April 25, 2023
Phishing – how to deal with it?


Phishing is a form of social engineering where attackers deceive people into revealing sensitive information or installing malware such as ransomware.
Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim is navigating the site and to traverse any additional security boundaries together with the victim. As of 2020, it is the most common type of cybercrime, with the FBI’s Internet Crime Complaint Center reporting more incidents of phishing than any other type of computer crime.
The term “phishing” was first recorded in 1995 in the cracking toolkit AOHell, but may have been used earlier in the hacker magazine 2600. It is a variation of fishing and refers to the use of lures to “fish” for sensitive information.
Measures to prevent or reduce the impact of phishing attacks include legislation, user education, public awareness, and technical security measures. The importance of phishing awareness has increased in both personal and professional settings, with phishing attacks among businesses rising.
Phishing attacks, often delivered via email spam, attempt to trick individuals into giving away sensitive information or login credentials. Most attacks are “bulk attacks” that are not targeted and are instead sent in bulk to a wide audience. The goal of the attacker can vary, with common targets including financial institutions, email and cloud productivity providers, and streaming services. The stolen information or access may be used to steal money, install malware, or spear phish others within the target organization. Compromised streaming service accounts may also be sold on darknet markets.
This kind of social engineering attack involves sending fraudulent e-mails or messages that appear to come from a trusted source, such as a bank, Amazon, or a government agency. These messages typically contain a link or attachment that, when clicked, installs malware on the targeted device or redirects the victim to a fake login page imitating a trusted website, where they are prompted to enter their login credentials.
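The two tell-tale signs described above (a link whose visible text names one site while the target points elsewhere, and a target domain that imitates a trusted brand) can be checked mechanically before a message reaches a user. The following Python script is an added example written for this page, not code from the original article or its author: it parses the links out of an HTML e-mail body and flags those that mismatch or look like a trusted domain. The `TRUSTED_DOMAINS` set and the sample message are constructed for the example; a real deployment would populate the set from the organisation's own list of brands and partners.

```python
"""Flag suspicious links in an HTML e-mail body (added defensive example).

Two checks are performed on every <a href="..."> element:
  1. display-text mismatch: the visible text is a URL or domain whose
     registrable domain differs from the registrable domain of the href;
  2. lookalike target: the href's host contains a trusted brand name or is
     within edit distance 2 of a trusted domain, without being that domain.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation treats as trusted (assumed values for this example).
TRUSTED_DOMAINS = {"example-bank.com", "amazon.com"}

# Visible link text that itself looks like a URL or bare domain.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL, or of bare link text such as 'bank.com/login'."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of a hostname (simplification: ignores multi-label TLDs)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squats such as amaz0n.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the trusted domain that `host` imitates, or None if it is clean."""
    dom = registrable_domain(host)
    if dom in TRUSTED_DOMAINS:
        return None  # the genuine site (or one of its subdomains)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host or edit_distance(dom, trusted) <= 2:
            return trusted
    return None


def analyze_email(html_body):
    """Return a list of findings; an empty list means no link was flagged."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        reasons = []
        if URL_LIKE.match(text) and registrable_domain(host_of(text)) != registrable_domain(target):
            reasons.append(f"display text points to {host_of(text)} but link goes to {target}")
        imitated = lookalike_of(target)
        if imitated:
            reasons.append(f"{target} looks like {imitated}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message: one link with mismatched text on a lookalike host,
# one genuine link, and one typo-squatted link.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been blocked.</p>
<p><a href="http://example-bank.com.login-verify.net/reset">https://example-bank.com/login</a></p>
<p>See our <a href="https://www.example-bank.com/help">help pages</a>.</p>
<p><a href="http://amaz0n.com/order">View order</a></p>
"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The brand-substring rule is deliberately broad (a legitimate related domain such as a vendor's CDN would also be flagged), which is the right trade-off for a tool that only marks messages for review; add such domains to `TRUSTED_DOMAINS` rather than loosening the check.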
- Did you know that one of the main vectors of attacks on IT systems is fake e-mails?
- Check if your employee clicks on a fake link
- Check if your employee gives the fraudster login details to your systems
- Check if your company is resistant to social engineering attacks
Facts:
- In 2022, cybersecurity researchers reported a 48% increase in mailbox attacks. And 70% of these attacks involved phishing of credentials.
- Over 90% of successful attacks on IT systems started with an e-mail with a fake link.
- Almost 1.2% of all e-mails sent are malicious messages
- Even IT staff click on fake links. Awareness and resilience of companies are still grossly low.
- Even the best e-mail security systems cannot block 100% of fake messages.
What can clicking on a fake link result in?
- Stealing money from your account
- Phishing of username and password
- Encryption of company computers
- Blocking the operation of all or part of IT systems
- Interruption of business and service continuity.
- Identity theft
- Breaking into IT systems, a complete takeover of systems
- Spying on all employees’ operations on the computer, phone
- Theft of confidential information
- Theft of credit card details
- Taking over access to an account on a social networking site
- Stealing customer data and making it public
- Penalties related to liability for breaching the security of personal data and company secrets.
- Loss of confidence in the market
- Reputation drop
What can a fake e-mail contain?
- Information that a colleague shared a file
- Information about blocking access to electronic banking
- Shipment notification from the courier company
- Information about the need to pay tax
- A false invoice from the utility company
- Information about the need to reset the password to the account on the social networking site
- And many others…
- There may also be fake, drop-off USB drives that infect computers
What can we do to protect you and your assets?
- As part of our service, we prepare an awareness campaign that sends several (1-4) e-mails that look like real phishing e-mails to all employees. The content of each e-mail is prepared so that it is targeted at the company’s employees. After clicking on the link, the employee sees a fake login page, which lets us check whether they would hand their data to cybercriminals.
- We can attach a fake attachment to an e-mail and then verify that the employee has opened it
- All of the above actions are the same as in a real attack. Except that it takes place under controlled conditions, and no data on usernames and passwords are collected or transferred to anyone. We only collect information on which employees can be deceived during an attack.
- At the end of the collection period, we generate a report of who clicked on the fake link and who entered their credentials on the fake page.
- When an employee clicks on a fake link, the relevant information page can be displayed, resulting in immediate and highly effective training.
- It is also possible to prepare a special file, which can then be placed on a portable drive and delivered, for example, to the office. Each time an employee opens the file, it is reported immediately.
- Repeated, cyclical and well-thought-out, properly planned campaigns allow you to consolidate correct habits even in the most resistant employees
- Cyclic activities show the progress of increasing awareness and, thus, the company’s resistance to phishing attacks
Additional info:
Experience shows that awareness campaigns result in a significantly reduced click-through rate after each subsequent campaign. An employee who has made a mistake becomes more vigilant and more resistant to social engineering attacks.
Phishing training for employees is one of the most effective ways to strengthen your company’s defences against malware, ransomware, data loss and Business E-mail Compromise (BEC) attacks.
Feel free to contact us to prepare an offer that will be ideally suited to your company. What’s more, on the occasion of the upcoming picnic and springtime, we have prepared special offers containing as many as four awareness campaigns that we will carry out for your company over the next quarters.
Contact us: info@wearenavirisk.com