Chances are we all know someone who has fallen, or almost fallen, for a phishing attack. Most of us click DELETE as soon as we see a suspicious attachment or an unfamiliar tone of voice, or simply because we have an intuitive sense that something isn’t quite right. However, the problem with phishing isn’t our gullibility – that’s what cyber criminals want us to think. It’s the fact that phishing is almost too easy to execute, and here’s why.
The reason phishing is so prevalent is because of the following:
If a cyber criminal can put in less effort for a greater return, they’re going to do it, right? Because our digital footprints have grown in today’s era of social media, attackers can more easily harvest email addresses, filter them into a list of targets, and then manipulate victims – sometimes by spoofing a trusted sender – into handing over money or personal information. Where do we draw the line between what we can and can’t share online? We should be more cautious with our privacy settings.
Read more about our OSINTGlass services here.
Often cyber criminals host a website that mimics that of a well-known company. This inevitably comes with costs, but it’s cheaper than you may think – it can be as low as £7/$10 a month. Add to that the fact that sending out emails is absolutely free. Key information can therefore be delivered directly to one of the places we, as humans, look most often – our inbox – and the attacker then lets us do the “work” from there (a typical social engineering approach).
Cofense’s 2021 Annual Phishing Report showed that more than half of phishing emails are designed to steal user credentials. With the above in mind, it’s no surprise that cyber criminals take this route: if phishing pages are inexpensive to host and cheap to maintain, attackers can easily retool their malicious webpages to match their current goals, whether that is taking advantage of a global crisis or targeting a specific vulnerable persona.
Organisations must be increasingly wary of handing over personal information online and should ask themselves the following questions:
However, organisations must also be aware that training employees simply to avoid clicking links isn’t enough, and ultimately goes against our very instinct when using the internet. It is better to teach staff the tricks of the trade: how phishing tactics work in terms of timing, tone of voice, and so on. As humans, we’re good at spotting robots and obvious scams, but when social engineering tactics throw us off course, advanced anti-phishing solutions, such as MPDR, and threat analysis are needed above all else.
…and perhaps always will be. When responsibility or blame is pushed onto the individual for “falling for it”, rather than onto the threat actor, the individual is more likely to remain silent for fear of punishment. This creates a divide within targeted organisations and increases the time it takes to remediate the phish. This is when we need to come together and build our protections against cyber-attacks more than ever.
To avoid financial loss and keep your employees safe, make sure you’re taking the steps you need to understand what is at the root of phishing, how it is viewed amongst your employees, and what you can do to prevent it going forward.
Have a read of The Ultimate Phishing Guide to get started.
Or learn more about our MPDR service.