The Dangers of Biting on a Phish
Updated: Dec 12, 2022
"Dear network user, This email is meant to inform you that your [company] network password will expire in 24 hours. Please follow the link below to update your password" (Imperva, n.d.).
Phishing emails like this one are sent across the internet every day. Phishing is a form of identity theft in which the victim unwittingly volunteers information that can then be used for nefarious purposes (Hayes, 2021). The example above looks and feels like a legitimate email, but the link actually points to a malicious website from which malware and other types of cyberattacks can be launched against your business computer and then spread across the company network.
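As an added illustration (not from the original post or any of its cited sources), the following Python script shows how a mail-filtering rule might flag the lure above: it looks for the urgency phrasing ("expire in 24 hours") and for links whose visible text shows one domain while the href points to another. The sample message, the look-alike domain and the trusted-domain list are all constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the password-expiry lure quoted above; not a real message.
SAMPLE_EMAIL_HTML = """<p>Dear network user,</p>
<p>This email is meant to inform you that your Example Corp network password
will expire in 24 hours. Please follow the link below to update your password.</p>
<p><a href="http://examp1e-corp-login.xyz/reset">https://sso.example.com/reset</a></p>"""

# Assumption: the organisation's genuine domains (constructed for this example).
TRUSTED_DOMAINS = {"example.com"}

# Typical urgency phrasing used to rush the reader into clicking.
URGENCY = re.compile(r"\b(expire[sd]? in \d+ hours?|within 24 hours|immediately|verify your account)\b", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(url):
    """Reduce a URL to its last two host labels, e.g. sso.example.com -> example.com."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyse_email(html):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    parser = _LinkCollector()
    parser.feed(html)
    if URGENCY.search(re.sub(r"<[^>]+>", " ", html)):
        findings.append("urgency lure")
    for href, shown in parser.links:
        target = registered_domain(href)
        # Displayed URL and real destination disagree: classic link spoofing.
        if shown.startswith(("http://", "https://", "www.")) and registered_domain(shown) != target:
            findings.append(f"link text shows {registered_domain(shown)} but points to {target}")
        if target not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted domain {target}")
    return findings
```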
Phishing attempts can get quite sophisticated. For example, "cybercriminals start by using open source intelligence (OSINT) to gather information from published or publicly available sources like social media or [the] company's website. Then, they target specific individuals within the organization using real names, job functions, or work telephone numbers to make the recipient think the email is from someone else inside the organization" (Hewitt, 2021). This is known as spear phishing. Spear phishing directed towards senior leadership such as a CEO is known as whale phishing or whaling.
According to Ricardo Villadiego from Forbes, in 2016, phishing and other types of cyberattacks resulted in 4.2 billion records being stolen, which caused 81% of organizations to lose customers. In addition, such attacks cost $1.6 million per organization on average. Phishing feeds information to attackers little by little, and they assemble these pieces in preparation for launching the larger attack(s).
phishing.org lists ten ways to avoid phishing scams:
Keep Informed About Phishing Techniques
Think Before You Click!
Install an Anti-Phishing Toolbar
Verify a Site’s Security
Check Your Online Accounts Regularly
Keep Your Browser Up to Date
Be Wary of Pop-Ups
Never Give Out Personal Information
Use Antivirus Software
All employees must learn how to detect phishing attacks. An excellent cyber awareness training program can accomplish this. Many vendors offer training programs to which this can be outsourced, which is the recommended approach if you don't know how to build cyber awareness training from the ground up. Yes, it will cost money, but it will significantly reduce the chances of a successful cyberattack on the organization, saving money in the long run. The weakest link in any network is and will always be the people who use that network. Therefore, investing in cyber awareness training is one of the most important things a company can do for its cybersecurity program. Another major thing employees should know is how to report phishing attacks. Reporting phishing attacks as soon as possible helps security teams alert other employees and contain the threat (PhishProtection, n.d.).
Phishing is a form of identity theft that tricks people into volunteering information to cybercriminals. That information is later used to launch severe and sophisticated attacks at any scale. Cyberattacks hurt a company's bottom line through the loss of sensitive data and a damaged reputation, which in turn costs customer trust. There are several ways to help avoid biting on a phish, but training is the main focus. If employees know how to spot phishing attacks and report them, security teams can take action and shield the company from the threat.
References
Hayes, A. (2021, May 18). What is phishing? Investopedia. https://www.investopedia.com/terms/p/phishing.asp
Hewitt, K. (2021, May 5). 12 types of phishing attacks and how to identify them. SecurityScorecard. https://securityscorecard.com/blog/types-of-phishing-attacks-and-how-to-identify-them
Imperva. (n.d.). What is phishing | Attack techniques & scam examples | Imperva. https://www.imperva.com/learn/application-security/phishing-attack-scam/
Phishing.org. (n.d.). 10 ways to avoid phishing scams. https://www.phishing.org/10-ways-to-avoid-phishing-scams
PhishProtection. (n.d.). Phishing awareness – Important things that every employee needs to know in an organization. https://www.phishprotection.com/content/phishing-awareness-training/phishing-awareness/