“Phishing” is a term dating back to 1995, but the practice did not become widespread in the online environment until years later. Today it has become a big problem for both individuals and businesses. Every organization should understand this cyberthreat and put preventative solutions in place to protect itself from inadvertently handing its valuable data over to cybercriminals.
What is ‘phishing’?
“Phishing” is a scheme likened to “fishing” because the practice essentially means “to fish” for information with the intention of exploiting it for financial gain or committing identity theft. “Phishermen,” the cybercriminals looking to exploit information, create scams that rely heavily on social engineering tricks to fool people and convince them of legitimacy. These scammers pretend to represent organizations such as banks, government agencies, internet providers (or other utilities), retailers, and online networks or services.
How phishermen operate
Phishermen typically play on sympathies or use other convincing tactics to get people to voluntarily divulge information. Targets can be specific (“spear phishing”) or not, casting a “blanket net” to see who gets snared. Unlike phishing, social engineering tricks have been around forever. However, phishing expeditions rely heavily on classic social engineering ruses. Scammers often use spoofed websites and email addresses to bait people into sharing information or downloading malicious software that captures data. Common details sought include:
- Secret question answers
- Social Security Numbers
- Bank or credit card information
- Customer names, emails, addresses, and phone numbers
Businesses are often intentionally targeted because of the vast amount of data flowing through their network. Early phishing attempts were pretty easy to spot in digital environments, but modern scams are much more sophisticated and difficult to detect.
Why companies need to safeguard themselves from phishing
It is bad enough worrying about employees clicking on links in business-related (or personal) emails that lead them to spoofed websites; however, phishermen have kicked things up a notch. The biggest threats for 2019 include attacks through SaaS credentials, messaging apps, and shared files. Companies cannot afford to ignore phishing threats because of the serious consequences associated with these attacks. These consequences include:
- Financial loss. Phishermen often target financial accounts or use ransomware tactics to siphon money from businesses.
- Data breaches. Breaches are costly on many levels, including regulatory fines, direct costs (e.g. damaged equipment or networks), and other residual effects.
- Damage to brand reputation. Once a company has been exploited, its brand is tarnished. This can have a negative effect on their ability to maintain a loyal client base or attract new customers.
The effects of a phishing attack can be devastating. By putting preventative measures in place, businesses can better position themselves and avoid becoming victimized.
How to protect against phishing attacks
Implementing effective organizational practices and initiating employee education regarding best security practices, along with protective software and professional monitoring, can go a long way towards safeguarding a business. Recognizing what to look for helps reduce the risk of falling victim.
- Beware of spoofs. Organization members should learn how to recognize scams, such as phony forms, falsified emails, and fake websites. Always check URLs, do not click on links in email, and be suspicious of unexpected login prompts. Keep in mind, some of these spoofs look very authentic.
- Be wary of direct contact. Some scammers go old school and simply pick up the phone to try to extract details that help them obtain the credentials needed to commit their crime. Others use instant messaging. Still others walk into a busy facility and try to exploit the hectic environment by getting people to divulge information while they are distracted. All approaches usually involve friendly interactions intended to gain trust.
- Use good password practices. Optimize passwords against specified criteria (e.g. avoid ABCD123-style passwords, or worse, default passwords), never reuse or share the same passwords, and use password managers.
- Employ secondary authentication. SMS, authentication apps, or hardware tokens will all help prevent phishing.
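The “always check URLs” advice above can be turned into a mechanical check that a mail gateway or a security-awareness tool can run over the links in an incoming message. The following is an added example, not code from the original post or from Verticomm; it assumes a constructed list of (link text, href) pairs already extracted from an email body, and a constructed allow-list of the brands and domains an organization expects its staff to log in to. It flags the features that routinely distinguish spoofed links from genuine ones: a brand name appearing under a different registrable domain, credentials or an `@` placed before the real host, a raw IP address as host, punycode (IDN) host labels, plain HTTP login links, and link text that shows one site while the href points to another.

```python
"""Defender-side triage of links found in an email body.

Added example (not from the original post). Inputs are constructed; the
registrable-domain helper is deliberately crude (last two labels) and real
deployments should use the Public Suffix List instead.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed allow-list: brand keyword -> the one registrable domain that
# legitimately hosts that brand's login pages.
EXPECTED_BRANDS = {"examplebank": "examplebank.com"}


def registrable_domain(host):
    """Crude eTLD+1: the last two DNS labels of the host."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    """True if the host part of the URL is an IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_link(text, href):
    """Return a list of human-readable findings for one (link text, href) pair.

    An empty list means nothing suspicious was detected, which is not the same
    as the link being safe; this is a triage heuristic, not a verdict.
    """
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    reg = registrable_domain(host)

    if parsed.scheme not in ("http", "https"):
        findings.append("unusual scheme: %r" % parsed.scheme)
    elif parsed.scheme == "http":
        findings.append("plain http link (credentials would travel unencrypted)")

    # "https://examplebank.com@198.51.100.7/" -> the real host is after the @
    if parsed.username is not None or parsed.password is not None:
        findings.append("credentials or @ before the host; real host is %s" % host)

    if is_ip_literal(host):
        findings.append("raw IP address as host")

    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) host label; may be a homoglyph domain")

    # Brand keyword present, but the registrable domain is not the genuine one.
    for brand, genuine in EXPECTED_BRANDS.items():
        if brand in host and reg != genuine:
            findings.append("brand %r used outside its real domain (%s)" % (brand, reg))

    # Link text that looks like a URL but whose host differs from the href host.
    if text.startswith(("http://", "https://", "www.")):
        shown_url = text if "://" in text else "https://" + text
        shown_host = urlparse(shown_url).hostname or ""
        if registrable_domain(shown_host) != reg:
            findings.append("text shows %s but href goes to %s" % (shown_host, host))

    return findings


def triage_email(links):
    """Map each href to its findings, keeping only links with at least one."""
    return {href: triage_link(text, href) for text, href in links
            if triage_link(text, href)}


# Constructed sample links, as they might be extracted from one message.
SAMPLE_LINKS = [
    ("Sign in to Example Bank", "https://online.examplebank.com/login"),
    ("https://examplebank.com/verify",
     "https://examplebank.com.account-check.example/verify"),
    ("Reset your password", "http://examplebank.com@198.51.100.7/reset"),
    ("Secure portal", "https://xn--exmplebank-4wb.com/"),
]

if __name__ == "__main__":
    for href, findings in triage_email(SAMPLE_LINKS).items():
        print(href)
        for f in findings:
            print("   -", f)
```

Only the first sample link, a real subdomain of the expected domain, comes back clean; the other three each trip one or more checks. A gateway would typically quarantine or rewrite links with findings and let the clean ones through, while an awareness tool would show the findings to the user as the reason a prompt looks suspicious.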
Additionally, companies should employ real-time analysis to inspect web traffic. If you do not have the internal resources available, hiring an expert third-party vendor can help you better secure your digital assets. To learn more about protecting your company from cyberthreats, such as phishing, contact the cybersecurity experts at Verticomm today.