Surely you may have at one time or another received an email warning of an outstanding invoice, a parcel shipment that you did not expect or a warning from the bank about suspicious activity in your account. These messages usually adopt an alarming tone and provide you with a link to a website that you must visit right away to verify your personal information or to complete payment information. Caution! This is a “phishing” attempt, one of the most popular scam methods on the Internet!
What is phishing?
Phishing is a form of cyberattack that uses technology and social engineering to breach user security.
The term comes from the word “fishing”, since cybercriminals employ bait tactics waiting for users to “bite” or fall into the trap. They usually aim to get hold of financial information, payment service passwords (such as PayPal), or login credentials.
Actually, phishing is nothing new. The first cases of this type of fraud date back to the mid-1990s, when a group of fraudsters posed as employees of the AOL company to steal confidential customer data. Already in the 2000s, attacks began to specialize, focusing mainly on the banking sector.
Over the years, scams have become more sophisticated and, despite advances in cybersecurity, phenomena such as the rise of teleworking or the fraudulent use of AI have contributed to the rise of new ways of phishing.
Phishing as a source of concern
Anyone can become a victim of phishing. Even though cybersecurity systems are getting more powerful by the day, scammers have also honed their skills and organized themselves into small teams, specializing in social engineering tactics.
Companies often become the preferred target of these cybercriminals who try to steal your sensitive data or trick intermediary charges into making unauthorized transfers. A fairly common example of phishing is vendor invoice fraud, in which fraudsters impersonate trusted business partners to request payment for an outstanding invoice.
Even more disturbing are cases like the one we saw at the beginning of 2020 in the magazine Forbes in which a Japanese company was the victim of an elaborate scam in which the generative AI was used to clone the voice of a manager and authorize a transfer of 35 million dollars.
Audio cloning, audiovisual deep fakes and, in general, the use of the latest technology for criminal purposes pose a great threat and, at the same time, a challenge for cybersecurity companies.
Risks associated to phishing attacks
Financial losses have an immediate impact, but there are other long-term consequences that phishing victims can experience:
- Reputational damage: Data breaches can erode customer trust, causing permanent damage to the company’s reputation.
- Service outage: A cyberattack can cripple the company’s computer systems, especially if it involves ransomware. It all starts by downloading a malicious file included in the phishing messages. Once in the system, it encrypts critical files and blocks access to business-critical information.
- Fines and penalties: Violation of data protection regulations (such as GDPR) may result in sanctions by authorities.
It is important to be prepared to deal with these threats using robust cybersecurity solutions and internal employee awareness programs as the main weapons to prevent phishing attacks.
Relevant statistics and data
Email fraud already accounts for 27% of economic losses for cybersecurity breaches and is responsible for 90% of data breaches, according to the report Cybersecurity Threat Trends 2021 (CISCO). This is mainly because phishing campaigns have become massive and scammers use hundreds of emails to reach more people.
Key elements in a phishing attack
Luckily, phishing messages are usually quite clumsy and recipients quickly realize that they are facing a scam, but sometimes they are so customized that they cast doubt on whether they are legitimate or not.
To gain the trust of their victims, fraudsters impersonate institutions, banks or companies that offer their services over the Internet.
Most of these fraudulent emails consist of:
- An unknown sender, with generic email extensions (Gmail, Hotmail, etc.) or names that resemble those of official companies, but with strange words that we cannot identify.
- A generic greeting (“Dear customer”, “Dear friend”) since cybercriminals generally do not know the identity of the recipient.
- An urgent request for our personal information (ID, credit card number) under the pretext of solving an issue.
- An external link that leads to a fraudulent website with the same logo, design and colors of the brand they intend to impersonate. On this landing page you will be prompted to update your details to continue. Here is where information is stolen.
- There is also the possibility that the email contains an attachment infected with malicious software (malware, ransomware). If you download it, it will compromise the security of the system.
It is important to be cautious and learn to recognize these phishing signals to minimize risks.
Types of phishing
There are currently over 10,000 forms of phishing (as reported by Wikipedia). These are some of the best known embodiments.
Traditional phishing
It is the most common form of email fraud. It is based on the random issuance of emails impersonating the identity of a trusted company or institution. Messages include links to fraudulent websites or infected files.
Spear phishing
While traditional phishing is a random scam, spear phishing targets a specific person, usually an influential position within the company. To earn their trust, cybercriminals conduct extensive research on the Internet, collecting personal data from social networks such as LinkedIn, where they check information such as age, location or position within the company.
Whaling
In whaling, the target is important people within the company or executive positions (CEO, CFO, etc.). Scammers investigate their prey for weeks and send highly personalized emails, related to critical business issues.
Smishing
Fraudulent messages are sent via text messages (SMS) or WhatsApp. For example, we received a notice from our bank reporting an unauthorized purchase with our card with a link to change the PIN and login details. If YOU do, we will have fallen into the trap.
Vishing
It comes from the union of “voice” and “phishing”. In this case, the scam is done by phone call. A typical example is technical service fraud where scammers call to report a computer failure that doesn’t actually exist and convince us to install a Trojan that will steal your data.
Angler Phishing
It is a new tactic that consists of creating fake profiles on social networks with the name of prestigious institutions and companies. The goal is to steal sensitive data from other users.
