The know-how of Phishing

If you have ever received an email or a link that looks almost, but not quite, like the ones you are used to getting, you have probably seen a phishing attempt. Phishing is a type of cyberattack in which targets receive messages that pretend to come from trusted entities and are designed to manipulate them into divulging sensitive information, such as access credentials. Malicious actors commonly use phishing together with other attacks, such as malware delivery, code injection, and network attacks.

Phishing attacks mainly come in five forms: email phishing, spear phishing, whaling, smishing and vishing, and angler phishing. Email phishing makes up the majority of phishing attacks: attackers register fake domain names that mimic trusted organizations and send thousands of generic requests to potential victims. Spear phishing is a more targeted form in which attackers already hold specific information about a potential victim, which makes the attempt far more convincing. Whaling is spear phishing aimed at senior management and other highly privileged roles. Smishing uses fraudulent SMS messages, while vishing is conducted over phone calls. Angler phishing uses fake social media accounts that mimic legitimate organizations and exploit customer grievances to draw traffic away from legitimate customer service channels.
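The "fake domain names mimicking trusted organizations" that email phishing relies on usually fall into a few recognizable patterns: punycode or Unicode homoglyphs (a Cyrillic "а" in place of a Latin "a"), digit and letter-pair substitutions ("examp1e", "exarnple"), one- or two-character typos, and the real brand buried in a subdomain of an attacker-controlled name. The following checker, added here as an illustration and not code from the original article, folds a candidate domain into a canonical form and classifies it against a brand list. The trusted domains, the confusables table and the sample inputs are constructed for the example; the registrable-domain helper is deliberately naive (last two labels) and a real deployment would consult the Public Suffix List.

```python
"""Added example (not from the original article): classify a domain seen in a
link or sender address against the brands an organization actually owns, to
catch the lookalike registrations used in email phishing. The trusted list,
confusables table and sample domains are constructed for illustration."""
import unicodedata

TRUSTED_DOMAINS = ["example.com", "examplebank.com"]   # assumption: the real brand domains

# Substitutions attackers rely on: letter pairs that render like one letter,
# digits for letters, and Cyrillic/Greek letters that look identical to Latin ones.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u03bf": "o",
}


def registrable(domain):
    """Naive registrable domain (last two labels). Real code should consult the
    Public Suffix List so that names like example.co.uk are handled."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def normalize(domain):
    """Fold a domain into a canonical form so visually identical names compare equal."""
    try:
        domain = domain.encode("ascii").decode("idna")   # expose xn-- (punycode) labels
    except UnicodeError:
        pass                                              # already Unicode, or malformed
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))  # drop accents
    for bad, good in CONFUSABLES.items():
        folded = folded.replace(bad, good)
    return folded


def levenshtein(a, b):
    """Edit distance; a small distance to a brand name indicates typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, matched_trusted_domain_or_None) for one host name."""
    reg = registrable(candidate)
    if reg in trusted:
        return "trusted", reg
    norm = normalize(reg)
    for t in trusted:                       # identical after folding: homoglyph attack
        if norm == normalize(t):
            return "homoglyph", t
    for t in trusted:                       # a character or two away: typosquat
        if levenshtein(norm, normalize(t)) <= max_distance:
            return "typosquat", t
    for t in trusted:                       # brand used as a subdomain or inside another name
        brand = t.split(".")[0]
        if brand in candidate.lower():
            return "brand-embedded", t
    return "unrelated", None


if __name__ == "__main__":
    # Constructed sample inputs covering each pattern.
    for host in ["mail.example.com", "ex\u0430mple.com", "examp1e.com",
                 "exarnple.com", "exmaple.com", "example.com.secure-login.net",
                 "unrelated.org"]:
        print(f"{host:35} -> {classify(host)}")
```

The edit-distance threshold is the knob to tune: a fixed distance of 2 is fine for a demonstration but will flag legitimately similar short names, so production systems usually scale it with the brand length or restrict it to known typo patterns (adjacent-key swaps, doubled letters).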

Malicious actors, in real life and in cyberspace alike, do not take holidays. As the adage goes, never let a crisis go to waste, and cybercriminals have taken this to heart. According to the Federal Bureau of Investigation, phishing incidents nearly doubled from 2019 to 2020, making phishing the most common type of cybercrime. In June 2021, amid the surge of the deadly COVID-19 Delta variant, there was also a notable increase in pandemic-themed phishing attacks built around timely COVID-related topics.

According to KnowBe4's 2021 Phishing by Industry Report, the sectors most at risk of phishing attacks among small organizations are Healthcare & Pharmaceuticals, Education, and Nonprofits. For medium-sized organizations, they are Hospitality, Energy & Utilities, and Healthcare & Pharmaceuticals. For large organizations, they are Energy & Utilities, Insurance, and Banking. In the same report, large legal and government organizations are the least Phish-prone.

The KnowBe4 report notes that nearly one in five (18%) Asia Pacific organizations were hit with seven or more cyberattacks in 2020. It also finds that continuously evolving security capabilities and security awareness training for employees and consumers have dramatically reduced the risk from phishing among organizations in the region.

The key to preventing phishing attacks on consumers and employees is knowing how to spot an attempt and consistently reporting attempts to management. Employees and consumers must stay vigilant: treat password reset emails with suspicion, pay attention to the language used in emails and other communications, and never share credentials. They must also know the official channels through which organizations handle their data and report any deviation from those channels. Organizations, for their part, must continuously educate their consumers and employees on which channels are official and how those channels look, sound, and feel.

At the organizational level, a comprehensive anti-phishing strategy is needed, built on a few critical measures that reduce exposure: continuous education on current phishing threats; a policy that requires and encourages reporting of phishing attempts; regular reminders of information security policies; adoption of, and continued adherence to, password security best practices; and automated anti-phishing solutions capable of identifying and blocking phishing attempts across all devices on the network.
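Most of the tells that employees are told to look for (a sender whose display name does not match its domain, replies routed to a third domain, a link whose visible text claims one site while pointing at another, and pressure language about passwords and deadlines) are mechanical enough for the "automated anti-phishing solutions" mentioned above to check on every inbound message. The script below is an added example, not code from the original article or from any product it mentions: it parses an RFC 5322 message with the Python standard library and reports each tell it finds. The trusted domain, the urgency word list and both sample messages are constructed for the example, and all domains used are the reserved example.com/.net/.org names.

```python
"""Added example (not from the original article): header and link heuristics
that flag the classic phishing tells. The trusted domain, the term list and
both sample messages below are constructed for illustration."""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"example.com"}            # assumption: the organization's real domain
URGENCY_TERMS = ("urgent", "immediately", "expire", "suspended", "password", "verify")

# Matches a URL or bare host name inside the visible text of a link.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def registrable(host):
    """Naive registrable domain (last two labels); real code should use the
    Public Suffix List so that names like example.co.uk are handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw):
    """Return a list of (finding, detail) tuples for one RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = registrable(addr.rpartition("@")[2])
    # 1. Display name drops a trusted brand, but the sending domain is not ours.
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    if any(b in name.lower() for b in brands) and from_dom not in TRUSTED_DOMAINS:
        findings.append(("display-name-mismatch", f"{name} <{addr}>"))

    # 2. Replies are routed to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply:
        reply_dom = registrable(reply.rpartition("@")[2])
        if reply_dom != from_dom:
            findings.append(("reply-to-mismatch", f"{from_dom} -> {reply_dom}"))

    # 3. Link text claims one host while the href points at another.
    # 4. Subject and body lean on urgency or credential language.
    text = msg.get("Subject", "")
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = (part.get_payload(decode=True) or b"").decode(
            part.get_content_charset() or "utf-8", "replace")
        text += "\n" + body
        if ctype == "text/html":
            collector = AnchorCollector()
            collector.feed(body)
            for href, label in collector.anchors:
                actual = urlsplit(href).hostname
                claimed = HOST_RE.search(label)
                if actual and claimed and registrable(actual) != registrable(claimed.group(1)):
                    findings.append(("link-text-mismatch", f"{label} -> {href}"))

    hits = [t for t in URGENCY_TERMS if t in text.lower()]
    if hits:
        findings.append(("urgency-language", ", ".join(hits)))
    return findings


# Constructed sample messages (reserved example.* domains only).
SAMPLE_PHISH = """\
From: "Example Support" <alerts@example.net>
Reply-To: recover@example.org
To: user@example.com
Subject: Urgent: your password will be reset in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password is about to expire. Reset it now at
<a href="http://login.example.net/reset">https://www.example.com/reset</a>
or <a href="https://www.example.com/help">our help center</a>.</p>
</body></html>
"""

SAMPLE_BENIGN = """\
From: "Example Support" <support@example.com>
To: user@example.com
Subject: Your monthly statement is available
Content-Type: text/plain

Your statement is ready in the portal.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, analyze(sample))
```

Each finding on its own is only a signal (marketing mail routes replies to third-party domains all the time), so a gateway would score and combine them rather than block on any single hit; the value of the script is that it turns the human checklist into a repeatable test.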

Phishing may be one of the most reliable tools in a malicious actor's kit, but organizations that take the time to educate everyone in their networks, stay open to feedback from employees and consumers about phishing attempts, and keep learning and adapting to ever more sophisticated attacks will have an edge. Policies that encourage best practices, backed by investment in the right tooling, close the remaining gaps further. No defense is perfect, but coordination across the board goes a long way toward ensuring an organization is not easy bait.