David Kelleher
Oct 24, 2024
David Kelleher
Oct 24, 2024
Phishing attacks show no sign of abating and continue to be one of the most pervasive and damaging.
Despite new technologies, training and awareness programmes, phishing persists, targeting the most vulnerable element in any security infrastructure: human judgment.
In the Email Security Risk Report 2024 by Egress, nine in 10 organisations said they were the victims of phishing attacks (94%), with nearly all of them (96%) saying they were ‘negatively impacted’.
Looking at the bigger cybersecurity picture, phishing accounted for 71% of cyber threats (ReliaQuest) with social engineering being the “most common route to achieve initial access” by cyber criminals to exploit legitimate users.
The same report said that AI’s generative technologies helped phishers to create more “realistic emails” and, for voice scammers, deep fake voice recordings of key colleagues.
Zscaler observed a nearly 60% year-on-year increase in phishing attacks in 2023 compared to the previous years.
It is safe to say that phishing is not going away any time soon. Even worse, it’s taking less time for a phishing attack to be successful. Palo Alto, in their incidence response report 2024, cite an example of how attackers gained access to an organisation, exfiltrated terabytes of data, and deployed ransomware to nearly 10,000 endpoints – in less than 14 hours. Initial entry started 30 minutes after the phishing email was sent.
As these malicious actors refine their techniques, it becomes increasingly crucial for both individuals and organisations to remain vigilant and well-informed about recognising and responding to phishing threats.
Two particularly dangerous variants of phishing have gained prominence in recent years: spear-phishing and business email compromise (BEC).
Spear-phishing represents a more targeted approach, where attackers craft messages tailored to specific individuals or organizations. These personalised attacks often leverage information gleaned from social media profiles or previous data breaches, significantly increasing their credibility and potential for success.
BEC attacks, on the other hand, involve the infiltration or spoofing of legitimate business email accounts. Cybercriminals use these compromised or imitated accounts to trick employees into making unauthorised financial transactions or transferring sensitive data. The consequences of these attacks can be severe, often resulting in substantial financial losses and irreparable damage to an organisation’s reputation.
Identifying phishing attempts requires a keen eye and a healthy dose of scepticism. While attackers continually refine their techniques, several common red flags can help individuals spot potential threats:
Language: Phishing emails often contain grammatical errors, awkward phrasing, or inconsistent formatting that can indicate a fraudulent source.
Unexpected Attachments or Links: Be wary of emails containing attachments or links you weren't expecting, especially if they come with vague or urgent messages encouraging you to open them.
Requests for Sensitive Information: Legitimate organisations rarely, if ever, ask for sensitive personal or financial information via email. Any such request should be treated with extreme caution.
Mismatched or Suspicious URLs: Hover over links without clicking to reveal their true destination. If the URL doesn't match the purported sender or seems off in any way, it's likely a phishing attempt.
Pressure Tactics: Phishing emails often create a false sense of urgency, threatening negative consequences if immediate action isn't taken. This pressure is designed to override rational decision-making.
When faced with a suspicious email, it's important to pause, assess the situation carefully, and verify the sender's identity through alternative means before taking any action, regardless of how urgent the message may seem.
Recognising phishing is only half the battle; reporting these attempts is equally important. Employees should follow their organisation's established procedures for reporting suspicious communications. Some companies may also have dedicated channels or teams responsible for handling potential security threats. Prompt reporting can prevent further damage and help protect colleagues from falling victim to the same attack.
Effectively preventing phishing attacks requires a multi-faceted approach that combines technological solutions with human vigilance. On the technical side, organisations should implement robust security measures such as advanced spam filters, next-generation firewalls, and email authentication protocols like DMARC (Domain-based Message Authentication, Reporting, and Conformance).
However, even the most sophisticated technical defences can be circumvented by a single moment of human error. This is why employee awareness and training are indispensable components of a comprehensive anti-phishing strategy. Regular phishing simulations expose employees to realistic but safe examples of phishing attempts, helping them develop the skills needed to identify and respond to real threats. Comprehensive security awareness training should cover not only how to recognise phishing but also the proper procedures for reporting suspicious communications.
Creating a security culture within an organisation is perhaps the most effective long-term strategy for mitigating the risk of phishing attacks. This involves fostering an environment where employees feel empowered to question suspicious communications, share potential threats with their colleagues, and actively participate in the organisation's security efforts.
The threat of phishing is unlikely to disappear entirely, so a combination of technological defences, human awareness, and proactive reporting can significantly mitigate the risks.
Not every organisation has the resources or skillset to develop and run regular awareness programmes. Partnering with a managed service provider like BMIT can make all the difference to your security efforts. Contact us today for more information about our training and awareness programmes.
