What is phishing and how could it impact your business?
What is phishing?
Phishing is the act of obtaining private or sensitive information or data through fraudulent activity, such as impersonating a trustworthy source or entity. This information or data can range from usernames and passwords to banking information including credit card details, and can be obtained either by the victim providing it directly to the scammer or through malware installed after the user clicks a malicious link. Phishing scams may also be used to freeze an organisation’s or individual’s computer system as part of a ransomware attack.
A common example of obtaining personal information from an individual would be a person receiving a communication, like an email, from a source claiming to be a well-known and trusted entity, for example the Australian Tax Office. This email might tell the user that their Tax File Number had been suspended, and to provide personal information ‘verifying their identity’ in order to get the number reinstated. This personal information could then be used by the scammer in a number of ways, including to access banking portals, to sell to other scammers, or to commit identity theft, to name a few.
Scamwatch Australia received 44,078 reports of phishing scams in 2020.
Phishing is usually a form of ‘social engineering’ attack, meaning that the attacker uses human interaction (social skills) to obtain or compromise information from the victim. For example, native language skills, strong grammar and respectfully phrased requests have all proven far more effective for phishers than communications with typos, poor English and a threatening tone.
How is phishing a threat to businesses?
Phishing attacks can be made to target businesses as well as individuals, resulting in the attackers gaining a ‘foothold’ into corporate or even governmental networks. Through compromising an organisation’s employee/s, the phishers can bypass security perimeters, gain access to secure or privileged data, and distribute malware into the network’s closed environment.
The consequences for businesses who have been the victim of such an attack can range from severe financial losses and a decline in market share to loss of consumer trust and brand reputation.
48% of malicious email attachments are Microsoft Office files, often disguised as an invoice or receipt.
Source: Internet Security Threat Report Vol 24 | February 2019 | Symantec
The three types of phishing attacks
There are three primary types of phishing that are generally applicable to organisations.
- Mass phishing
- Spear phishing
- Business email compromise
Mass phishing is the most common form of phishing, according to CSO Australia. This approach is when a scammer sends an email pretending to be a trusted entity, and tries to trick the recipient into taking a specific action like visiting a website or downloading a file. This type of attack generally relies on email ‘spoofing’, where the ‘From’ field of the email header is falsified to make the email appear as if it were sent by a trusted sender. For example, the displayed sender name could read ‘Microsoft365’, but the actual email address might be ‘firstname.lastname@example.org’.
Mass phishing primarily relies on email as a delivery method; however, it may also be delivered as a phone call with a pre-recorded message telling the user what action to take.
Spear phishing is a much more tailored and targeted approach from scammers than mass phishing. Generally spear phishing requires much more research and planning to execute effectively, and also requires a different level of social engineering than other types of phishing.
An example of a spear phishing scam would be an attacker targeting only the HR department of a medium-large sized organisation with an email such as the example below.
Source: Trend Micro
By targeting a specific department or individual with information relevant to their function within the organisation, the phishers have a much higher likelihood that the target will download a harmful file or take the requested action.
A subset of ‘spear phishing’ that only targets the ‘whales/big fish’ of a company is known as whaling. This is when the organisation’s executive or C-suite level is targeted, and common ruses for this subset include claims of legal action being taken against the company, or fraudulent activity threatening the company’s financials.
Business Email Compromise
Business email compromise is also a subset of spear phishing, but is applicable to organisations only, not individuals.
The phishers will research and plan their attack around business processes to scam organisations out of goods, money or information, by impersonating business representatives using names, logos or domains similar to those of legitimate businesses. They may also use compromised email accounts from within the organisation itself, pretending to be a trusted or known co-worker.
According to the Australian Cyber Security Centre, the most common business email compromise attacks are:
- Invoice fraud: when a vendor’s email account has been compromised, the scammers can use that account to access legitimate invoices. They then edit the contact and bank details on the invoice, and re-send it to customers from the compromised email account. The invoice is then paid by the customer, believing it to be legitimate, and both the vendor and customer experience financial loss.
- Employee impersonation: when an employee’s email account has been compromised, the scammers can use that account to impersonate the employee and communicate with other employees within the organisation. For example, if the Chief Financial Officer’s email account is compromised, they could raise a false invoice with the accounts department with little to no issues.
- Company impersonation: when a scammer registers a domain with a very similar name to an organisation that is large and trusted (for example, Microsft 365 as opposed to Microsoft 365) and then uses this fraudulent domain to send vendors a quote request for a quantity of expensive goods (e.g. laptops). The scammer negotiates for these goods to be delivered prior to payment ‘on account’. The goods are delivered to a specific location, while the invoice is sent to the legitimate organisation. The vendor has then financially lost the value of the goods delivered.
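Two of the tells described above (a ‘From’ display name that claims a trusted brand while the address belongs to an unrelated domain, and a lookalike sender domain such as ‘microsft’ for ‘microsoft’) can be checked mechanically. The following is an added example written for this article, not code from Kloud IT or from any product it mentions; the trusted-domain list and the sample headers are assumptions constructed for the demonstration.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumption: the brands and vendors your organisation legitimately deals with.
# Populate this from your own vendor list; these two entries are placeholders.
TRUSTED_DOMAINS = {"microsoft.com", "example-vendor.com"}

def sender_parts(from_header):
    """Split a From header into (display name, lower-cased address domain)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain

def lookalike_of(domain, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Trusted domain this one closely resembles (dropped/swapped letter), or None."""
    if not domain or domain in trusted:
        return None  # an exact match is legitimate, not a lookalike
    best = max(trusted, key=lambda t: SequenceMatcher(None, domain, t).ratio())
    return best if SequenceMatcher(None, domain, best).ratio() >= threshold else None

def brand_name_mismatch(name, domain, trusted=TRUSTED_DOMAINS):
    """True when the display name carries a trusted brand label (e.g. 'Microsoft365')
    but the address domain is neither that brand's domain nor a subdomain of it."""
    label = name.lower().replace(" ", "")
    for t in trusted:
        brand = t.split(".")[0]
        if brand in label and domain != t and not domain.endswith("." + t):
            return True
    return False

def assess_from_header(from_header):
    """Return the findings for one From header; an empty list means no tell found."""
    name, domain = sender_parts(from_header)
    findings = []
    if brand_name_mismatch(name, domain):
        findings.append(f"display name '{name}' claims a brand that '{domain}' is not")
    look = lookalike_of(domain)
    if look:
        findings.append(f"domain '{domain}' is a lookalike of trusted '{look}'")
    return findings

# Constructed sample headers: the article's spoofing example, a lookalike domain
# in the style of the 'Microsft 365' ruse, and a genuine vendor message.
SAMPLES = [
    "Microsoft365 <firstname.lastname@example.org>",
    "Accounts Payable <billing@microsft.com>",
    "Jane Doe <jane.doe@example-vendor.com>",
]
```

Running `assess_from_header` over each entry in `SAMPLES` flags the first two and returns nothing for the genuine vendor; the similarity threshold is a heuristic, so tune it against your own mail before treating a hit as more than a prompt for a manual check.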
How to protect your business from phishing attacks
There are two primary methods of defense when it comes to phishing attacks on businesses.
- Staff awareness and education
- Technology-based solutions
Staff awareness and education
Employees are an organisation’s biggest weakness when it comes to phishing attacks and security compromises. That’s why the primary defense an organisation can take is to educate their staff on what phishing attacks look like, and educate them on the appropriate steps to take when they receive email, text, or social media interactions – no matter who it appears they are from.
An effective way of doing this would be to run education and training simulations of mock phishing scenarios with your employees, such as the Phishing Simulation & Training Solution offered by Kloud IT. These types of simulations pose realistic and challenging phishing attacks in a safe and secure way to test employees on their responses. If the end user fails the challenge posed in the simulation, they can then be enrolled into further training by the organisation to ensure no breaches in future.
58% of company decision-makers view awareness training as superior to technology solutions when dealing with phishing.
Source: The State of Security Awareness Training | Osterman Research
It’s also important to keep in mind that such training cannot be a ‘one and done’ exercise. Phishers are continuously upskilling and learning new ways to defraud organisations, so your company also needs to upskill and stay aware through regular training, awareness programs and by always being on alert to potential threats.
Technology-based solutions
A technology-based solution will provide your organisation with a comprehensive set of tools to safeguard it against malicious threats posed by email messages, corrupted links, and collaboration tools and platforms that might provide a gateway to your system. These solutions integrate with your network to stop attacks using automated, cross-domain security and built-in AI. In addition, Multi-Factor Authentication (MFA) should be mandatory across all devices used to access the organisation’s network and systems.
It’s also essential that your organisation does a company-wide audit of which employees are using personal devices to access company systems, programs and documentation, as if their personal device is compromised then access to the company network is at risk. Having a strong BYOD policy that is enforced across all employees will help to mitigate this risk.
What to do if you suspect a phishing attack
If you suspect that an email, text, or other communication you have received is a phishing scam, follow the below steps:
- Do not open it.
- If you have opened it, take a screenshot of the message and the sender information, then delete the message so it cannot be opened again in future.
  a. Do not download any attachments
  b. Do not click any links
- Report the message, with the screenshot, to your company’s IT department and anyone else relevant within your organisation.
- If you aren’t sure if the message is fake because it is from an organisation or person known to you, contact that organisation or person through a trusted communication channel (for example, if it’s the Australian Tax Office then call their general line – available on their website – and speak with someone directly).
- If you are sure the message is fake, and are worried your information may have been compromised in some way, report it to the Australian Competition and Consumer Commission (ACCC) through their Scamwatch page.
Kloud IT can help
We understand that the security of your information and data is of the highest priority to your organisation. That’s why we offer an Anti-Phishing Solution tailored to your organisation’s employees, giving you the best opportunity to defend your organisation from attacks.
A more effective training program does not mean more dollars or training time, but rather a training program that engages employees without taxing the security team.
Source: The State of Security Awareness Training | Osterman Research
Contact us to discuss our simulations and how they apply to your business, and take the first step towards ensuring your company’s data protection from phishing attacks.