Phishing click

An email with an intriguing subject line shows up in your inbox. You click on it because you’re curious and the sender seems trustworthy.

This is how most cyberattacks begin.

More than 99 percent of cyberattacks require human interaction to succeed.1 That puts email security at the top of an organization’s cybersecurity concerns.

Cybercriminals are hitting their targets by deceit to make recipients act irresponsibly, and during COVID they’re doing it more consistently and effectively than before.

“They quickly adapt and keep the number of targeted users low. This makes [phishing] hard to detect,” said Elie Bursztein, Anti-Abuse Researcher at Google. 2

Criminals are constantly developing and deploying different social engineering tactics to fool recipients. Google found that sixty-eight percent of phishing emails were new variations that had never been seen before. Furthermore, many of the phishing campaigns target just a few dozen individuals. So in a business, employees just can’t warn each other about a specific phishing attempt.

Cybercrime is constantly evolving to match changes in technologies. Being overconfident about your defenses or defensively underprepared is not a workable posture to take. Instead consider a proactive approach. Following are some email-triggered ploys and an apporach to lessen your risk.

Phishing Using Spoofing and Identity Deception

In a phishing attack criminals deploy social engineering tactics to bait users into clicking malicious links and so unknowingly giving up confidential information, like user credentials. Hackers work at assuming the identity of a trusted source, to make sure that it is you who lets them into the system. Once they’re in, they typically install malware on your company’s network, steal sensitive data, or lock systems until a ransom is paid.

Although these practices are not new – criminals have been employing similar tactics for decades – they continue to work! And data shows the threat of phishing goes unabated.3

Business Email Compromise (BEC) and Spear Phishing

A BEC scam is when an attacker hacks into an organization’s email account to impersonate employees  – especially executives and board members – with the purpose of defrauding the organization, its employees and/or stakeholders into sending money or revealing sensitive data.

Spear phishing is similar: an attacker fools a user by sending a malicious email that appears to be from any trusted source.

BEC attacks grew by almost 100 percent in 2019.4 Imagine the financial and reputational loss your organization would suffer if an attacker were to impersonate you and give fraudulent instructions in your name.

Malware and Viruses

Malware refers to any type of malicious software, regardless how it works. A virus is a specific type of malware that self-replicates after entering other applications. Both pose a threat to your business’ network. Ninety-two percent of malware is delivered through email.5

Ransomware

Phishing emails are sometimes used to distribute ransomware through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files. Average ransom demands were $178,254 in Q2 2020, sixty percent higher than Q1 2020 and they continue to escalate.6

And of course even if you pay the ransom, you have no guarantees the attackers would decrypt and restore your data, nor can you be certain the data will not be sold, exposed or targeted for a direct attack at some later date.

Employee Training through Phishing Simulation

If your employees have been taught how to identify suspicious emails, both within the work environment and in personal settings, the company will be much less likely to fall victim to these types of attack.

Phishing simulation training can help save money by cutting the number of breaches that need to be dealt with, the amount of downtime and hours spent on recovery, even the number of ransoms paid to criminals.

Phishing simulation training can help you better ensure the security of your customers’ data, which, in turn, helps to protect your company’s reputation.

Bryley has the training expertise and tools to lessen the risk your organization will suffer an incident. Equip your team with the tools you need them to have to detect and prevent cyberattacks.

Bryley Systems has been a trusted adviser in securing technology since 1987. If you would like more information about Bryley’s approach to phishing simulation training, please call 978.562.6077 or email ITExperts@Bryley.com.

1 ProofPoint’s Human Factor

2 https://security.googleblog.com/2019/08/understanding-why-phishing-attacks-are.html

3 2020 Verizon Data Breach Report

4 GreatHorn, 2019

5 CSO Online

6 Kaseya