Phishing is one of the most common and most effective forms of cyberattack. At least 83% of all companies experience an attack each year, 2020 saw a 345% increase in phishing attacks, and the average cost of a single attack is $4.91 million. On top of that, these attacks are hard to stop with technology alone, because they exploit human trust and habit rather than a flaw in software.
“Phishers” send fraudulent emails, text messages, or website links that, once the victim acts on them (opens an attachment, follows the link, or types in a password), expose the individual or organization to credential theft, malware, ransomware, or other cybercrime. These attacks are particularly deceptive because attackers go to great lengths to pass as a trusted source, for example by sending a message that appears to come from the victim's manager or from a hijacked Facebook account. Once the victim has run the attachment or entered credentials on the attacker's page, the attacker may gain access to sensitive data such as internal email or credit card details, or may deploy ransomware and hold the organization hostage for payment.
But with consistent employee training and awareness, most phishing attempts can be recognized and stopped before they do harm. In this blog post, we take you through how you can reduce the frequency and damage of phishing attacks through education initiatives like phish testing.
Types of phishing attacks
It can be hard to stay ahead of these kinds of attacks as attack techniques and types can vary widely. Here are some common types of attacks your employees should be on the lookout for:
- Email phishing
Email phishing, also called bulk phishing, is the most common type of attack. Attackers send fraudulent emails that carry a malicious attachment or a link, disguised as routine messages from a legitimate source such as a well-known bank, a health insurance provider, or a large online retailer. The apparent legitimacy persuades recipients to open the attachment or follow the link. The link leads to a page that looks like the real site but is controlled by the attacker, and that page asks the user to enter a password or credit card details. The consequences can be severe: stolen funds, a hijacked account, or exposure of sensitive information.
Because the attack is conducted via email, this type of phishing attack has the potential to hit a large number of targets at once, such as a large customer base or company employees.
- Spear phishing
Unlike email phishing, where emails are sent in bulk to many targets at once, spear phishing hits a specific target. A spear-phishing attack can be hard to identify because the attacker often researches the victim extensively beforehand to make the lure convincing. Attackers may pull details from the victim’s social media accounts to craft a personalized message: the victim’s name, a recent event they attended, or a recent purchase. Building on that information, the fraudulent email may, for example, flag a problem with the purchase and direct the victim to a malicious link.
With a personalized and seemingly legitimate email, the victim is more likely to follow the directions of the email and unintentionally share sensitive information like credit card numbers or bank statements.
- Business email compromise (BEC)
Rather than targeting individuals, business email compromise aims to steal money or highly sensitive information from corporations and other organizations. A typical BEC attack either compromises the email account of a CEO or spoofs an address that closely resembles it, and then instructs lower-level employees to transfer company funds to an attacker-controlled bank account. Attackers may also target external vendors by compromising an employee’s account and asking the vendors to send payments to a fraudulent account. Because a BEC email usually carries no attachment or link at all, just a plausible request, it slips past filters that look for malware.
- Whale phishing
Whale phishing shares features of both spear phishing and BEC. Like spear phishing, and unlike bulk email phishing, it targets one carefully researched individual. Unlike ordinary spear phishing, the target is specifically a senior executive.
Because senior executives are involved, whaling resembles BEC, but the roles are reversed. In BEC, the attacker impersonates an executive to make lower-level staff act on a fraudulent email. In whaling, the executive is the victim: the attacker poses as a customer, a bank, or a law firm serving a subpoena, and tricks the executive into wiring money, providing bank details, or sharing company information. In other words, whaling attackers do not pretend to be the executive, as BEC attackers do; they work to make the executive take an action that exposes the organization.
A common theme across all of these attack types is that they target people, usually employees who have not been taught what to look for. Because phishing exploits human trust rather than a software flaw, technical controls such as email filtering and multi-factor authentication must be paired with education and employee awareness, and the most effective way to educate your employees about phishing attacks is what’s called “phish testing”.
Increase phishing attack awareness with phish testing
Phish testing simulates phishing attacks so that employees get exposure to these attacks in a safe setting. For example, during a phishing simulation the organization sends its own employees emails that mimic a real lure and records who opens them, who clicks the link, who enters credentials on the landing page, and who reports the email. The aim is to give employees enough practice that the next time they encounter a real phishing attack, they spot it before damage is done.
Some common signs to look for in a phishing email include:
- Spelling mistakes and poor grammar
- Impersonal, vague, and generic messages and greetings (“Dear Customer”)
- Unusual or urgent requests, such as requests for money, credentials, or other sensitive information
- Suspicious-looking links, for example where the visible link text and the actual destination differ
- Misspellings or lookalike characters in the sender’s email address or domain
These are only some of the signs of phishing attempts. There are many others, and some can be particularly hard to identify because phishers regularly change techniques. The absence of these signs does not make an email safe: well-funded attackers and automated text generation produce flawless copy, so a polished email with the correct greeting still deserves scrutiny whenever it asks for credentials or money.
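Most of the signs above can be checked mechanically, which is how a mail gateway or a "report phishing" add-in triages a message before a human looks at it. The following is an added example, not code from the original post or from any product it names: it scans one RFC 5322 message for a lookalike sender domain, a display name that borrows a trusted brand, a Reply-To that routes answers elsewhere, a generic greeting, urgency wording, and links whose visible text disagrees with their destination. TRUSTED_DOMAINS, the keyword lists, the 0.8 similarity threshold and both sample messages are constructed for the demo.

```python
"""Heuristic checks for common phishing signs in one email message.

Added example; not part of the original post or any product it mentions.
TRUSTED_DOMAINS, the keyword lists, the 0.8 threshold and both sample
messages below are constructed for the demo.
"""
from __future__ import annotations

import email
import re
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# Domains this (hypothetical) organisation treats as legitimate senders.
TRUSTED_DOMAINS = sorted({"examplebank.com", "corp.example"})
URGENCY = re.compile(r"\b(urgent|immediately|suspended|verify your account|wire transfer|gift card)\b", re.I)
GREETING = re.compile(r"\bdear (customer|user|member|sir|madam|valued)", re.I)
HREF = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL = re.compile(r"https?://[^\s\"'<>]+")
TAG = re.compile(r"<[^>]+>")


def registrable(host: str) -> str:
    """Last two labels of a host ('mail.examplebank.com' -> 'examplebank.com').
    Simplification: production code uses the Public Suffix List so that
    'foo.co.uk' is not collapsed to 'co.uk'."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike(domain: str) -> Optional[str]:
    """Trusted domain that `domain` closely resembles without equalling, else None.
    'examp1ebank.com' vs 'examplebank.com' scores about 0.93; unrelated names score far lower."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if SequenceMatcher(None, domain, trusted).ratio() >= 0.8:
            return trusted
    return None


def check_message(raw: str) -> list[tuple[str, str]]:
    """Return (sign, detail) pairs for every phishing sign found in the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.partition("@")[2]) if "@" in addr else ""

    # Misspelt or lookalike sender domain.
    hit = lookalike(sender_domain)
    if hit:
        findings.append(("lookalike-sender", f"{sender_domain} resembles {hit}"))

    # Display name borrows a trusted brand while the address lives elsewhere.
    if sender_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in name.lower():
                findings.append(("display-name-mismatch", f"{name!r} sent from {sender_domain}"))
                break

    # Reply-To sends answers to a different domain than the From address.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and registrable(reply.partition("@")[2]) != sender_domain:
        findings.append(("reply-to-mismatch", reply))

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = msg.get("Subject", "") + "\n" + TAG.sub(" ", html)

    # Generic greeting and urgency / unusual-request wording (subject included).
    if GREETING.search(text):
        findings.append(("generic-greeting", GREETING.search(text).group()))
    if URGENCY.search(text):
        findings.append(("urgency", URGENCY.search(text).group()))

    # Links whose visible text names one host while the href goes to another,
    # or whose destination is itself a lookalike of a trusted domain.
    for href, label in HREF.findall(html):
        target = registrable(urlparse(href).hostname or "")
        shown = URL.search(TAG.sub("", label))
        if shown and registrable(urlparse(shown.group()).hostname or "") != target:
            findings.append(("link-mismatch", f"text {shown.group()} -> {href}"))
        elif lookalike(target):
            findings.append(("lookalike-link", href))
    return findings


# Constructed samples: one lure and one legitimate internal mail.
PHISH = """\
From: "ExampleBank Security" <alerts@examp1ebank.com>
Reply-To: support@examp1ebank-help.net
To: jane@corp.example
Subject: Urgent: your account is suspended
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p>
<p>Your account is suspended. Verify your account immediately:
<a href="http://examp1ebank.com/login">https://examplebank.com/secure</a></p>
"""
LEGIT = """\
From: "HR Team" <hr@corp.example>
To: jane@corp.example
Subject: March payslip available
Content-Type: text/html; charset="utf-8"

<p>Hi Jane,</p>
<p>Your March payslip is in the portal:
<a href="https://corp.example/payslips">https://corp.example/payslips</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, check_message(sample))
```

Run stand-alone, it lists six findings for the constructed lure and none for the payslip mail. Treat the output as triage hints rather than a verdict: a well-crafted lure can pass every one of these checks, which is exactly why the human training described here is still needed.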
By taking a human-centered security approach, with emphasis on training employees about the signs of a phishing attack, the security risks posed by phishing attacks can be greatly reduced.
Creating effective phishing tests
Here are some ways that you can get the most from phish testing.
Implement variation. You want to change the nature of the tests often to expose your employees to varied situations and differing attack techniques. The simulations should also resemble real attacks as much as possible.
Train employees frequently and consistently. You should conduct tests on a frequent and regular basis to keep employees up-to-date and aware of changes in the attack landscape.
Measure the outcome of the simulation. Track indicators such as the click rate (how many recipients followed the link), the submission rate (how many entered credentials or otherwise complied with the email’s request), and, most importantly, the report rate and how quickly the first report reached the security team. A user who clicks and then reports is a far better outcome than one who does nothing, because that report is what gives the security team a lead during a real attack.
Adopt software that specializes in phish testing. Such software tracks user behavior in real time so you can tailor the training program to what it finds, and it usually ships a “report phishing” button that integrates with existing email clients.
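To make the measurement step concrete, here is an added example (not from the post or from any phish-testing product) that reads a campaign event export and computes per-department click, submission and report rates, the median time to report, and how long the security team waited for the first report. The CSV export, its column names and the event names are constructed for the demo.

```python
"""Scoring a phish-testing campaign from its event export.

Added example; not from the original post or any vendor product. The CSV
below, its columns and event names are constructed for the demo.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed export: one row per event, timestamps in UTC (ISO 8601).
EVENTS_CSV = """\
campaign,user,dept,event,ts
Q1-invoice,alice,finance,sent,2024-03-04T09:00:00
Q1-invoice,alice,finance,clicked,2024-03-04T09:07:12
Q1-invoice,alice,finance,submitted,2024-03-04T09:07:40
Q1-invoice,bob,finance,sent,2024-03-04T09:00:00
Q1-invoice,bob,finance,reported,2024-03-04T09:03:05
Q1-invoice,carol,eng,sent,2024-03-04T09:00:00
Q1-invoice,carol,eng,clicked,2024-03-04T10:15:00
Q1-invoice,carol,eng,reported,2024-03-04T10:16:30
Q1-invoice,dave,eng,sent,2024-03-04T09:00:00
Q1-invoice,erin,eng,sent,2024-03-04T09:00:00
Q1-invoice,erin,eng,reported,2024-03-04T11:00:00
"""


def load_events(text: str) -> list[dict]:
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows


def score(rows: list[dict], campaign: str, group_by: str = "dept") -> dict:
    """Rates per group for one campaign, plus how fast the first report arrived."""
    first = defaultdict(dict)   # user -> {event: earliest timestamp}
    group_of = {}
    for r in rows:
        if r["campaign"] != campaign:
            continue
        group_of[r["user"]] = r[group_by]
        seen = first[r["user"]]
        seen[r["event"]] = min(seen.get(r["event"], r["ts"]), r["ts"])

    groups = defaultdict(list)
    for user, group in group_of.items():
        groups[group].append(user)

    result = {"groups": {}, "minutes_to_first_report": None}
    all_delays = []
    for group, users in sorted(groups.items()):
        sent = [u for u in users if "sent" in first[u]]

        def rate(event: str) -> float:
            return sum(1 for u in sent if event in first[u]) / max(len(sent), 1)

        # Minutes from delivery to report. Reporting after a click still counts:
        # it is the report that gives the SOC a lead in a real attack.
        delays = [(first[u]["reported"] - first[u]["sent"]).total_seconds() / 60
                  for u in sent if "reported" in first[u]]
        all_delays += delays
        result["groups"][group] = {
            "sent": len(sent),
            "click_rate": rate("clicked"),
            "submit_rate": rate("submitted"),
            "report_rate": rate("reported"),
            "median_minutes_to_report": median(delays) if delays else None,
        }
    if all_delays:
        result["minutes_to_first_report"] = min(all_delays)
    return result


if __name__ == "__main__":
    print(score(load_events(EVENTS_CSV), "Q1-invoice"))
```

For the constructed data, finance shows a 50% click and submission rate but a report within about three minutes, while engineering clicked less yet reported more slowly. Both numbers matter: the click rate tells you who needs training, the time to first report tells you how long a real lure would sit in mailboxes before the security team hears about it.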
Using SIEMs to prevent phishing attacks
Besides training through phishing tests, another essential layer of defense is a detection and response tool such as a SIEM.
A SIEM does not itself read or block email; that is the job of the email gateway. What it does is collect the logs a phishing attack leaves behind (email gateway verdicts, web proxy requests, authentication events) and correlate them, so that a suspicious email, a click on its link, and a login from an unfamiliar address a few minutes later surface as one incident rather than three unrelated log lines. Some products add threat-intelligence feeds of known phishing domains and machine-learning scoring on top of that data. SIEM software like Seculyze automates the first response steps so that the security team can react to a phishing incident quickly.
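What such a correlation rule looks like in practice, as an added example that is not the post's or Seculyze's code: the three log sources, the trusted-host list and the time windows are constructed assumptions. Each lure delivered with a link to an unvetted host opens a low-severity alert; a proxy hit from the same user on that host raises it to medium; a successful login shortly afterwards from an address the user had never used before the mail arrived raises it to high.

```python
"""Correlating a phishing lure across email, proxy and authentication logs.

Added example; not the original post's or Seculyze's code. The three logs,
KNOWN_GOOD_HOSTS and the time windows are constructed assumptions.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# Hosts the organisation vouches for; a link to anything else is tracked.
KNOWN_GOOD_HOSTS = {"intranet.corp.example", "corp.example"}

# Constructed email-gateway log: (ts, recipient, sender domain, host in the link).
MAIL_LOG = [
    ("2024-03-04T09:00:10", "alice", "examp1ebank.com", "examp1ebank.com"),
    ("2024-03-04T09:00:12", "bob", "examp1ebank.com", "examp1ebank.com"),
    ("2024-03-04T09:05:00", "carol", "corp.example", "intranet.corp.example"),
]
# Constructed web-proxy log: (ts, user, host, path).
PROXY_LOG = [
    ("2024-03-04T09:06:00", "carol", "intranet.corp.example", "/"),
    ("2024-03-04T09:07:12", "alice", "examp1ebank.com", "/login"),
]
# Constructed identity-provider log: (ts, user, source ip, outcome).
AUTH_LOG = [
    ("2024-03-04T08:30:00", "alice", "203.0.113.10", "success"),   # alice's usual address
    ("2024-03-04T09:40:00", "alice", "198.51.100.77", "success"),  # new address, after the click
    ("2024-03-04T09:41:00", "bob", "203.0.113.11", "success"),
]


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def correlate(mail_log, proxy_log, auth_log,
              click_window=timedelta(hours=2), login_window=timedelta(hours=1)) -> list[dict]:
    """One alert per delivered lure, escalated by what the other logs show."""
    alerts = []
    for m_ts, user, sender, host in mail_log:
        m_at = ts(m_ts)
        if host in KNOWN_GOOD_HOSTS:
            continue
        alert = {"user": user, "sender": sender, "host": host, "severity": "low",
                 "evidence": [f"lure delivered {m_at.isoformat()}"]}

        # Stage 2: the recipient browsed to the lure host soon after delivery.
        clicks = [ts(p) for p, u, h, _ in proxy_log
                  if u == user and h == host and m_at <= ts(p) <= m_at + click_window]
        if clicks:
            click_at = min(clicks)
            alert["severity"] = "medium"
            alert["evidence"].append(f"clicked {click_at.isoformat()}")

            # Stage 3: a successful login, shortly after the click, from an
            # address this user had never used before the lure arrived.
            baseline = {ip for a, u, ip, out in auth_log
                        if u == user and out == "success" and ts(a) < m_at}
            for a, u, ip, out in auth_log:
                if (u == user and out == "success" and ip not in baseline
                        and click_at <= ts(a) <= click_at + login_window):
                    alert["severity"] = "high"
                    alert["evidence"].append(f"login from new address {ip} at {a}")
                    break
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in correlate(MAIL_LOG, PROXY_LOG, AUTH_LOG):
        print(alert["severity"], alert["user"], alert["evidence"])
```

With the constructed logs, alice's alert ends up high (lure, click, then a login from a new address), bob's stays low (the lure was delivered but never clicked, so the mail can simply be pulled from his mailbox), and carol produces nothing because the link pointed at a vetted host. Real rules would also weight the gateway's own verdict, domain age and geolocation, but the shape stays the same: the SIEM's value is in joining the sources, not in reading the mail.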
Email filtering and the SIEM together form the technical line of defense: the filter stops what it can before a message reaches the user, and the SIEM catches and responds to what slips through. Because some phishing will always get past both, it is imperative that users know the signs of a phishing attack and what to do when they see one. Phish testing is the most effective way to teach them that. By following the steps in this blog post, you can prepare your employees to respond well when a real phishing email arrives.