing training. If your employees don’t know how to identify phishing emails, then it's only a matter of time before they fall victim to one.
Another form of phishing is spear phishing. This is when criminals send you a highly targeted scam email using information they hold about you. They could refer to you by name and job title to make the email appear even more convincing.
Spear phishing emails are usually targeted at high-profile people: CEOs, managing directors, chief engineers and so on. No one is immune to a phishing scam. The emails sent out can be very convincing and fool even the most internet-savvy people.
Email providers do protect you to some extent, but they cannot block and filter out all phishing emails. There are public spam and open relay blacklists, but these don’t cover everything. IP addresses and domain names can be blocked, but new ones pop up. Keeping block lists current against this churn is impossible because it happens so fast.
In fact, research has found that 75% of phishing emails make it through email filters, highlighting the issues that providers face.
It’s better to take matters into your own hands. The most effective way to protect your inbox from phishing emails is with a Secure Email Gateway. We’ll touch on this more below.
Phishing is a simple scam that requires three layers of response:
Phishing training should form the core of your protection against attacks. More than just courses and articles, however, training should include simulated phishing training exercises to give employees hands-on experience of avoiding scams.
By educating employees on how to spot phishing emails, you enable them to protect your organisation from scams, ransomware, hackers and other nasties caused by phishing.
The easiest way to limit the number of phishing emails reaching employees is with a Secure Email Gateway - software that monitors emails with advanced spam filtering. SEGs quarantine or block suspect emails automatically.
If you want to stop your domain from becoming a resource for attackers, it’s important to remember that phishing emails are only really convincing when the sender address attached to them is near-identical to, or spoofs, your own. The anti-spoofing controls SPF, DKIM and DMARC will help secure your organisation’s domains against spoofing.
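As an added example, not from the original article, the script below parses the two of these controls that live entirely in DNS TXT records, SPF (which lists the hosts allowed to send mail for a domain) and DMARC (which tells receivers what to do when SPF or DKIM fails and where to send reports), and flags settings that leave a domain open to spoofing. DKIM is not checked here because verifying it needs a signed message and the published key. The domain names and records are constructed samples; in practice you would fetch the domain's TXT record and the `_dmarc.<domain>` TXT record from DNS and feed them to `assess_domain`.

```python
"""Offline SPF/DMARC record checker (added example, not the article's own code)."""

# Constructed sample records for hypothetical domains; not real DNS data.
SAMPLE_RECORDS = {
    "weak.test": {
        "spf": "v=spf1 +all",
        "dmarc": "v=DMARC1; p=none",
    },
    "good.test": {
        "spf": "v=spf1 include:_spf.mailprovider.test ip4:203.0.113.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@good.test; pct=100",
    },
    "missing.test": {},  # domain publishes neither record
}


def parse_spf(record):
    """Return (mechanisms, all_qualifier) for an SPF record, or None if it is not SPF.

    mechanisms is a list of (qualifier, term) pairs; all_qualifier is the
    qualifier in front of the final 'all' term ('+', '-', '~' or '?'), or None
    if the record has no 'all' term.
    """
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    mechanisms = []
    all_qualifier = None
    for term in parts[1:]:
        qualifier = "+"  # SPF default qualifier is pass
        if term and term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return mechanisms, all_qualifier


def parse_dmarc(record):
    """Return a dict of DMARC tag=value pairs, or None if the record is not DMARC."""
    tags = {}
    for item in record.split(";"):
        item = item.strip()
        if "=" not in item:
            continue
        key, value = item.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_domain(records):
    """Return a list of findings describing how exposed the domain is to spoofing."""
    findings = []

    spf = records.get("spf")
    if spf is None:
        findings.append("SPF: no record published; receivers cannot tell which hosts may send for this domain")
    else:
        parsed = parse_spf(spf)
        if parsed is None:
            findings.append("SPF: record does not start with v=spf1")
        else:
            _mechanisms, all_q = parsed
            if all_q == "+":
                findings.append("SPF: '+all' authorises every host on the internet to send as this domain")
            elif all_q is None:
                findings.append("SPF: no 'all' term, so unlisted senders are neither rejected nor soft-failed")
            elif all_q == "?":
                findings.append("SPF: '?all' is neutral and gives receivers no usable signal")

    dmarc = records.get("dmarc")
    if dmarc is None:
        findings.append("DMARC: no record published; SPF/DKIM failures carry no enforced policy")
    else:
        tags = parse_dmarc(dmarc)
        if tags is None:
            findings.append("DMARC: record is not a valid DMARC1 record")
        else:
            policy = tags.get("p", "").lower()
            if policy == "none":
                findings.append("DMARC: 'p=none' is monitoring only; spoofed mail is still delivered")
            elif policy not in ("quarantine", "reject"):
                findings.append("DMARC: missing or unrecognised 'p' tag")
            if "rua" not in tags:
                findings.append("DMARC: no 'rua' address, so you get no aggregate reports on who sends as your domain")
            if tags.get("pct", "100") != "100":
                findings.append("DMARC: 'pct' below 100 applies the policy to only a sample of failing mail")
    return findings


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(domain)
        for finding in assess_domain(records) or ["no issues found"]:
            print("  -", finding)
```

Run as a script it prints the findings per sample domain; `good.test` comes back clean, while `weak.test` is flagged for `+all`, `p=none` and the missing report address. The checks encode the usual hardening order: publish SPF ending in `-all` (or `~all` while you are still discovering legitimate senders), add a DMARC record with `rua=` so you see who is sending as your domain, then move `p=` from `none` to `quarantine` and finally `reject` once your own mail aligns.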
Alongside comprehensive phishing training, technological solutions are an important layer to consider to prevent malware infections.
Typically, the most dangerous form of malware from phishing is worms. Worms can not only infect local computers, but also the servers and networks connected to them.
Ransomware and Trojan horses, however, are the most common malware from phishing. In any case, these forms of malware can be caught by a good anti-malware program even if an employee accidentally clicks install. A little research into reputable anti-malware programs can prove invaluable in the event an employee does click.
Ready to discuss your phishing training needs? Get in touch with a member of our team today and learn how we can help.