Cybersecurity requires organizations to spot and respond to an array of threats, some of which are easier to identify and guard against than others. One of the most prevalent types of cybersecurity breaches is phishing.
Phishing is a scam that enables a cybercriminal to trick ordinary users into providing personal information, such as login credentials. A user may be fooled into clicking a fraudulent link, or misled into entering his or her personal information on a form.
Either way, the attacker gains access to valuable data, which can be used for harmful purposes in the future.
The Dangers of Phishing
Phishing is dangerous in part because of how common and easy it is to execute. Nearly a third of all breaches in 2019 involved some kind of phishing. In cyberespionage attacks, a whopping 78% of breaches involved phishing.
You don’t need to have a degree in computer science, nor do you even have to be a “hacker,” to engage in successful phishing. A phishing attack may be executed simply by creating a website or sending an email that looks as if it has been issued by an authority, for example a bank or a tech company.
Thanks to the availability of technologically simple “phishing kits,” even people who have no technical experience or expertise can design and launch their own phishing attacks.
The extent of an attack depends on how it was executed and who the target is. If an individual hands his personal information over, including name, date of birth, Social Security number and/or credit card details, this can result in direct theft or identity theft.
If an organization is the victim of a phishing attack, it might give the hacker a foothold, which can be used as a tool in a larger criminal enterprise. For example, a cybercriminal could get access to a company’s internal servers, which would provide the opportunity to launch a much more sophisticated raid.
This can be especially dangerous for your organization because even a single vulnerability can open the way to a devastating chain reaction: when one person in your company falls for a phishing scam, it could jeopardize the integrity of the entire operation.
It might even have a ripple effect that extends to partner organizations, suppliers and your customers. In other words, if a third-party vendor suffers a phishing attack, that could leave you vulnerable as well.
Examples of Phishing
It’s easiest to understand the nature of phishing when you study an example of how one has played out. Many phishing techniques can be employed, sometimes independently and sometimes combined as part of a single attack.
Some common techniques include:
- Link manipulation. Here, a cybercriminal disguises a link in an email to fool you into clicking on the link. For example, it might read www.paypall.com, which closely resembles “paypal.com” but with only a subtle difference. Sometimes, hackers use subdomains to pose as a familiar, trustworthy website. Either way, when you click on the link, you might download malware to your device, or be led to a forged website.
- Forged websites. These function like regular websites, but are mocked up to resemble a trustworthy site. For example, you may see a page that looks like a typical login page, and it prompts you to enter your usual entry information. However, when you attempt to do so, the cybercriminal at the other end captures your credentials. Forged websites are usually identifiable if you pay attention to the details; the design won’t look quite right, and the URL will be subtly different from the site you know well.
- Social engineering. Phishing can also take place via social engineering. An individual may call you, pretending to be the representative of a trustworthy organization. If the person is persuasive enough, he or she may manipulate you into providing vital personal information.
Most phishing attacks attempt to motivate action through a compelling or time-sensitive demand. For example, their messages may warn you that your password is about to expire, or there’s an undefined “problem with your account.”
How to Combat Phishing
The best way to combat phishing in your own organization is through education. The more knowledgeable your employees are, the less likely they’ll fall for a phishing scam.
Most phishing attempts can be avoided with the following understanding:
- Unusual emails should never be trusted. If you get an email from someone you don’t know, or a message that’s worded in an unusual way, you shouldn’t automatically accept it. Clicking a link or downloading an attachment, even out of curiosity, can have devastating consequences.
- URLs should always be double-checked. One of the easiest ways to spot a phishing attempt is by checking the URL you’re about to click or are currently visiting. Are there any strange spelling errors? Do you notice a subdomain that doesn’t match what you intended to visit? You might also notice subtle design differences; for example, the company’s logo may be slightly misplaced, or the color scheme appears slightly “off.”
- No one will ever ask you for your password. This is common advice, and should be common knowledge, but it’s often neglected; no person inside or outside of your organization should ever ask you for your password directly. If someone does, it’s almost always a nefarious attempt to obtain your sensitive information. To maintain excellent security, always handle password resets with caution.
- Enable and enforce two-factor authentication. Authentication factors come in three kinds: something you know, something you have and something you are. Two-factor authentication requires you to authenticate with two such factors in order to proceed with a transaction. With two-factor authentication enabled, even if you fall prey to a phishing attack that steals your password, the risk of a fraudulent transaction is reduced, since the attacker will usually not possess the second factor.
Even if everyone knows and follows the practices above, your firm may still be vulnerable to a phishing attack if one of your vendors, suppliers or third-party partners becomes a victim.
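The link-manipulation tricks described in the examples (the “paypall.com” misspelling and the use of subdomains to pose as a trusted site) and the advice to double-check URLs can be partly automated. The following is an added example, not code from the original post or from Panorays; the trusted-domain list and the sample links are constructed for illustration, and the registered-domain logic is a simplification that ignores multi-label public suffixes such as co.uk.

```python
from urllib.parse import urlparse

# Constructed list of domains this organisation actually trusts (an assumption).
TRUSTED_DOMAINS = {"paypal.com", "example-bank.com"}


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Simplification: does not consult the Public Suffix List, so a
    'co.uk'-style suffix would be handled incorrectly.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquats such as 'paypall'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Classify a link as 'trusted', 'subdomain-spoof', 'lookalike' or 'unknown'."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    # A trusted name used as a leading label of some other domain,
    # e.g. paypal.com.account-verify.example, is the subdomain trick.
    for trusted in TRUSTED_DOMAINS:
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            return "subdomain-spoof"
    # A registered domain within a couple of edits of a trusted brand is a lookalike.
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(reg, trusted) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a suspicious email.
    for link in ("https://www.paypal.com/signin", "www.paypall.com",
                 "http://paypal.com.account-verify.example/login", "https://github.com"):
        print(f"{link:50} -> {classify_url(link)}")
```

A result of “unknown” only means the host is not on the trusted list; it still deserves the manual checks described above rather than being treated as safe.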
Phishing and Third-Party Vendors
You could have a fantastic cybersecurity strategy in place for your own operation, but how confident are you about the cybersecurity of your third-party vendors? How vulnerable are your suppliers to phishing attacks? Since your suppliers may be accessing, storing or processing your data, a phishing attack on their employees might put you at risk of a breach as well.
That’s why it’s critical to use automated third-party security management software to vet your suppliers, so you can assess the security risk they pose to your company. Assessing a supplier’s security posture must also include measuring the risk that their employees pose.
Panorays is the only security rating platform that includes an assessment of the human factor. With Panorays, you can be confident about your suppliers’ security; sign up for a free demo today, and see it in action!