This post is the first in the series “Phishing Simulation: Learn The Basics”, which will help you plan and execute an important piece of your next cybersecurity awareness program.
According to a report from Deloitte
Close to 91% of all cyber attacks start off with a phishing email.
Gone are the days when a phishing email was only a dodgy message from scammers claiming to be a Nigerian prince offering you mountains of cash. The cyber threat landscape has evolved, and today’s cybercriminals are smart enough to make their phishing attacks look legitimate and harder to flag as an attack.
In this first blog post of our series, we will take you back to the basics of phishing attacks.
What is Phishing?
Phishing emails are a delivery mechanism cybercriminals use to trick you into performing an action to their advantage. Such actions range from clicking on a link to filling in a form with your username and password. In most scenarios, cybercriminals prey on people’s anxieties and insecurities to make them willingly hand over their data. For example, some phishing emails try to put you in a state of panic by posing as your superior or a loved one.
Phishing emails typically carry a link or an attachment. A link sends your browser to a malicious website that either harvests sensitive information (credentials typed into a fake login page, for instance) or infects your device with malware; an attachment delivers the malware directly. When a site infects a device merely by being visited, with no further action from the user, that infection is known as a drive-by download. Cybercriminals then use the stolen data to commit identity fraud, sell it to other criminals, or hold it over you and demand a ransom.
Cybercriminals are constantly plotting new ways to make you give them what they want. Social engineering is the art of manipulating people into giving up information or performing certain actions. Cybercriminals rely on social engineering in phishing attacks because it is simply easier to exploit human insecurity to reach valuable information than to do all that ‘super coder hacking’ we see in movies.
The top 3 types of phishing attacks:
- Business Email Compromise (BEC): In a BEC attack, cybercriminals pose as someone with authority inside the company and use that fake persona to phish lower-level employees. They typically impersonate the organization’s CEO or another executive who can authorize wire transfers, and they do their homework first by closely monitoring their potential victims and the organization’s internal structure.
- Spear Phishing: Spear phishing attacks are similar to BEC in that they are aimed at a specific audience. Unlike generic phishing emails that go out to thousands of people in wide-scale campaigns, spear phishing homes in on key individuals within an organization. Cybercriminals use social engineering to personalize the emails so that victims are caught off guard by instructions to reveal information or perform certain actions.
- Whaling: Instead of targeting employees lower down the organizational chain, whaling targets C-level executives. This type of attack is usually carefully planned, and cybercriminals dedicate a lot of time to it. The aim is to trick C-suite executives into revealing sensitive corporate data, which the attackers then threaten to release unless a ransom is paid.
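The common thread in all three types is impersonation: a display name that claims to be an executive, a sender domain that looks like yours but is not, a Reply-To that quietly points somewhere else, and language that pressures the recipient into acting fast. The following script, added here as an example and not code from the original post or from Right-Hand, scores a raw email against exactly those signals. The internal domain `example.com`, the executive list, the urgency word list and the two sample messages are all constructed for illustration and are not data from the page.

```python
"""Heuristic BEC / executive-impersonation triage for a raw RFC 822 message.

Added example, not the original post's code. INTERNAL_DOMAIN, EXECUTIVES,
URGENCY and the sample messages below are constructed assumptions.
"""
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                    # assumption: our own mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumption: display name -> real mailbox
URGENCY = ("urgent", "wire transfer", "immediately", "confidential", "asap")


def normalize(name: str) -> str:
    """Lower-case a display name and strip punctuation: 'Jane DOE (CEO)' -> 'jane doe ceo'."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one typo away from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for examp1e.com, example.co, example.net: near-copies of INTERNAL_DOMAIN."""
    if domain == INTERNAL_DOMAIN:
        return False
    if edit_distance(domain, INTERNAL_DOMAIN) <= 1:
        return True
    return domain.split(".")[0] == INTERNAL_DOMAIN.split(".")[0]


def triage(raw: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no BEC signals."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    from_domain = addr.rpartition("@")[2]
    display_norm = normalize(display)

    # 1. Display name claims to be an executive, but the mailbox is not theirs.
    for exec_name, mailbox in EXECUTIVES.items():
        if exec_name in display_norm and addr != mailbox:
            findings.append(f"display name impersonates {mailbox} but sender is {addr}")

    # 2. Sender domain is a lookalike of our own.
    if from_domain != INTERNAL_DOMAIN and is_lookalike(from_domain):
        findings.append(f"lookalike sender domain {from_domain}")

    # 3. Replies are silently diverted to a different domain.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply.lower().rpartition("@")[2]
    if reply and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. Pressure language in subject or body (the "state of panic" lever).
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [k for k in URGENCY if k in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed sample: a CEO-fraud attempt from a typo-squatted domain.
BEC_SAMPLE = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e.com>
Reply-To: <ceo.jane.doe@gmail.com>
To: accounts@example.com
Subject: Urgent wire transfer - confidential

Need this done immediately, I am in a meeting and cannot talk.
"""

# Constructed sample: the real executive writing from the real mailbox.
LEGIT_SAMPLE = """\
From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 budget review

Please send the Q3 summary when you get a chance.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, triage(sample) or ["no findings"])
```

None of these checks is proof of fraud on its own; a lookalike domain with a diverted Reply-To and wire-transfer urgency in one message, however, is exactly the pattern the BEC and whaling cases above describe, and is a good candidate for quarantine or for a second-channel confirmation with the named executive.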
Main Targets of Phishing Attacks
Previous attacks show that anyone can fall for phishing. Between 2013 and 2015, Facebook and Google collectively lost over $100 million to phishing emails posing as invoices, as reported by CNBC in 2019. An attack that should have been routine to flag got past their defenses when a Lithuanian cybercriminal sent them several fraudulent invoices while posing as a legitimate third-party vendor.
In another real-world case, reported by Reuters, the Austrian aerospace firm FACC incurred $61 million in losses through Business Email Compromise. By impersonating the CEO, a cybercriminal got fake invoices in front of the company’s accounting team, who then transferred the funds to his account.
Does company size matter for phishing attacks?
Although enterprises are an important target for cybercriminals, they are usually in a better position to prevent attacks than small and medium-sized enterprises (SMEs). SMEs don’t always have a Chief Information Security Officer (CISO) or anyone responsible for cyber awareness programs, so they are less prepared and are seen by cybercriminals as easier targets.
As reported by InfoSecurity Magazine, research from Gallagher estimated that
Nearly 60,000 small and medium enterprises could be at risk to collapse in 2019 if hit by a cyber attack.
This article from IT World Canada points out that Canada’s large SME and start-up markets might explain the significant increase in phishing fraud directed at the country.
The belief that only enterprises and large corporations are targets for phishing attacks couldn’t be more inaccurate.
Nor is any single industry the main target: successful phishing attacks happen in healthcare, manufacturing, technology, education, and the public sector alike.
Check out the second post of our series to understand why phishing is still the most common and successful type of cyber attack.
Fight Off Phishing With the Right Help
Right-Hand’s Phishing Readiness product can help you condition employees to become less susceptible to malicious phishing emails, by creating and launching custom phishing simulations. Schedule a personalized demo and see our product in action.