Are Phishing Attacks still a threat?
With a third of all data breaches last year down to phishing – yes. This oddly named form of cyber-attack remains a big threat to users everywhere. For those who don’t know, phishing is where a user is duped into handing over personal and private data via a fake email or malicious link. It’s called phishing for a good reason.
Hackers, who have historically exchanged f for ph, are actually ‘fishing’ for data. And just like fishing, they may have to wait a while for someone to catch the bait but eventually, someone will.
It’s been around for ages and due to the seemingly low-tech nature of it, some may think it’s a thing of the past. After all, surely people aren’t so easily duped…
Thing is, as time goes on it’s the more high-tech threats that we are able to defend against due to advancements in software. Once we’ve worked out what a certain virus looks and acts like, we can immunise against it.
On the other hand, it’s a lot harder to defend against basic human mistakes. Because of this, phishing, which relies on exactly these mistakes to succeed, remains one of the highest causes of data breaches. According to the Verizon data breach survey, 32% of all recorded breaches involved phishing.
Whether through emails, mobiles or dodgy links any user is theoretically at risk, no matter how safe they think they are. Here’s the low down.
Data is money
As we mentioned in a previous blog post, the goal for most hackers is not to cause havoc but rather to take your money. 71% of all data breaches were financially motivated last year.
And today, data is money. Many are saying that personal data is now a more valuable commodity than oil. Therefore, no matter how big or small your company, your data is an attractive prospect to cybercriminals.
Phishing remains the most common form of cyber-attack partly because it is one of the easiest ways for hackers to access your data. Some phishing attacks even aim to get malware onto your computer so that your data can be farmed.
How they get in.
There are a few different ways in which phishing attacks happen.
- Email phishing
The most common form of phishing and theoretically the least dangerous. These emails will attempt to mimic actual emails from a real organisation, to varying degrees of success.
If the hackers are serious, they will go to great lengths mimicking the language, typefaces, logos and more of a company, all to convince you it’s the real deal.
There will always be some form of call to action and a reason why you should click the link urgently. It may try to convince you that a subscription is about to expire, a password has been compromised or your details need updating.
Hackers will spread a pretty wide net on the basis that although most won’t fall for it, some will be caught. Even if 1000s of emails are sent out and only 1% of recipients click on the link, that’s still some valuable data they’ve been able to snatch.
- Spear attacks
Spear attacks may arrive in your inbox as well but these are more targeted, as the name suggests.
These will be more direct, maybe including names and other personal details in the body of the email. Research will have been done on the company and maybe even on the user so that the email comes across as more convincing.
A spear attack may involve the sender posing as someone within the company asking the user to provide login details. Once the hacker has these, they can find their own way into the company.
Not necessarily a specific method but rather a means through which phishing attacks can be successful. Indeed, mobile attacks were up in the last year.
Users are more vulnerable when accessing a phishing email or link on their mobile for a number of reasons. For one, the screen size is smaller, so less information is visible to the user. A lot of web pages are less clear on mobile, so spoofs can appear a lot more convincing.
As well as this, mobile phones are often used whilst doing something else: walking to work, looking at another screen, on the toilet…
As a result, users are more distracted and more susceptible to clicking on a malicious link or mistaking the legitimacy of a source of information.
How to avoid
The individual user at a company is the weak link when it comes to this form of attack. It is through direct communication with them that hackers can get access to your company’s data. So it’s mainly through them that you can protect your company.
Smaller businesses may think they’ll be alright, that no one would target their small team. The reality is that you are just as at risk as any other business, partly as a result of this assumption.
Training your staff to look out for phishing emails should be a priority. The reality is most of them should be pretty easy to spot. Most phishing emails are laughably bad at mimicking what they’re trying to fake. They will often have bad grammar, poor design and lack many of the design elements that you would expect to see in a usual email. The address of both the sender and the link will also be wrong, so paying attention to details like this is important.
At the end of the day, you have to ask questions about why you are receiving this email. Are the claims made true? Is it really as urgent as they’re making it out to be? How likely is it that you would normally even receive an email like this?
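The checks described above (sender address, link address, urgent call to action) can also be run automatically. The following Python sketch is an added example, not part of the original post; the function names, the `.example` domains and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Urgency cues of the kind the article describes (expiry, compromise, "urgently").
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|expir\w+|compromised)\b", re.I)
# Simplified anchor matcher, adequate for the constructed samples below.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>\s*(.*?)\s*</a>', re.I | re.S)

def host(url):
    # Lower-cased hostname of a URL or of a bare "www.site/path" string.
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def belongs_to(hostname, domain):
    # True only for the domain itself or one of its real subdomains.
    return hostname == domain or hostname.endswith("." + domain)

def check_email(raw, expected_domain):
    """Return warnings for one raw message claiming to come from expected_domain."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not belongs_to(sender, expected_domain):
        findings.append(f"sender domain is {sender}")
    for href, text in ANCHOR.findall(body):
        if not belongs_to(host(href), expected_domain):
            findings.append(f"link goes to {host(href)}")
        # Visible text that looks like an address but differs from the real target.
        if "." in text and " " not in text and host(text) != host(href):
            findings.append(f"link text {text} hides {host(href)}")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        findings.append("urgent call to action")
    return findings

# Constructed samples (.example is a reserved test domain).
PHISH = """From: Example Bank <security@examplebank-alerts.example>
Subject: Urgent: your password has been compromised

<p>Update your details <a href="http://examplebank.example.login-check.example/update">www.examplebank.example</a></p>
"""
LEGIT = """From: Example Bank <news@mail.examplebank.example>
Subject: Your monthly statement

<p><a href="https://www.examplebank.example/statements">View your statement</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, check_email(raw, "examplebank.example"))
```

The link in the first sample starts with the genuine name but actually belongs to a different domain, which is why the comparison is made on the end of the hostname rather than the start.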
- Spam filters
Ensure that your company has sufficient anti-virus software and web filters that would at least be able to detect and redirect you from malicious links.
We thoroughly recommend Mimecast, a market-leading cybersecurity software that offers email security. This would act as a filter for any malicious emails entering into your network ensuring that the majority of spam never enters your inbox.
Make sure that your computer is completely secure from everything other than human error.
And even in the event of that happening…
- Multi-factor Authentication
Last time we spoke about the importance of multi-factor authentication. One reason to have this is so that if some of your data was stolen through a phishing attack, it would be a whole lot less useful to a hacker.
If they only have one factor in the chain, they will be unable to authenticate, because all factors are required, whether that’s another piece of knowledge or an inherent factor to the user, like a fingerprint.
You can add an extra layer of protection to your organisation by not leaving all the cards on the table.
So, stay vigilant – there’s danger out there but data breaches are avoidable.
If you want more information about the solutions we offer including the Mimecast software then get in touch today.