Hi my friends! First and foremost, let's start with the official definition of phishing:
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Phishing emails are nothing new. So why, despite broad coverage in the press, numerous corporate training programs and many anti-phishing products, is phishing still behind a staggering 93% of data breaches?
With the average phishing attack costing a mid-sized company $1.6 million, this is not a matter to take lightly. How can you be sure that your company is adequately protected? Let's start by seeing how good you are at spotting phishing emails. Think you can outsmart these devious scammers? To find out, take the Google phishing quiz, which asks you to classify 8 emails as either phishing or legitimate. Go ahead, do it now, we'll wait.
How did you do? How do you think your employees would do? The fact is, many employees are still being tricked by these scams. Why are phishing emails still so successful, and how can you protect your company against them?
Types of Phishing:
Spear Phishing: highly targeted phishing attempts aimed at specific individuals, often using information gleaned from the Internet to make the email look personal and legitimate.
Clone Phishing: a legitimate email the victim has already received is copied and re-sent from a lookalike address, with its links replaced or its attachments swapped for a malicious payload.
Whaling, Pretexting and BEC: cybercriminals target high-profile employees such as CFOs and CEOs, often by impersonating a colleague or executive, and try to trick the victim into sending a wire transfer to the criminal's account or handing over W-2 forms or other sensitive information that can be used to commit fraud. According to the FBI, BEC fraud between 2013 and 2018 amounted to $12.5 billion.
Let's read this brief history together:
The first recorded phishing attempts date back to the 1990s, but it was in the early 2000s that phishing really took off. The first attacks were crude, hit-and-miss mass email blasts that appeared to come from well-known banks, designed to trick unsuspecting recipients into handing over their personal information or online banking credentials. By 2010 a new phishing phenomenon was proving far more effective: spear phishing.
Infamous data breaches at Anthem, Sony and even the White House all started with a spear phishing attack, in which a socially engineered email was sent to a small number of high-ranking individuals, tricking them into providing their credentials or opening a malware-laced attachment that gave the attackers access to their systems.
By 2015, a new and highly dangerous phishing technique surfaced: Business Email Compromise (BEC).
This is currently the most artful form of phishing: BEC emails carry no URLs, attachments or malware, which makes them much harder to detect and block with technical controls.
It's an exciting and challenging time to be working in the cyber security industry. Research consistently indicates that cybercrime is still on the rise.
Even governmental election processes the world over are not exempt from cybercriminals, and they are now part of the growing statistics on cyber attacks.
A glimpse at some numbers:
$1.5 trillion cybercrime economy: the cybercrime economy is estimated to generate at least $1.5 trillion in profits each year.
$300 billion cyber security market: the value of the cyber security market is expected to reach $300 billion by 2024, according to a 2019 press release by Global Market Insights, Inc.
$15 billion in cyber security funding: according to the 2019 President's Budget released by the White House, the U.S. government plans to spend $15 billion on cybersecurity-related activities this year, a 4.1% increase ($583.4 million) over the 2018 budget. The budget document adds a caveat: "Due to the sensitive nature of some activities, this amount does not represent the entire cyber budget."
How can I actually protect myself from such attacks?
For companies, one solution that comes to mind is a sophisticated email security gateway paired with advanced malware protection (AMP) and ransomware defences. Individuals looking for security at home usually cannot buy commercial-grade solutions.
Educating themselves about phishing, however, goes a long way towards protecting their devices and data from theft.
Here are a few tips for individuals that are concerned:
Before clicking any link in an email, verify the domain name and make sure the link really goes to the source it claims to be. The text of a link can say anything, so hover over it (or long-press it on a phone) to see the actual target address. Lookalike domains are cheap: the 2018 Cisco Annual Cybersecurity Report counted 101,934 phishing URLs across 8,445 phishing domains in March 2017 alone. Rather than Cisco[dot]com, the link may actually point at Cisc0[dot]com (a zero in place of the letter o) or something similarly close to what you expect.
Call to confirm. Some phishing emails impersonate your bank or insurance company and ask for information or demand some action. Some claim there has been a breach and that they need information from you to act. Before providing anything, call your bank or insurer on the number printed on your card or statement, not on a number given in the email, and ask them. If there is a real emergency, they will know.
Adjust email filters. If you recognise a phishing attempt, filter it out and do not respond: a reply only confirms that your address is live. Flag the message as spam or phishing so that you stop seeing mail from that sender.
If you already clicked the link, contact a security professional. If you did fall for a phishing attempt, consider calling a security professional, and change any password you entered on the page. The cost of some help is negligible compared to the damage of someone stealing your banking details.
Ask "Does this make complete sense?" Attackers try to prompt action by claiming the victim has won a sweepstake or some other competition and must click immediately to claim the prize. Before acting, ask whether it makes sense. If you never entered a competition, it is almost certainly fake.
TRADEMARK LEGAL NOTICE
All product names, logos, and brands are the property of their respective owners in Austria or other countries. All company, product and service names used on this website are for identification purposes only. Pheniix is not affiliated with or an official partner of Cisco, CompTIA, Dimension Data, VMware, Amazon, Microsoft, Certified Ethical Hacker, (ISC)², Juniper, Wireshark, Offensive Security, Google, GNS3, F5, Python, Linux, Java, OpenStack, Vagrant, Ansible, Docker, GIT, Blockchain or other companies. Use of these names, logos, and brands does not imply endorsement. The opinions expressed on pheniix are personal perspectives and not those of Cisco, Dimension Data or any other company. Pheniix runs as an independent blog.