According to the Computer Security Resource Center definition, Phishing is “a technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person”. This scam is increasingly common and has devastating consequences for companies.
According to IBM's Cost of a Data Breach Report 2021, Phishing was the second costliest average total cost of the 10 initial attack vectors in the study, at $4.65 million. Furthermore, phishing was the second most frequent initial attack vector, being the gateway to 17% of threats.
There are different types of phishing. Below, we list some of the most common:
Email Phishing: attacks carried out through messages via email, using fake domains, which imitate those of real companies. It can trick the victim into clicking on a malicious website, making a suspicious download, or tricking them into sending information.
Spear Phishing: While Email Phishing is sent in bulk, for many people, Spear Phishing is personalized, through an email with personal information from the person receiving the message. With this, the chances of the victim falling for the scam is much greater.
Whaling: This Phishing scam targets the “big fish”, meaning the company's top executives. These people usually have a lot of information available on the internet. With dedication and study, scammers manage to mount a very believable bait, which increases the chances of the victim falling for the scam. This type of attack is worrying, as CEOs and C-Levels have access to especially sensitive company information.
Voice Phishing: Voice simulation programs are getting more and more sophisticated. Through this type of resource, scammers are able to simulate voice messages and even phone calls, posing as banking institutions, for example, to collect information or practice scams.
Smishing: This scam involves fake SMS messages. Scammers usually use information from leaks, or information collected from research on social networks, to make the scam seem more real.
These Phishing messages typically follow patterns such as:
Given the importance of this threat, here are some strategies that can help your company protect itself from scams:
Keeping employees trained and on the lookout is critical to ensuring a functional end-to-end cybersecurity strategy. Attacks by criminals are increasingly sophisticated, ranging from viruses disguised as attachments to well-rehearsed phone calls.
According to Google's Transparency Report, 46,000 new phishing websites were created every week in 2020.
Employees need to know the dangers, the risks of attacks, and the correct procedures for acting in a phishing situation.
This training can be done by the internal cybersecurity and technology team or delivered automatically by a partner company through short 2-3 minute videos.
Sending controlled tests allows you to identify the extent to which your company is susceptible to attacks. In addition, fictitious attacks give clues to where the biggest vulnerabilities are and which aspects of cybersecurity the company should strengthen.
Passwords are a particularly sensitive topic when it comes to phishing. Without the correct management of passwords, with single access, the hacker can have control over several logins. Thus, in addition to training your employees to create strong passwords, it is important to raise awareness about the use of unique passwords for each access, reducing damage in the event of an attack.
The corporation can invest in efficient solutions to stop suspicious messages and requests through its inbound channels. These malicious emails are blocked and tested by the tools, preventing the scam from reaching the recipient.
CyVent proudly offers Haven, a managed protection, detection, and response solution as a service made for businesses of all sizes, providing enterprise-class security protection, along with controls, management, and monitoring options, with an excellent protection program for your endpoints, your network and your emails.
Restricting server access is also a good alternative to protect information. Employees should have access to basic servers, accessing servers with more important information only when necessary. That way, in case of phishing, the threats are found.
The problems your company faces are unique. So your answer should be too. With CyVent you have expert support, cutting-edge software, and access to rigorously selected solutions with 24/7 monitoring.
Book a call: www.cyvent.com/contact-us