Phishing is the term given to cyberattacks that attempt to trick users into handing over sensitive data or installing malware. Phishing attacks generally arrive by email and can appear to come from trusted senders, such as work colleagues. Once a user has been caught out, the attacker can install malware and steal intellectual property and sensitive personal information. This endangers company security and leaves victims exposed to identity theft. Phishing is particularly topical as the risks posed are higher than ever, with 39% of businesses reporting cyberattacks to the Information Commissioner’s Office (ICO) in the last 12 months [1]. The same risks apply on mobile devices, a less well-known avenue for cybercriminals to exploit. Mobiles offer multiple attack vectors, i.e., channels through which a lure can be delivered, including SMS, social media, WhatsApp, and gaming apps. So, it is important to remain cautious and take care across all devices.
Phishing campaigns are built around either a malicious attachment or an external link to a malicious website. The first uses seemingly harmless attachment names, such as ‘invoice’, to encourage the user to open the file, at which point malware is installed on the computer. Links to malicious sites are placed in increasingly legitimate-looking emails, directing the victim to a page that either downloads malware or runs scripts to harvest credentials.
The National Cyber Security Centre recommends a multi-layered approach against phishing, to improve resilience and minimise the impacts of the damage caused.
Layer 1 – Make it difficult for attackers to reach users.
The first layer of defence acts as a barrier, to make it difficult for attackers to reach end-users in the first place. It involves setting up precautionary measures and anti-spoofing controls to filter out suspected emails and reduce the probability of incidents. Such controls can be provided from your cloud-based email provider, or a tailored solution directly from your email server.
Layer 2 – Help users identify and report suspected phishing emails.
The second layer requires collaboration with end-users, in the form of training and staff awareness. Although phishing simulation training is often the only measure used at this layer, on its own it neglects weaknesses elsewhere. Thorough training that details how to spot and report phishing, and explains the nature of the threat posed, is particularly effective. Encouraging users to report phishing attempts gives a better view of what sort of phishing emails are slipping through the filters and the impact this has on your company.
Phishing emails often come with a tell, usually subtle differences from a genuine email. Users should remain cautious and, before clicking any external link, double-check that the URL/domain name is spelt correctly. Likewise, by hovering over a URL with your mouse, you can preview where it will take you. Be careful in this instance not to click on the URL.
Attackers often use similar-looking letters, substitute numbers for letters, or add extra letters so that a domain appears genuine. Other targeted phishing attacks may be less easily recognisable and often use language that pressures the end-user into acting. For example, a forwarded email can easily be manipulated to look like a genuine email chain. Other attacks impersonate directors or managers to gain the attention and trust of junior employees.
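As an added illustration (not code from the original post or from Kick), the check below applies the tells described above to a URL from a defender's side: confusable characters, a one-character typo, and a trusted name buried in a subdomain. The trusted-domain list and the sample URLs are constructed, and the two-label "registrable domain" rule is a deliberate simplification.

```python
from urllib.parse import urlsplit

# Constructed sample data: the domains an organisation genuinely uses.
TRUSTED_DOMAINS = {"kick.example", "microsoft.com", "paypal.com"}
# Confusable substitutions seen in lookalike domains: digits standing in for
# letters, and letter pairs that read as a single letter at a glance.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def host_of(url: str) -> str:
    """Lower-cased host name of a URL; a scheme is assumed if none is given."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def registrable_domain(host: str) -> str:
    """Last two labels, e.g. 'paypal.com' (a real filter would use the public suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def normalise(domain: str) -> str:
    """Fold confusables so 'paypa1.com' and 'paypal.com' compare equal."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; cost 1 per insertion, deletion or substitution."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url: str) -> str:
    """'trusted' for a genuine domain, 'lookalike' when it imitates one
    (confusable swap, a single typo, or a trusted name hidden in a subdomain)."""
    host = host_of(url)
    dom = registrable_domain(host)
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if normalise(dom) == normalise(trusted) or edit_distance(dom, trusted) <= 1:
            return "lookalike"
        if "." + trusted + "." in "." + host + ".":  # e.g. paypal.com.evil.example
            return "lookalike"
    return "unknown"
```

Anything classified as "lookalike" is worth quarantining or at least flagging to the user before the link is followed; "unknown" simply means the domain is not one the organisation has vouched for.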
Things to be careful about include:
A simple organisation-wide policy to implement is one that requires two forms of confirmation before a financial transaction takes place. For example, no financial action should be taken on the basis of email communication alone. This simple method of verifying requests by verbal confirmation goes a long way towards preventing such attacks.
Layer 3 – Protect your organisation from the effects of undetected phishing emails.
As detailed earlier, phishing attempts can bypass filtering services and breach your organisation’s defences. In these instances, device-level protection can stop a user who has been tricked from handing access to an attacker. It can be as simple as keeping your software up to date and restricting access to only those who need it. To protect sensitive information further, two-factor authentication (2FA) is always recommended, so that attackers cannot breach systems with a stolen password alone.
Layer 4 – Respond quickly to incidents.
Should you fall victim to a phishing attack, it is best to respond quickly to limit the potential for further damage. It is therefore essential to encourage open communication so that incidents are reported as soon as possible. Simple response plans, such as forcing password changes on compromised accounts and removing malware promptly, greatly help to mitigate potential losses.
Hopefully, this blog post has provided a more rounded understanding of the different types of phishing and how you can implement the best measures to safeguard your sensitive data. At Kick, we believe that you can never be too careful – so we would like to direct you to a couple of handy resources that you can use to test your phishing detection skills:
At Kick, our team of experts is at hand to discuss all your business’s cybersecurity needs. From protection against phishing attacks to securing Cyber Essentials accreditation, we can help mitigate the potential for harm that enterprises are increasingly vulnerable to. We would like to hear from you - call us on 01698 844 600 or send us an email at firstname.lastname@example.org to discuss your needs.