by Eyal Aharoni
Whether you are a Cyber security professional or any other employee within an organization, you have probably heard the term “phishing” on and off over the past few years. You might have had face-to-face presentations, watched videos, seen slide decks, taken quizzes, or even had a few phishing drills to raise awareness to phishing attacks and prevent you from making the mistake of letting the Phishermen in.
In a recently published survey checking the phishing awareness practices in organizations, the majority reported doing an annual training to raise employees’ awareness, but less than 25% reported training on a quarterly or monthly basis. But just as we have come a long way and improved our awareness to phishing attacks and cyber security threats altogether, so did the cybercriminals. They have adjusted and improved their techniques and methods of bypassing people and technology to penetrate the organization and cause their damages.
We see on a daily basis, numerous phishing attempts being executed all over the world. Although it is hard to pinpoint the numbers and statistics, it’s common belief amongst security professionals that this is the most widely used attack vector today since it is so effortless and inexpensive. Threat actors are mimicking our most trusted brands and organizations such as technology solutions and services (Microsoft, Apple), Banks (Bank of America), payment services (PayPal), shipping and delivery companies (DHL), media services (Netflix) and social media platforms (Facebook). These attempts are not just relying on trusted brands alone to approach as a wolf in sheep’s clothing, they also try to play with our minds and emotions by using text which will trigger us to reply quickly and automatically, so the user won’t second guess whether this request is legitimate or malicious. The US CERT and FBI have recognized the importance of this matter and are trying to update whenever possible regarding new phishing attempts and send reminders prior to specific times of year like major holidays, tax season and even charity and natural disasters like Hurricane Florence.
Keep in mind that these phishing attempts are just the starting point of an attack used to “open the door” directly to the designated target or indirectly through a secondary target. From then on, the threat actor will try to scrape all information that can assist in his/her attack no matter the motives and outcome. The information collected could be related to identity authentication, technical information, business operations and strategy, etc. which all would assist the threat actor to continue its work on the target. This is than followed by a number of additional steps in the attack lifecycle. You can read more regarding the cyber-attack kill chain on our whitepaper regarding APT (link).
At the end of the day, threat actors have multiple motives driving them to perform such attacks with huge number of potential targets. They can perform these attacks very easily without major resource consumption (money and time) and that is what makes them so efficient and still the most used.
Below are some helpful tips to help prevent phishing attacks in your organization:
To test how well an organization holds up against phishing attacks and the rest of the cyber-attack kill chain, Cymulate’s Breach & Attack Simulation (BAS) platform offers several modules that are a great help for cybersecurity staff and IT teams. The phishing module tests if employees are vulnerable to (spear) phishing attempts and will click on malicious links or open suspicious attachments. The secure email module assesses the email security framework, while the secure web browsing module checks if the security solutions are working properly by preventing employees to reach phishing and other infected websites.
To learn more, why not ask for a free trial? Find out if your security products are working properly to defend you from known and unknown cyber threats.Keep cybersafe!