Phishing - recognize and avoid the traps
Phishing is lucrative for fraudsters: if an employee falls for a seemingly legitimate email, the attackers gain access to sensitive data or accounts. No wonder phishing attacks are on the rise. Companies need a strategy to avoid falling into the trap.
One wrong click by a single employee can open the floodgates to cybercriminals: if an employee falls for a phishing email, they may, in the worst case, reveal sensitive credentials or enable the installation of ransomware. A recent example: when an employee at video game publisher Activision leaked a two-factor authentication code, the perpetrators gained access to sensitive employee data.
Phishing is a major problem for businesses. If their employees fall for it, they risk data loss, identity theft, or ransomware infection. According to Cisco’s 2021 Cybersecurity Threat Trends Report, 90 percent of successful data breaches begin with a phishing email. And attacks are on the rise: the Anti-Phishing Working Group (APWG) registered a new record for the number of attacks.
The problem is compounded by the fact that many employees do not recognize phishing attempts because the message appears to come from a legitimate source. Recognizing them is not always easy, as criminals use social engineering, incorporate current events, and make their messages look deceptively real to appear more credible. Some even use artificial intelligence and have ChatGPT write still more convincing messages. According to the Federal Office for Information Security, the creativity of phishing scammers is “almost limitless”.
Phishing, Spear Phishing & Co: The Types of Attack
In phishing, criminals use a variety of methods to trick victims, such as sending emails with links to spoofed websites that ask users to enter sensitive information, or asking them to open attachments containing malware such as ransomware.
Spear phishing is particularly difficult to detect, even for experienced users. In a standard phishing campaign, criminals send a large number of emails, hoping that a few recipients will fall for them. With spear phishing, they put much more effort into researching their targets to make the attack more credible, and then aim it at specific employees or teams within the organization.
A successful and sophisticated scam, about which the Austrian national security agency CERT and the consulting firm Certitude have warned, shows what this can look like. In recent months, employees at several companies in Germany and Austria have fallen for it:
The criminals tricked unsuspecting employees into transferring money to fake accounts, in some cases hundreds of thousands of euros. They targeted two companies at once. First, they requested outstanding invoices from customers in the name of a genuine supplier. Once they received them, they changed the bank details on the PDFs and sent them to the supplier. The scammers had previously researched the correct contacts and the form and style of typical emails.
How can companies protect themselves from phishing?
Companies need several lines of defense to fend off phishing attacks. These include technical measures and employee awareness. The following points should be observed:
- Create and train security awareness: Training employees to recognize phishing is a critical component of defense. Ongoing training is necessary to raise awareness and identify red flags. Phishing simulations are particularly effective because they simulate a typical attack.
- Optimize technical defenses: Minimize the number of phishing emails that reach inboxes in the first place. In addition to antivirus programs and firewalls, protection technologies include a secure email gateway, authentication protocols such as DMARC, DKIM, or SPF, and anti-phishing or advanced threat protection and prevention solutions. Spam filters use artificial intelligence to scan all incoming messages for suspicious patterns and links.
- Install updates and patches immediately: Keep your security software, operating system, applications, and browsers up to date. This will help prevent fraudsters from exploiting vulnerabilities and gaining access to systems.
- Set guidelines for strong passwords: Passwords should be different for each application to prevent data thieves from gaining unrestricted access. In general, passwords should be difficult to crack and meet minimum requirements.
- Implement multi-factor authentication: Requiring the entry of additional codes or the use of tokens makes it more difficult for criminals to access systems.
- Perform regular backups: Only by regularly backing up their data can companies recover from a phishing attack with ransomware.
- Secure home office devices: When employees use their own laptops and smartphones to work remotely, they need secure access to the corporate network, such as a VPN. Bring-your-own-device policies are essential.
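As an added example (not from the article) of how the DMARC, DKIM and SPF protocols named above fit together, the following Python evaluates DMARC identifier alignment for one received message: a message passes only if SPF or DKIM authenticated a domain that is aligned with the visible From: domain, otherwise the record's p= policy applies. The domains and DMARC records are constructed, and the organizational-domain helper is a simplification of the Public Suffix List lookup a real gateway performs.

```python
# Added example: DMARC alignment evaluation for one received message.
# Inputs (From: domain, SPF/DKIM outcomes, the sender domain's DMARC
# TXT record) are supplied by the caller; org_domain is a simplification
# of the Public Suffix List lookup a real mail gateway does.
from typing import Optional


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into {'v': 'dmarc1', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same
    organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(from_domain: str, record: str, spf_domain: Optional[str] = None,
                 spf_pass: bool = False, dkim_domain: Optional[str] = None,
                 dkim_pass: bool = False) -> tuple:
    """Return (disposition, reason): 'pass', or the record's p= policy
    ('none', 'quarantine', 'reject') when nothing authenticated aligns."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "aligned SPF" if spf_ok else "aligned DKIM"
    return tags.get("p", "none"), "no aligned authenticated identifier"


if __name__ == "__main__":
    # Constructed cases: a genuine bulk mailer, then a spoofed From: where the
    # sender's own domain passes SPF but is not aligned with the From: domain.
    print(dmarc_result("example.com", "v=DMARC1; p=reject",
                       spf_domain="bounce.example.com", spf_pass=True))
    print(dmarc_result("example.com", "v=DMARC1; p=reject",
                       spf_domain="other.example.net", spf_pass=True))
```

The second case is the one a gateway must catch: a valid SPF pass for an unrelated domain says nothing about the From: address the employee sees.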
Recognizing Phishing in Eleven Steps - These are the Typical Warning Signs
Phishing scammers are creative and constantly change their tactics. However, the German Federal Office for Information Security (BSI) advises that there are some basic signals that employees should look for and treat with suspicion:
- The email appears to be from a known person or organization, but the request is unusual or surprising.
- The message indicates an urgent need for action or even a threat.
- Employees are asked to enter, share or change confidential data.
- The email contains links or forms.
Employees should also examine the email itself carefully. The following signs should set off alarm bells:
- The greeting and signature are generic, or the sender is missing.
- Blurry or outdated images and logos.
- The URL or link contains extra characters or appears illogical.
- Incorrect spelling and grammar.
- The offer sounds too good to be true.
- The data does not match the information stored in the system, such as bank details.
- A phone call reveals that the actual customer or supplier did not send the email.
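As an added illustration (not from the article) of the link-related warning signs in the list above, this Python snippet pulls the links out of an HTML message body and flags a visible address that points to a different domain than its href, an IP-literal host, a punycode host, or a user@ prefix before the host. The sample body is constructed, and the organizational-domain helper is simplified to the last two labels.

```python
# Added example: triage of links in an HTML email body for the warning signs above.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")
HOST_SIGNS = [(r"^\d{1,3}(\.\d{1,3}){3}$", "ip-literal host"), (r"(^|\.)xn--", "punycode host")]

def org_domain(host):  # simplified: last two labels (real code uses the PSL)
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_warnings(href, text):
    """Warning signs for one link; an empty list means nothing looked odd."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    findings = [label for pattern, label in HOST_SIGNS if re.search(pattern, host)]
    if "@" in parsed.netloc:
        findings.append("userinfo before host")
    shown = DOMAIN_RE.search(text.lower())  # does the visible text name a domain?
    if shown and org_domain(shown.group(1)) != org_domain(host):
        findings.append("visible text names a different domain")
    return findings

def triage(html):
    """Map every href in the body to its list of warning signs."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: link_warnings(href, text) for href, text in parser.links}

# Constructed sample body, not a real message.
SAMPLE = ('<p>Your account is locked. Verify within 24 hours: '
          '<a href="http://www.example-bank.com.verify-now.example.net/a">'
          'https://www.example-bank.com/login</a> or '
          '<a href="http://198.51.100.7/login">click here</a>.</p>')
```

Running `triage(SAMPLE)` flags the first link because the address shown to the reader belongs to a different organizational domain than the one the link actually opens, and the second because it points at a bare IP address.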