As more criminals turn to online scams to steal confidential data, phishing prevention has become critical. Most of us now recognize spam emails and have learned to ignore them, but phishing emails can appear legitimate, and they are sometimes tailored to the individual recipient.
By Hardik Panchal, General Manager, Networking Services & Operations at Rahi
Phishing emails have become more common over time, and their numbers spike during the holiday season. Although phishing has been around for more than two decades, it remains a successful attack strategy for scammers. One reason for its high success rate is its reliance on social engineering that preys on human emotions and trust.
A recent Proofpoint survey found that 74% of the U.S. organizations surveyed reported experiencing a successful phishing attack. To avert data breaches, businesses conduct regular training and educate staff on the various forms of cyber attack.
Even if your organization has a strong grasp of cybersecurity, data-security-compliant systems, and end-user security awareness programs, a single unintentionally downloaded piece of malware or one click on a link in a phishing email can infect your organization with ransomware, or lead to a data breach through business email compromise (BEC) or email account compromise (EAC).
According to the Terranova Security Gone Phishing Tournament, more than 20% of employees are likely to click on phishing email links, and an astounding 67.5% of them go on to visit the phishing website and enter their credentials. Microsoft files and PDFs were attackers' preferred delivery vehicles, as these documents are widely trusted across the business environment, according to SonicWall's cyber threat report.
Phishing emails use a variety of themes as enticement and are sent from top-level domains that instill trust in recipients. The email carries attachments hosted on Microsoft SharePoint, or links to websites or landing pages. The attached documents are given names such as 'Pricing changes' or 'Employee bonus information', but visiting the link redirects the viewer to a page built for the sole purpose of phishing. Users are prompted to enter their credentials to sign in, and because the content is hosted on a trusted service, the email bypasses a number of sandboxes at various levels.
Abusing Microsoft and Google cloud infrastructure is one of many techniques phishers use to circumvent email security systems and gateways. Some phishing emails will be blocked by the desktop email client software that handles users' accounts, but to eradicate the problem entirely, businesses should consider teaching and training personnel in a simulated environment.
Purchase a domain for your simulated phishing emails and send them out at regular intervals on a variety of topics, such as requests for network passwords, Diwali gifts, and password reset requests. Open and click rates can be tracked, and the simulated link can lead to a blank page or a 404 error, or you can take it further to a fake payment gateway or a credential-capture page, just as in a real phishing attack.
The exercise is beneficial when it lowers open and click rates, but what matters more is reporting to the IT desk; that is what organizations want from their workforce. With repeated simulated phishing attempts, reporting to IT will rise as employees become more aware of the various phishing methods and less likely to fall for a real attack when it happens.
Protection from phishing starts with your mindset towards potential red flags. Take the following precautions with your email at all times:
- Alarming messages shouldn't be trusted – Organizations will never ask for your account details or personal information by email. In retail companies, when a customer asks for a payment of an unusual amount or orders a huge quantity of items, immediately raise a red flag and report it to your IT department.
- Attachments are vehicles of vulnerability – Attachments in phishing mail, especially Word, Excel, PDF, and PowerPoint files, can compromise your system's security. If an email looks suspicious, do not download the attachment.
- Check the website before sharing sensitive information – Before filling in a form or handing over personal information, copy the link and open it in your browser to verify whether the website is genuine or a landing page created to steal your credentials.
- Embedded links can seed malware – Avoid embedded links in emails, as they can install malware on your device or redirect you to another web page where your credentials can be compromised. Type the correct URL into your browser yourself and review the website's security report before filling in any details.
- Impersonators can phish you without hacking – When dealing with vendors and customers, a phisher may send you an email impersonating the client you are dealing with. Before responding or taking any further action, double-check the email address and domain name. In most cases, phishing emails use fake domain names that differ only slightly from the real ones: if the actual domain is 'xyz.com', a phisher will use 'xyztech.com' with all other details unchanged. So when carrying out financial transactions, take the extra step of verifying the company's domain name.
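The two checks in the last two precautions (does the link really go where its text says, and is the sender's domain a lookalike of a domain you trust) can be automated as a first-pass triage before a human looks at a suspicious message. The following Python is an added example written for this article, not the author's or Rahi's code. It assumes a short list of trusted vendor domains (TRUSTED_DOMAINS, constructed here, and including the article's 'xyz.com') and a constructed sample email whose sender domain is 'xyztech.com' and whose visible link text shows one host while the href points to another.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this organisation genuinely exchanges mail with (constructed list;
# 'xyz.com' is the example domain used in the article).
TRUSTED_DOMAINS = {"xyz.com", "rahi.example"}


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'Accounts <billing@xyztech.com>'.
    The display name is deliberately ignored: it is trivially forged."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if it is either
    exactly trusted or unrelated. Two imitation patterns are covered: the trusted
    label embedded in a longer one (xyz -> xyztech) and a one-character edit or a
    different TLD on the same label (xyz.com -> xyz.net)."""
    if domain in trusted:
        return None
    d_label = domain.split(".")[0]
    for t in trusted:
        t_label = t.split(".")[0]
        if len(t_label) >= 3 and t_label in d_label and d_label != t_label:
            return t
        if edit_distance(d_label, t_label) <= 1:
            return t
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str):
    """Return (visible text, real host) for links whose text names a host that
    differs from the host the href actually points to."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"([A-Za-z0-9-]+\.)+[A-Za-z]{2,}", text)
        if shown and shown.group(0).lower() != real_host:
            findings.append((text, real_host))
    return findings


def triage(message: dict) -> dict:
    """Run both checks over a message given as {'from': ..., 'html': ...}."""
    dom = sender_domain(message["from"])
    return {
        "sender_domain": dom,
        "sender_lookalike": lookalike_of(dom),   # trusted domain being imitated, or None
        "mismatched_links": mismatched_links(message["html"]),
    }


# Constructed sample message: lookalike sender plus a disguised link.
SAMPLE_EMAIL = {
    "from": "Accounts Payable <billing@xyztech.com>",
    "html": (
        "<p>Pricing changes attached. Review at "
        '<a href="https://login.example-phish.test/sp">https://xyz.com/sharepoint/pricing</a>'
        ' or <a href="https://xyz.com/portal">our portal</a>.</p>'
    ),
}

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

Running the script on the sample reports the sender domain as a lookalike of xyz.com and flags the first link, whose text shows xyz.com while the href leads to login.example-phish.test; the second link, whose text names no host, is left alone. In practice the trusted list would come from your vendor master data, and a hit should route the message to the IT desk rather than block it outright, since legitimate sub-brands can also trip the containment rule.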
The best defense is a trustworthy endpoint security solution that filters out spam and phishing emails. Your best offense is to educate employees and raise awareness using a simulated phishing environment, which provides a learning opportunity and is a cost-effective way to build cybersecurity into your organization.
About the Author
Hardik Panchal is the General Manager, Networking Services & Operations at Rahi. He is a network engineer with a hands-on approach and a technological mindset for designing and implementing enterprise IT and data center architecture, including configuration, optimization, and supporting network management systems. He conducts network modeling and analysis to construct a reliable, high-performance integrated network. Panchal also designs, recommends, and implements new solutions to improve the resilience of network operations. He specializes in network, data center, security, wireless, and cloud technologies.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.