April 25, 2023

Phishing – how to deal with it?

Phishing is a form of social engineering where attackers deceive people into revealing sensitive information or installing malware such as ransomware.


Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim is navigating the site and to traverse any additional security boundaries along with the victim. As of 2020, it is the most common type of cybercrime, with the FBI’s Internet Crime Complaint Centre reporting more incidents of phishing than any other type of computer crime.

The term “phishing” was first recorded in 1995 in the cracking toolkit AOHell, but may have been used earlier in the hacker magazine 2600. It is a variation of fishing and refers to the use of lures to “fish” for sensitive information.

Measures to prevent or reduce the impact of phishing attacks include legislation, user education, public awareness, and technical security measures. The importance of phishing awareness has increased in both personal and professional settings, with phishing attacks among businesses rising.

Phishing attacks, often delivered via email spam, attempt to trick individuals into giving away sensitive information or login credentials. Most attacks are “bulk attacks” that are not targeted and are instead sent in bulk to a wide audience. The goal of the attacker can vary, with common targets including financial institutions, email and cloud productivity providers, and streaming services. The stolen information or access may be used to steal money, install malware, or spear phish others within the target organization. Compromised streaming service accounts may also be sold on darknet markets.

This method of social engineering attack involves sending fraudulent emails or messages that appear to be from a trusted source, such as a bank, Amazon, or a government agency. These messages typically contain a link or attachment that, when clicked, installs malware on the targeted device or redirects the victim to a fake login page imitating a trusted website, where they are prompted to enter their login credentials.

  • Did you know that one of the main vectors of attacks on IT systems is fake e-mails?
  • Check if your employee clicks on a fake link
  • Check if your employee gives the fraudster login details to your systems
  • Check if your company is resistant to social engineering attacks

Facts:

  • In 2022, cybersecurity researchers reported a 48% increase in mailbox attacks. And 70% of these attacks involved phishing of credentials.
  • Over 90% of successful attacks on IT systems started with an e-mail with a fake link.
  • Almost 1.2% of all e-mails sent are malicious messages
  • Even IT staff click on fake links. Awareness and resilience of companies are still grossly low.
  • Even the best e-mail security systems cannot block 100% of fake messages.

What can clicking on a fake link result in?

  • Stealing money from your account
  • Phishing of username and password
  • Encryption of company computers
  • Blocking the operation of all or part of IT systems
  • Interruption of business and service continuity.
  • Identity theft
  • Breaking into IT systems, a complete takeover of systems
  • Spying on all employees’ operations on the computer, phone
  • Theft of confidential information
  • Theft of credit card details
  • Taking over access to an account on a social networking site
  • Stealing customer data and making it public
  • Penalties related to liability for breaching the security of personal data and company secrets.
  • Loss of confidence in the market
  • Reputation drop

What can a fake e-mail contain?

  • Information that a colleague shared a file
  • Information about blocking access to electronic banking
  • Shipment notification from the courier company
  • Information about the need to pay tax
  • A false invoice from the utility company
  • Information about the need to reset the password to the account on the social networking site
  • And many others…
  • There may also be “dropped” USB drives, left where an employee will find them, that infect computers when plugged in

What can we do to protect you and your assets?

  • As part of our service, we prepare an awareness campaign, which sends several (1-4) e-mails that look like real phishing e-mails to all employees. The content of the e-mail is prepared so that it is targeted at the company’s employees. After clicking on the link, the employee sees a fake login page, which allows them to check whether they are willing to provide their data to cybercriminals.
  • We can attach a fake attachment to an e-mail and then verify that the employee has opened it
  • All of the above actions are the same as in a real attack, except that they take place under controlled conditions, and no usernames or passwords are collected or transferred to anyone. We only collect information on which employees can be deceived during an attack.
  • At the end of the collection period, we generate a report of who clicked on the fake link and who entered their credentials on the fake login page.
  • When an employee clicks on a fake link, the relevant information page can be displayed, resulting in immediate and highly effective training.
  • It is also possible to prepare a special file, which can then be placed on a portable disk and delivered, for example, to the office. Each time an employee opens the file, it is immediately reported.
  • Repeated, cyclical and well-thought-out, properly planned campaigns allow you to consolidate correct habits even in the most resistant employees
  • Cyclic activities show the progress of increasing awareness and, thus, the company’s resistance to phishing attacks

Additional info:

Experience shows that awareness campaigns result in a significantly reduced click-through rate after each subsequent campaign. An employee who has made a mistake becomes more vigilant and more resistant to social engineering attacks.

Phishing training for employees is one of the most effective ways to strengthen your company’s defences against malware, ransomware, data loss and Business E-mail Compromise (BEC) attacks.

Feel free to contact us to prepare an offer that will be ideally suited to your company. What’s more, on the occasion of the upcoming picnic and springtime, we have prepared special offers containing as many as four awareness campaigns that we will carry out for your company over the next quarters.

Contact us:  info@wearenavirisk.com


CONTACT

NaviRisk Sp. z o.o.

ul. Huculska 5/6
00-730 Warsaw

+48 605 19 11 19 info@wearenavirisk.com
