Phishing Vigilance: What Your Employees Must Know to Identify and Stop Attacks

Overwhelmed by the wide variety of cyberattack techniques being used by criminals today? If you have to focus your efforts on the greatest threats to your business, consider starting with phishing attack prevention. In this type of attack, the sender attempts to collect personal information or credentials, or drive the recipient to a malicious link, by impersonating a legitimate and compelling organisation or individual.

Consider that Verizon’s 2021 Data Breach Investigations Report reveals that 96% of social engineering attacks are delivered by email, while only 3% are delivered through a website. Among successful breaches, 36% involved phishing, up 11% in 2020 compared to 2019 – and just 10% involved ransomware, though this is what generates the most publicity. And according to recent research from Proofpoint, 75% of organisations internationally experienced a phishing attack in 2020, and 74% of phishing attacks targeting US businesses were successful. The FBIs Internet Crime Complaint Center (IC3) received a record number of complaints from American citizens in 2020 and found that phishing was the most rampant cyber threat in 2020, with 241,342 victims.

Types of phishing

“Phishing” is derived from fishing for good reason; there’s always a hook, bait, and a vulnerable victim who can’t distinguish a tantalising lure from an authentic communication. These are the most prevalent types of phishing attacks used against businesses.

• Domain spoofing emails: Mass-delivered emails appear to come from legitimate companies that many Americans have accounts or shop with, including CVS and Amazon. These emails appear to come from the company’s email address. These emails typically claim there is a problem with the receiver’s account and include a malicious link.
• Spear phishing: Highly personalised and targeted communications, beginning with subject lines that the intended victims will find compelling, are composed through social engineering techniques.
• Vishing: The cybercriminal makes a call and leaves a voice message if there is no answer, claiming to be from Microsoft or a widely used security software firm. The caller says the victim has a virus on his or her computer and needs to call to update the antivirus software. The attacker steals personal information and/or payment over the phone and then provides malicious malware.
• CEO fraud: In these phishing attacks, the sender poses as the CEO or a high-ranking company official of the company for whom identified lower-level employees work and asks for personal information.
• Whaling: The opposite of CEO fraud, these emails target C-suite or high-ranking executives through a variety of means, such as appearing to be from a lower-level employee.

7 tips to share with your employees

While your official training session should be exhaustive, sharing these tips or this article in its entirety will provide an excellent introduction in the interim. This may be enough to enable your staff to thwart many attacks before the training session.

1. Expand the sender’s name to spot spoofed email addresses. Here, the phisher is disguised as a legitimate company name as the email sender, but the actual address can be seen when expanding the email address as something illegitimate. This is known as display name spoofing. Cousin domain spoofing is similar but can be spotted without expanding. It uses a variation of a legitimate email such as ‘Walmart.co’ instead of ‘Walmart.com’.
2. Don’t click through on emails with too-good-to-be-true or threatening subject lines. The more enticing or urgent an email line, the higher the click rate. Just like marketers, phishers use this fact to their advantage, so beware of subject lines offering something of value for free or claiming that immediate action must be taken to avoid penalties or repercussions.
3. Hover over included links to see the real website destination. When unsure of the legitimacy of an email, hover over the links to see if the URLs match the linked text. If they don’t, that’s an almost certain sign of an attack.
4. Don’t open attachments from any unverified senders. Sophisticated phishers avoid detection by email security filters in many ways. One of the most common is by including links as attachments rather than in the email text. Never open any attachments from unverified senders.
5. Too short and ambiguous emails have vague or short messages designed to catch recipients off guard. An email may appear to be from a legitimate sender, including an internal source or partner, with a short message, like ‘Here’s what you requested’ and a link.
6. Look out for poor English and typos. Fortunately, there is a dead giveaway for many attacks. Foreign attackers with poor grammar, unfamiliar and awkward phrasing, and errant spelling give away their malicious intent by not having their work proofread prior to sending. Even typos are a red flag.
7. Contact IT or your security partner firm immediately if an employee does click on a phishing link. Make sure your employees know the internal chain of command, and that a system is in place to act ASAP if an attacker is successful in getting through your first line of defence.

Phishing attackers can be unsophisticated individuals with easy-to-spot errors, or they can be as well-organised as your own company. Organisations that are successful in stopping attacks take a serious approach to prevention that include training, simulated phishing campaigns, and continual monitoring of results and reinforcement of awareness. Let this article be the catalyst for your business to become more phishing aware and vigilant.