Phishing is a type of cyberattack in which criminals disguise themselves as reputable businesses or trusted individuals to obtain valuable information, like your network credentials, passwords, or financial information.
As of 2019, phishing is one of the most popular types of cybercrimes in the United States. Despite increased awareness about the dangers of phishing, the variety and success rate of phishing attacks have continued to increase in the States, which now accounts for 86% of all phishing attacks globally.
Phishing attacks aren’t just on the rise; they’re harder to defend against. Phishing causes more than four times the damage that viruses and ransomware cause. All it takes is one fraudulent email to fool one of your employees, and the damage is done. So, what are the best ways to stop a phishing attack? The first step is to understand what makes the threat so dangerous.
The Changing Face of Phishing
In the past, fraudsters relied on “spray and pray” approaches to phishing. This method used generic, templated emails with minimal personalization. The idea was that at least one recipient among the thousands would be gullible enough to click on the dangerous link.
Today, the phishing landscape is much more diverse and sophisticated – often customized to target your organization or employees. This has helped keep the efficacy rate of phishing attacks high — despite the proliferation of new and advanced cybersecurity tools — and made mitigating phishing attacks a priority for the majority of cybersecurity decision makers. Here are the new phishing-style attacks you’re likely to see in 2019.
Spear phishing is one of the more targeted forms of phishing, in which the attacker has gathered some information about you, usually from social media channels or the wider web. Using information about a recent purchase, business trip or life event, the hacker will then craft a convincing email that asks you to help them with something related to that event, such as refunds, claims of outstanding balances and so on.
To increase their success rate, spear phishing attacks often frame this request as an urgent need, requesting the user to visit a fraudulent website – one that looks very close to a genuine website the user is already familiar with. This method has a high chance of success. For the last several years, spear phishing attacks have been the most popular attack vector for organized hacking groups.
Business Email Compromise
The Business Email Compromise (BEC) is an advanced phishing attack in which hackers pose as an executive in the company and direct a financial director or accountant to remit a payment on behalf of a business. BEC attacks often rely on a sense of urgency for their success, requesting the invoice or transfer get processed immediately to steal the money before the accountant has time to realize it’s not legitimate.
Because of the research and time that go into them, BEC attacks can be extremely effective. Take, for example, the Lithuanian man who successfully scammed both Google and Facebook out of over $100 million, and those are technology experts!
HTTPS in Phishing Attack
For many years, users have been taught that the little padlock symbol in Google Chrome and Microsoft Edge meant they were browsing safely. That’s no longer a safe assumption. The padlock only shows that the connection is encrypted, not that the site on the other end is genuine. Hackers have gotten wiser and are deploying a new strategy: they now design spoofed websites that use an encrypted channel to appear safe but can steal your information like a regular phishing page.
This is a recent phishing trend in 2019, but it’s gaining popularity. According to cybersecurity expert Brian Krebs, 49% of phishing sites now utilize an encrypted connection, largely due to the proliferation of low-cost web hosting services that offer encryption.
How to (Help) Stop Phishing Attacks
Phishing is a reality that demands far stronger cybersecurity protections than ever before. But beyond investments in multi-factor authentication and powerful firewalls, there are things that you can do right away to help prevent phishing from becoming a serious problem in 2019. Here are some ways you can keep your organization safe and secure:
1 – Encourage Good Digital Hygiene
It’s important that employees proactively police their own social media accounts and posts that might contain information which could be used to launch a phishing attack. With no “in” to launch a credible phishing attack, hackers are forced to revert to anonymous phishing attacks, which are far easier to identify and defend against.
2 – Watch for Grammatical Errors and Typos
A lot of phishing attacks originate from overseas. Knowing this can give you an advantage when trying to determine if a page or email is legitimate or not. Scan it carefully for English problems. Are there spelling mistakes, poor punctuation, or issues with awkward verbiage? Those are major red flags, so proceed with caution.
3 – Urgent Messages? Not So Fast
Hackers want you to act urgently before you get wise to what they’re up to. To stay safe, your staff should be trained to approach every email with the opposite mentality — skepticism and patience. A message that carries an urgent or threatening tone must be taken with a big grain of salt, especially if it’s asking for personal information. If a message seems really suspicious, staff may even want to confirm it with the sender on the phone or in another email thread.
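As an added example (not from the original article), here is how the warning signs from the Business Email Compromise section and from this tip can be combined into a mail-triage check: an executive's display name on an outside address or a mismatched Reply-To, together with urgency or a payment request, sends the message for out-of-band confirmation. The company domain, executive name, keyword lists and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (constructed): the company's domain and its executives' display names.
COMPANY_DOMAIN = "acmepay.example"
EXECUTIVES = {"dana reyes"}
URGENCY = re.compile(r"\b(urgent|immediately|right away|asap|overdue)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|payment|remit)\b", re.I)

def bec_indicators(raw: str) -> list[str]:
    """Return the BEC warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    found = []
    if name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        found.append("executive display name on external address")
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        found.append("Reply-To domain differs from From domain")
    if URGENCY.search(text):
        found.append("urgent tone")
    if PAYMENT.search(text):
        found.append("payment request")
    return found

def needs_out_of_band_check(raw: str) -> bool:
    """Hold for phone confirmation when an identity anomaly meets urgency or a payment ask."""
    hits = bec_indicators(raw)
    identity = any("address" in h or "Reply-To" in h for h in hits)
    pressure = "urgent tone" in hits or "payment request" in hits
    return identity and pressure

# Constructed sample messages.
SUSPICIOUS = """From: "Dana Reyes" <dana.reyes@acmepay-mail.test>
Reply-To: payments@invoices.test
Subject: Urgent wire needed

Please process this transfer immediately, I am boarding a flight.
"""
ROUTINE = """From: "Dana Reyes" <dana.reyes@acmepay.example>
Subject: Agenda for Thursday

Attached is the agenda for the staff meeting.
"""
```

Urgency or a payment request alone does not trip the check, since plenty of legitimate mail is urgent; the hold is triggered by pressure combined with a sender identity that does not add up.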
4 – Stress Mobile Security
There’s a trend toward phishing attacks appearing in apps like Slack, Skype, Teams, Facebook Messenger, and other chat software. According to IBM, mobile users are 3x more vulnerable to phishing attacks than desktop users. This isn’t a problem that can be automated away, because these applications don’t have the same built-in security functions that email clients have developed over the years. Instead, you’ll have to train employees to change their mindset and be vigilant about links and private information no matter what platform they’re on.
Phishing Protection for Businesses in NYC
For companies that don’t feel well-protected from phishing and other cybersecurity threats, it may be beneficial to work with a cybersecurity expert. Manhattan Tech Support has been providing businesses in New York City with cybersecurity expertise for two decades. Our security division, Kaytuso, can help bring your security protections up to date and train your team to spot phishing attacks before they damage your company. If you’d like more information about how we can help, contact us at 212-299-7673 or firstname.lastname@example.org.
We look forward to speaking with you!