How to detect Phishing attacks?
Recognizing a phishing message is not always easy, but there are some indications that may make us suspect that the request is unusual.
- Alarmist tone: They often convey urgency and urge the user to act immediately. Cybercriminals use emotions such as fear or curiosity and use intimidation tactics to make us act irrationally.
- Grammatical errors: Many phishing messages contain spelling and grammatical errors as they were written by non-native speakers. Anyway, nowadays many scammers use tools like Chat GPT to correct their texts, so we must be wary even of messages without spelling mistakes.
- Suspicious links or unsolicited attachments: Does the sender ask you to click on a link? Does it include alleged unpaid bills or fines that you can’t identify? This is most likely a cyberattack.
How to prevent a Phishing attack?
- Do not open messages from unknown senders.
- Do not provide your personal information through a link in an email.
- Don’t download suspicious attachments.
- Hover over the link and check if the url starts with https. This indicates that the site has a safe certificate.
If despite these precautions you fell into the trap and provided your data, change the passwords of the affected accounts as soon as possible and report the scam to the local police. You may also contact the Internet User Security Office of INCIBE (National Institute of Security) to investigate the fraud.
Protecting your organization from phishing
IBM assures in its report Cost of a Data Breach Report 2021 that it can take an average of 213 days for a company to warn that it was the victim of a phishing attack. During this time, cybercriminals will access all kinds of confidential information: database passwords, trade secrets, access credentials to the corporate network… That is why it is important to be prepared and work proactively to stop the threat of phishing.
Some preventive measures:
Employee Awareness
Make cybersecurity part of your company’s organizational culture and create campaigns to warn your employees of the risks of Internet scams. A good measure is to implement a phishing simulation software to train them and teach them to differentiate an authentic email from a fraudulent one.
Implementing email security solutions
The first line of defense against a phishing attack is the anti-spam filter built into email. Make sure it’s up to date with the latest versions and security patches. You may also configure email authentication policies as Domain-based Message Authentication, Reporting, and Conformance (DMARC) to reduce the risk of phishing.
Endpoint monitoring and protection
Endpoints are the end devices (computers, tablets, smartphones) connected to the network. EDR solutions have been designed to monitor and detect the presence of malware on these endpoints.
Unlike antiviruses that work with previously identified patterns, EDR solutions are more advanced since they give automated and real-time responses to contain the attack. They use technologies such as AI and machine learning capable of detecting anomalous behaviors, such as the execution of malicious scripts.
Endpoint protection is a basic cybersecurity measure, but should be combined with other solutions such as network traffic monitoring or safe remote access solutions such as Pandora RC.
How does Pandora RC help improve remote access security?
More and more companies are adopting policies of teleworking or hybrid work. It is a reality that poses new challenges in terms of cybersecurity. Remote workers operate in less secure environments than those under the supervision of IT teams.
Tools like Pandora RC help monitor your systems by offering remote support and quick assistance if a phishing attack is suspected.
Other ways Pandora RC can help prevent cyberattacks:
- It generates 100% local passwords avoiding vulnerabilities in centralized systems.
- Remote connections must be pre-approved.
- It uses dual authentication access policies. This reduces the risk of unauthorized access, as users have to validate their identity in two steps.
- It is a flexible and scalable solution. In addition, it is available as a SaaS or On-Premise solution for companies that want to have more control over their infrastructures.
Other tips to prevent phishing attacks in the business environment
As phishing techniques become more sophisticated, the need for protection is increasing. Therefore, it is not a bad idea to keep in mind some basic tips:
- Try to stay up to date on new scams, follow the news in the media, and read tech blogs like Pandora FMS blog.
- Use strong passwords on your accounts that include a combination of numbers, letters, and special characters. Never choose personal data such as date of birth, cities or pet names for your passwords; phishers could guess this information by checking your social media.
- Use a multi-factor authentication (MFA) system to add an extra layer of security to your connections. That way, if a hacker gets your login credentials, they would still need to know the code sent to your mobile to access your accounts.
- Installing a firewall is critical to blocking unauthorized access to sensitive information. Make sure it’s properly configured and only allows safe transactions.
- Keep your browser and operating system up to date as cybercriminals often take advantage of vulnerabilities in outdated systems.
- Prevents access to sensitive information over public Wi-Fi networks. Many of these networks lack encryption protocols and transmitted data could be intercepted. Turn off the option to automatically connect to open Wi-Fi networks on your mobile.
- Make automatic backups of company data to be able to recover information in the event of an attack. We recommend them to be immutable backups (they cannot be deleted or modified). This ensures that copies are protected and can be restored even if a ransomware attack takes place.
Conclusion
As we mentioned at the beginning, phishing has existed since the beginning of the Internet and will probably evolve and we will learn about new forms of this form of cyberattack. Although we must be vigilant in the face of these threats, slowing technological development is not the solution. The key is to adopt cybersecurity measures and educate users to minimize risks and create a safe working environment.
I studied Philology, but life circumstances led me to work in the Marketing sector as a content writer. I am passionate about the world of blogging and the opportunity to learn that comes with each new project. I invite you to follow my posts on the Pandora FMS blog to discover the technological trends that are transforming the business world.
