Technology is advancing at an unprecedented rate, with 5G and IoT enhancing the way business is now done. However, with each new advancement, the cyber security risk increases. Phishing is one such security threat that corporates, in particular, need to protect against.
Phishing ultimately takes advantage of human trust by luring the user into a false sense of security and encouraging them to hand over valuable information. It is a social engineering attack that steals critical company information by directing the user to a malicious link, usually via an email, text message or social media communication.
How does phishing differ from malware?
A virus or malware is a manipulated programme that can be installed onto an electronic device. To counteract this destructive element, corporations across the globe have installed anti-virus software which, through updated security patches, will keep devices safe from malicious software. Phishing is a scam that requires an employee to hand over details, thereby allowing the cyber criminals access to company information.
The cyber threat of phishing has a number of forms, all aimed at getting vital user information. Here’s a look at the most common methods:
1. SMiShing (or SMS phishing)
SMiShing is a form of phishing where the user will receive an SMS or other instant message that suggests clicking on a link. This then downloads a virus onto the device, resulting in the theft of sensitive information.
2. Vishing
Vishing – which is voice phishing – is where an individual is called and directed by an internet telephone service (VoIP) to a fake domain, where they reveal confidential information.
3. Email phishing
One of the most common forms of phishing – and often the most easily identifiable – is email phishing. A cyber criminal will send out hundreds or thousands of fraudulent emails to various recipients, often managing to catch a small percentage of unknowing victims. The criminals will design the email to mimic real-world emails from either an existing or spoofed organisation. Depending on the particular email, aspects such as phrasing, logo, font and signatures could appear to be completely legitimate.
4. Spear phishing
This is effectively a form of email phishing, but rather than targeting random individuals in bulk, spear phishing targets a specific organisation. This requires much more in-depth detail, as well as specific knowledge about the particular organisation and its structure.
5. Whaling
A more refined version of spear phishing is whaling, whereby a specific employee within an organisation is targeted, rather than the entire organisation. The aim of whaling is to create a sense of urgency and panic, so that the employee will act quickly rather than thinking over the email and questioning its contents. This will generally be aimed at a lower-level employee, often pretending to be from the boss, or upper management.
6. Angler phishing
Social media is also a great risk for phishing; phishing carried out this way is referred to as angler phishing. A cyber criminal will forward cloned websites to a company’s social media account, and the company will be tricked into divulging login details, thereby allowing the criminal access to further sensitive information.
Impact of phishing attack
The detrimental impact of a phishing attack on any organisation – no matter the size – cannot be overstated. Phishing often allows the cyber criminal to gain a foothold into a corporate network, thereby paving the way for a much more advanced attack. The fallout of this is severe financial losses, sometimes to the point of company ruin; declining market share; a massive dent to an organisation’s reputation, for which significant PR recovery will be needed; and the loss of invaluable consumer trust. Recovery from a phishing attack, where possible, will take a significant period of time.
What is the best defence against phishing?
With more knowledge about the nature and danger of phishing to the corporate sector, it’s worth looking at some of the ways to prevent this from happening.
The best cyber security defence is, undoubtedly, educating employees on the dangers of phishing. When people are aware of the methods and key, tell-tale signs of a phishing scam, they are much more likely to avoid becoming victims.
Some of the signs of phishing are:
- Any message starting with a generic greeting, such as ‘dear customer’, could indicate an email phishing scam. However, spear phishing could incorporate personal information, making it harder to detect.
- Any requests for personal information or details that you wouldn’t feel comfortable sharing.
- Messages that create a sense of urgency where immediate action has to be taken. Cyber criminals are hoping you will overlook proper procedure and act without thinking.
- Website links that are suspiciously longer than normal or contain an @ symbol are generally indicative of a phishing threat.
- Often one of the most obvious indicators is simply errors in spelling and grammar.
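The signs listed above can also be checked automatically as a first-pass triage step. The following is an added example, not part of the original article: the word lists, the 100-character link threshold and the function names are assumptions chosen for illustration, and the sample messages are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed thresholds and word lists (not from the article); tune for your own mail flow.
MAX_URL_LENGTH = 100
GENERIC_GREETINGS = ("dear customer", "dear user", "dear client")
URGENCY_TERMS = ("immediately", "urgent", "within 24 hours", "account will be suspended")
INFO_REQUEST_TERMS = ("password", "card number", "login details", "date of birth")
URL_PATTERN = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def check_url(url):
    """Return the link-related signs from the list that this URL shows."""
    signs = []
    parts = urlsplit(url)
    # Text before '@' in the authority is userinfo; the browser connects to what follows it.
    if "@" in parts.netloc:
        signs.append(f"link contains '@' (real host: {parts.hostname})")
    if len(url) > MAX_URL_LENGTH:
        signs.append(f"link is {len(url)} characters long")
    return signs


def phishing_signs(body):
    """Return a list of tell-tale signs found in a message body."""
    text = body.lower()
    signs = []
    if text.lstrip().startswith(GENERIC_GREETINGS):
        signs.append("generic greeting")
    if any(term in text for term in INFO_REQUEST_TERMS):
        signs.append("request for personal information")
    if any(term in text for term in URGENCY_TERMS):
        signs.append("sense of urgency")
    for url in URL_PATTERN.findall(body):
        signs.extend(check_url(url))
    return signs


# Constructed sample messages (example.com / example.net are reserved documentation domains).
SUSPICIOUS = (
    "Dear customer,\nYour account will be suspended unless you act immediately. "
    "Confirm your password at http://www.example.com@login.example.net/verify"
)
BENIGN = "Hi Priya,\nThe minutes from Tuesday are at https://intranet.example.com/minutes\nThanks, Sam"

if __name__ == "__main__":
    for sign in phishing_signs(SUSPICIOUS):
        print("flag:", sign)
```

A message that raises no flags is not thereby safe: as noted above, spear phishing can use a personal greeting and clean wording, so checks like these complement employee awareness rather than replace it.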
- AI programmes
Artificial Intelligence (AI) programmes can be installed to alert employees to emails that are considered a threat. This form of cyber security can detect if an email is not from an original source.
- Machine learning
There are also email filters that use Machine Learning (ML) and natural language processing as a way to flag emails that are potential phishing threats.
An experienced IT security organisation will be able to identify any cyber security risks – such as phishing – by performing a vulnerability assessment on the company networks. Any risks can immediately be neutralised, although it’s important to perform ongoing risk assessments.
- Two-factor authentication
Companies are also adding extra verification – known as two-factor authentication (2FA), two-step verification or dual-factor authentication – when logging into highly sensitive documents, as a superior cyber security option. Authentication factors are usually something you know (user name and password), something you have (smartphone or token), or something you are (fingerprint or eye scan). 2FA will require two of these.
- Password management policies
Another way to ensure cyber security is by implementing strict password management policies. Employees should have to change passwords frequently and not be able to use passwords for more than one application.
Phishing is an ongoing and evolving cyber threat that can topple organisations, no matter the size. While educating employees is vital, it’s certainly worth consulting with IT professionals to determine the level of cyber security measures needed.