Phishing – facts and statistics

Phishing is an ever-prevalent cyber threat that can affect anyone who uses some form of digital communication – effectively everyone using mobile phones and/or computers in today’s world.

Furthermore, dealing with the threat of phishing is no longer the sole responsibility of IT security teams; it is now also the responsibility of all end-users, who need to avoid falling prey to these schemes.

In this regard, knowledge becomes power as organisations come under scrutiny regarding the policies they have implemented to prevent cyber security incidents that may expose private data. Phishing also affects non-corporate or home users, potentially allowing threat actors to compromise personal banking and social media accounts, which can in turn expose any linked corporate credentials.

Phishing continues to grow and evolve at an alarming rate worldwide and is a leading cyber threat. According to Mimecast, an email security provider, phishing remains one of the greatest threats to cybersecurity among organisations of all sizes. Roughly 78 billion emails are sent worldwide every day, of which approximately 84% are spam. Phishing relies on deception, and cyber criminals are becoming more sophisticated and capable in running the effective campaigns and techniques their attacks require.

The pivot to remote working during the COVID-19 pandemic has also brought a steep increase in phishing attacks around the world, with a 64% increase in email threats during 2020. According to Mimecast’s State of Email Security 2021 report, 40% of companies surveyed said their email security was falling short and 13% said they had no email security system in place at all. The following are the key phishing attack methods:

  • Email phishing:
    As the original phishing scam, email phishing involves spamming email accounts with messages designed to trick users into clicking malicious links, disclosing personal information and/or transferring funds.
  • Spear phishing:
    This type of phishing is a targeted attack that incorporates personal information scraped from public online sources such as social media accounts (e.g. Facebook or LinkedIn). The emails are then crafted to resemble, to a certain degree, legitimate communications from a colleague or client, and may also contain links to external malicious content.
  • Whaling:
    Whaling is a type of spear phishing that targets CEOs, CFOs, CIOs or other “big fish” with emails from impostors asking for sensitive data, requesting payment of fake invoices or the reallocation of funds.
  • Smishing and vishing:
    Smishing (SMS phishing) and vishing (voice phishing, such as robocalls) are techniques that target mobile devices using text messages, SMS or voice messages.
  • Angler phishing:
    Angler phishers are threat actors who monitor chats or forums on legitimate websites and intercept victims by pretending to be support agents. People trying to resolve a problem are usually willing to give out more personal information and to permit access to their devices, and angler phishing attacks exploit exactly that willingness.

Example of a dangerous Phishing email

Over the past few months, we’ve seen many phishing email campaigns, but none as persistent and well executed as this particular one. The campaign mimics Standard Bank and targets a variety of people, account holders or not, promising unbelievable amounts of loyalty points, seemingly out of nowhere.

The emails were made to look as if they originated from the info@standardbank.co.za account but, on further investigation, were found to have been distributed by a server and services outside South Africa.

The trick with this one is to get the viewer (potential victim) to click the ‘Login Now’ link in order to claim their supposed rewards. The viewer is instead redirected to a third-party website controlled by the threat actor, where their banking credentials are stolen. Without a second glance, people could easily mistake this for a legitimate email from Standard Bank and fall victim to identity theft or have their bank account(s) drained. These campaigns and techniques also appear to be exceedingly effective because many people currently face financial instability caused by the COVID-19 pandemic and are looking for opportunities to recover.
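The two tell-tale signs described above, a sender that does not match where the mail actually came from and a ‘Login Now’ link that leaves the claimed sender’s domain, can be checked mechanically. The following is an added example, not code from the original article or from Standard Bank or Mimecast; it uses a constructed sample message in which every host, address and URL is a placeholder, and it uses the Return-Path header as a simplified stand-in for the fuller header investigation the article describes.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the campaign described above; every host,
# address and URL here is a placeholder, not a real indicator.
SAMPLE_EML = """\
Return-Path: <bounce@mail-relay.example.net>
From: Standard Bank <info@standardbank.co.za>
Content-Type: text/html; charset=utf-8

<html><body><p>Your loyalty points are waiting.</p>
<a href="http://rewards-claim.example.net/login">Login Now</a></body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _domain(addr):
    # Lower-cased domain part of a header such as 'Name <user@host>'.
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()

def analyse(raw):
    """Return findings for one raw message; an empty list means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings, from_dom = [], _domain(msg.get("From", ""))
    ret_dom = _domain(msg.get("Return-Path", ""))
    # Check 1: the envelope sender should belong to the displayed From domain.
    if ret_dom and ret_dom != from_dom and not ret_dom.endswith("." + from_dom):
        findings.append(f"sender mismatch: From {from_dom}, Return-Path {ret_dom}")
    # Check 2: every link should stay within the claimed sender's domain.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = LinkCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            host = (urlparse(href).hostname or "").lower()
            if host and host != from_dom and not host.endswith("." + from_dom):
                findings.append(f"link '{text}' goes to {host}, not {from_dom}")
    return findings
```

Run against the sample, `analyse(SAMPLE_EML)` reports both the sender mismatch and the off-domain ‘Login Now’ link; a message whose Return-Path and links stay on standardbank.co.za produces no findings.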

According to Mimecast’s phishing statistics and trends, January 2021 broke monthly records for phishing worldwide, with 245,771 attacks reported to the Anti-Phishing Working Group (APWG). Many organisations reportedly suffered multiple attacks last year, and 70% of them expect their business to be disrupted this year by an email-borne cybersecurity threat. Defenders are also still playing catch-up with the bad guys. Only 45% of respondents felt confident that all employees in their organisation could recognise phishing emails, and their confidence fell to 34% when asked about their ability to spot smishing, vishing, rogue apps and malicious pop-up ads online. Furthermore, only 16% of organisations managed to get through the past year (2020) without experiencing at least one phishing or ransomware incident.

According to the Cost of a Data Breach Report 2020 by the Ponemon Institute, the global average total cost of a data breach to a business is about $3.86M. As breaches get larger, so do the costs: a loss of 1 million to 10 million records costs an organisation $50M on average, and one involving 50 million records or more can cost about $392M.

The key methods to prevent phishing attacks include the following:

  • Security awareness training
    Teach staff how to identify phishing emails and to avoid clicking suspicious-looking links or attachments, especially when the emails make vague references to payments and invoices.
  • Random phishing defence drills
    Occasionally perform authorised drills in which phishing-like emails are sent to test staff awareness. This helps ensure that people are aware of new techniques and can correctly tell real emails from fake ones.
  • Install email filters
    Implement email filtering solutions on email servers (or in the cloud), along with protection software that blocks unsafe websites and other online threats.
  • Update devices regularly
    Keep all devices on the network, and the software installed on them, up to date, including devices that are no longer in use but are still connected to the network. Outdated software is one of the major causes of data breaches and hacks, and cyber criminals take advantage of it.