April 25, 2023

Phishing – how to deal with it?

Phishing is a form of social engineering where attackers deceive people into revealing sensitive information or installing malware such as ransomware.


Phishing attacks have become increasingly sophisticated: some now transparently proxy the targeted site, so the attacker can watch everything the victim does on it and traverse any additional security boundary (such as a second authentication factor) together with the victim. As of 2020, phishing was the most common type of cybercrime, with the FBI's Internet Crime Complaint Center (IC3) reporting more phishing incidents than any other type of computer crime.

The term “phishing” was first recorded in 1995 in the cracking toolkit AOHell, but may have been used earlier in the hacker magazine 2600. It is a variation of fishing and refers to the use of lures to “fish” for sensitive information.

Measures to prevent or reduce the impact of phishing attacks include legislation, user education, public awareness, and technical security measures. The importance of phishing awareness has increased in both personal and professional settings, with phishing attacks among businesses rising.

Phishing attacks, often delivered via email spam, attempt to trick individuals into giving away sensitive information or login credentials. Most attacks are “bulk attacks” that are not targeted and are instead sent in bulk to a wide audience. The goal of the attacker can vary, with common targets including financial institutions, email and cloud productivity providers, and streaming services. The stolen information or access may be used to steal money, install malware, or spear phish others within the target organization. Compromised streaming service accounts may also be sold on darknet markets.

This form of social engineering involves sending fraudulent e-mails or messages that appear to come from a trusted source, such as a bank, Amazon, or a government agency. The message typically contains a link or an attachment: opening the attachment installs malware on the device, while the link leads to a fake login page imitating a trusted website, where the victim is prompted to enter their login credentials.
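The lure in such a message is almost always a link whose visible text names a trusted site while the href points elsewhere. The following is an added example (not NaviRisk's code) of a small checker that scans the HTML body of an e-mail and flags links whose displayed domain differs from the real target, whose target is a raw IP address or punycode host, or whose host contains a trusted brand name without being that brand's domain. The trusted-host list and the sample message body are constructed for the demo.

```python
"""Flag deceptive links in an HTML e-mail body (added example, not NaviRisk's tooling)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of domains the organisation genuinely uses.
TRUSTED_HOSTS = {"www.amazon.com", "amazon.com", "login.microsoftonline.com"}


def _registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href: str, text: str) -> list:
    """Return the reasons a link looks deceptive; an empty list means nothing was found."""
    reasons = []
    target = urlparse(href)
    host = (target.hostname or "").lower()
    if target.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme {target.scheme!r}")
    try:
        ipaddress.ip_address(host)
        reasons.append("href points at a raw IP address")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (IDN) host, possible homoglyph domain")
    # If the visible text itself looks like a URL or domain, it must agree with the href.
    try:
        shown = urlparse(text if "://" in text else "http://" + text)
        shown_host = (shown.hostname or "").lower()
    except ValueError:
        shown_host = ""
    if "." in shown_host and " " not in text and _registrable(shown_host) != _registrable(host):
        reasons.append(f"link text shows {shown_host} but href goes to {host}")
    # A trusted brand name inside an untrusted host (e.g. amazon-account-verify.example).
    for trusted in TRUSTED_HOSTS:
        brand = _registrable(trusted).split(".")[0]
        if brand in host and _registrable(host) != _registrable(trusted):
            reasons.append(f"brand {brand!r} in untrusted host {host}")
            break
    return reasons


def scan_email_html(body: str) -> dict:
    """Map each suspicious href to its reasons; clean links are omitted."""
    parser = _LinkCollector()
    parser.feed(body)
    findings = {}
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample message body for the demo (not a real phishing e-mail).
SAMPLE = """
<p>Your account is locked. Sign in at
<a href="http://amazon-account-verify.example">https://www.amazon.com/login</a>
to restore access.</p>
<p><a href="https://www.amazon.com/">www.amazon.com</a></p>
<p><a href="http://203.0.113.7/secure">Invoice PDF</a></p>
"""

if __name__ == "__main__":
    for link, why in scan_email_html(SAMPLE).items():
        print(link, "->", "; ".join(why))
```

The registrable-domain helper is deliberately simple; a production filter would use the Public Suffix List so that hosts under two-level suffixes such as `co.uk` are compared correctly.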

  • Did you know that fake e-mails are one of the main attack vectors against IT systems?
  • Check whether your employees click on a fake link
  • Check whether your employees hand a fraudster the login details to your systems
  • Check whether your company is resistant to social engineering attacks

Facts:

  • In 2022, cybersecurity researchers reported a 48% increase in mailbox attacks, and 70% of those attacks involved credential phishing.
  • Over 90% of successful attacks on IT systems started with an e-mail containing a fake link.
  • Almost 1.2% of all e-mails sent are malicious.
  • Even IT staff click on fake links. Awareness and resilience in companies are still far too low.
  • Even the best e-mail security systems cannot block 100% of fake messages.

What can clicking on a fake link result in?

  • Money stolen from your account
  • Theft of usernames and passwords
  • Encryption of company computers by ransomware
  • Blocking the operation of all or part of the IT systems
  • Interruption of business and service continuity
  • Identity theft
  • Break-in to IT systems, up to a complete takeover
  • Spying on everything employees do on their computers and phones
  • Theft of confidential information
  • Theft of credit card details
  • Takeover of an account on a social networking site
  • Theft of customer data and its publication
  • Penalties for breaching the security of personal data and company secrets
  • Loss of market confidence
  • Reputational damage

What can a fake e-mail contain?

  • Information that a colleague shared a file
  • Information about blocking access to electronic banking
  • Shipment notification from the courier company
  • Information about the need to pay tax
  • A fake invoice from a utility company
  • Information about the need to reset the password to the account on the social networking site
  • And many others…
  • There may also be "dropped" USB drives that infect the computers they are plugged into

What can we do to protect you and your assets?

  • As part of our service, we prepare an awareness campaign that sends several (1-4) e-mails, which look like real phishing e-mails, to all employees. The content is tailored to the company's employees. After clicking the link, the employee sees a fake login page, which lets us check whether they are willing to hand their data to cybercriminals.
  • We can attach a fake attachment to an e-mail and then verify whether the employee opened it.
  • All of the above actions are the same as in a real attack, except that they take place under controlled conditions and no usernames or passwords are collected or passed on to anyone. We record only which employees could be deceived during an attack.
  • At the end of the collection period, we generate a report of who clicked the fake link and who entered their credentials on the fake landing page.
  • When an employee clicks a fake link, an explanatory information page can be displayed immediately, which is highly effective training.
  • It is also possible to prepare a file that is placed on a portable drive and delivered to, for example, the office; every time an employee opens it, the event is reported immediately.
  • Repeated, cyclical, well-planned campaigns consolidate correct habits even in the most resistant employees.
  • Cyclical activities show the progress in raising awareness and, thus, the company's resistance to phishing attacks.
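The steps above (per-employee links, a click, a fake login form, an explanation page, a report) rest on one property that a practitioner will want to verify before running such a campaign: the landing page must record who clicked and who typed credentials, but never store the password itself. The following is an added example, not NaviRisk's tooling, of the minimal tracking logic with that property. The landing-page host, employee addresses and events are constructed for the demo.

```python
"""Click and credential-entry tracking for a simulated phishing campaign
(added example, not NaviRisk's own code)."""
import secrets
from dataclasses import dataclass, field
from typing import Optional

LANDING = "https://awareness.example/verify"   # hypothetical landing-page host


@dataclass
class Campaign:
    name: str
    tokens: dict = field(default_factory=dict)   # per-recipient token -> employee address
    events: list = field(default_factory=list)   # (employee, event); never credentials

    def enrol(self, employee: str) -> str:
        """Issue an unguessable per-recipient token and return the link for the lure."""
        token = secrets.token_urlsafe(16)
        self.tokens[token] = employee
        return f"{LANDING}?t={token}"

    def record_click(self, token: str) -> Optional[str]:
        """Landing-page handler: returns the page to show, or None for an unknown token."""
        employee = self.tokens.get(token)
        if employee is None:
            return None            # forged or stale token: do not count it
        self.events.append((employee, "clicked"))
        return "fake_login"        # the page that imitates the real login form

    def record_submission(self, token: str, username: str, password: str) -> Optional[str]:
        """Fake-login form handler: keeps only the fact that credentials were submitted."""
        employee = self.tokens.get(token)
        if employee is None:
            return None
        # The password is checked for emptiness and then dropped; it is never written
        # to `events` or anywhere else, so the campaign itself cannot leak credentials.
        self.events.append((employee, "submitted" if password else "submitted_empty"))
        return "training_page"     # the immediate "this was a test" explanation

    def report(self) -> dict:
        """Per-employee outcome: did they click, did they enter credentials."""
        out = {e: {"clicked": False, "submitted": False} for e in self.tokens.values()}
        for employee, event in self.events:
            if event == "clicked":
                out[employee]["clicked"] = True
            elif event == "submitted":
                out[employee]["submitted"] = True
        return out

    def rates(self) -> tuple:
        """(click rate, credential-entry rate) over all enrolled employees,
        the numbers compared between successive campaigns."""
        r = self.report()
        n = len(r) or 1
        return (sum(v["clicked"] for v in r.values()) / n,
                sum(v["submitted"] for v in r.values()) / n)


def token_of(link: str) -> str:
    """Extract the per-recipient token from a lure link."""
    return link.split("?t=", 1)[1]


if __name__ == "__main__":
    c = Campaign("Q2 courier lure")
    # Constructed recipients for the demo.
    links = {e: c.enrol(e) for e in ("ania@example.com", "bartek@example.com", "celina@example.com")}
    c.record_click(token_of(links["ania@example.com"]))
    c.record_submission(token_of(links["ania@example.com"]), "ania", "hunter2")
    c.record_click(token_of(links["bartek@example.com"]))
    c.record_click("not-a-real-token")
    print(c.report(), c.rates())
```

Tokens are random rather than derived from the address so that a link cannot be forged from a guessed e-mail address; a forwarded link is still attributed to the original recipient, which is a known limitation of every campaign of this kind.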

Additional info:

Experience shows that awareness campaigns result in a significantly reduced click-through rate after each subsequent campaign. An employee who has made a mistake becomes more vigilant and more resistant to social engineering attacks.

Phishing training for employees is one of the most effective ways to strengthen your company’s defences against malware, ransomware, data loss and Business E-mail Compromise (BEC) attacks.

Feel free to contact us for an offer tailored to your company. In addition, to mark the spring season we have prepared special offers that include as many as four awareness campaigns, which we will carry out for your company over the coming quarters.

Contact us:  info@wearenavirisk.com


CONTACT

NaviRisk Sp. z o.o.

ul. Huculska 5/6
00-730 Warsaw

+48 605 19 11 19 info@wearenavirisk.com
