According to a survey released by the Australian Cyber Security Centre (ACSC), 60% of businesses that fall victim to phishing attacks fail within 6 months of the incident. It is a sobering statistic that should make any business sit up and take notice, particularly because these forms of attack are becoming more frequent, more sophisticated, and better planned to target the infrastructure of modern businesses.
A few decades ago, corporate hacking was little more than a cottage industry, made up of isolated hobbyists more concerned with infiltrating vulnerable networks than gaining financial rewards. Today, professional hacking groups use social engineering and tailored software to steal financial information and other sensitive data from the biggest companies in the world, making millions of dollars in the process.
For these criminal entities, the easiest way to infiltrate your business is not through the digital defenses protecting your external networks – it is through the vulnerable users that make up your workforce and customer base.
How Phishing Attacks Work
Anyone with an email account has likely been the victim of a phishing attack at one point or another. Every year, 156 million of these messages are sent out as spam to different email platforms throughout the world.
Criminals send phishing attacks en masse rather than to a specific user. Typically, these emails provide links to helpful looking websites that prompt users to type credentials before they can proceed.
More dangerous forms of the practice, known as “spear phishing” attacks, use personal information gleaned from social media accounts and previously breached organizations that target specific people. Some of these emails are designed to look like urgent messages from your bank or credit card provider. The content within these emails is usually written and formatted in a manner that is almost indistinguishable from a legitimate message. Criminals often gain access to systems by asking users to confirm information within the fake email message. They bait the recipient into clicking the “phishing” link in the body of the email (deceptive phishing).
Other spear phishing messages are designed to look like social media notifications from people in your personal network. You will be urged to view or reply to the notification by clicking a handy link within the email body. The link will take you to a fake login page set up to capture your credentials.
Once they collect sensitive information, hackers can either sell the data to cybercriminals or make use of the data themselves for illegal purchases and other fraudulent acts.
A recent survey revealed that 4 out of 5 organisations were victim to these types of hacks. The average financial losses from spear phishing was estimated to be $2.1 million per targeted company.
Types of Phishing Attacks
Whaling attacks are usually geared towards extracting sensitive data from higher level company management (whales). They make use of a scam tactic known as Business Email Compromise (BEC) to impersonate high level executives within an organisation.
Whalers will use data from company publications and employee social media to bypass normal Email filters and appear convincing to the recipient. Usually, these attacks are used to prompt users to wire a certain amount of money to a select location or change the details of a pending transaction to funnel money to the hackers instead of the proper recipient. Meanwhile, customers for smaller businesses may be asked to resend payment as a result of initial processing errors.
According to law enforcement statistics, these types of attacks cost businesses upwards of $4.4 billion dollars every year.
With mimic phishing, cybercriminals attempt to borrow some of the credibility provided by trusted sites such as Dropbox, OneDrive, iCloud and Google Drive. Phishers send communications to users that are almost indiscernible from the official emails these services send on a regular basis. When users click links within the emails, they are taken to a fake sign-in page that looks just like the standard login pages of these services. Often, users type their credentials into these fake forms without giving it a second thought.
As users become aware of phishing attacks, hackers develop new methods of directing victims to malicious domains. One of these techniques is called pharming.
When you type a domain name into your web browser, the Internet’s naming system translates the characters you type into numerical IP addresses that your browser where to find the website or page.
Hackers have targeted well-known domain names and change their associated IP addresses to redirect to websites they set up. The redirected domains are used to collect information or infect user systems.
Best Practices for Avoiding Phishing Attacks
Be on the lookout for typos and other mistakes in official communications from banks and other institutions. Presume that if it looks suspicious, it is dangerous.
Double-check email addresses if the communications are from a company you regularly receive emails from. If the sender’s address is slightly different, chances are you are being phished.
Be very wary of embedded links or other calls to action within emails. If you are being asked to call a number, independently verify that number before calling. If you are being directed to a login page, hover over the link to verify it is going to the proper website and not something that is unfamiliar. If you do click a link, look for https in the web address, which indicates that the site is secure. Even so, verify that the entire web address is properly spelled and formatted.
Never fill out embedded forms asking you to provide personal details or financial information.
Update your spam filters, firewall and anti-virus software regularly. Put unrecognized domains on your blacklist.
Protect Your Business
Protecting your business requires vigilance, knowledge, training and a trusted IT provider.
Incito provides your business with solid service and guidance to combat existing and looming security threats. We provide IT strategy, design, implementation and IT monitoring and support to Australian businesses of all sizes.
Contact us today on 1300 300 583 or firstname.lastname@example.org.