In an ideal world, cyber security would be a set it and forget it kind of thing. You walk through the process, secure everything, and go about your business. Unfortunately for us, that’s just not possible.
Cybercriminals are always on the hunt for new ways to access systems and separate us from our data (and money). Perhaps the biggest piece of the puzzle is knowing exactly what these attacks look like, so that you can prevent your business from being a victim.
The different kinds of attacks that you and your business face
There’s a common thread to all of these attacks – they rely on people either not paying close enough attention to what they’re doing or simply not knowing how a cyberattack starts or what it looks like. As you’ll notice, most of these attacks are variations on that theme.
Phishing is probably the most well-known of these attacks. With phishing, cybercriminals send a message, usually by email, to potential victims in the hope that they’ll click on a link that loads malware onto their computer (and the network). These messages are getting increasingly sophisticated. It wasn’t that long ago that phishing emails were easy to spot because the branding was off or the return address was clearly suspicious.
These days, however, it’s not as easy to identify phishing attempts. You’re often forced to think, “Would my bank actually send me an email like this?” More often than not, the answer is no.
Vishing shares goals with phishing, but the method is a little different. Where phishing relies largely on email, vishing attempts come through the phone. You get an official-sounding phone call from someone telling you your bank account was compromised, or you owe the government money, or that your computer has been hacked and they want to help you fix it.
With vishing, you’re expected to call back and the person on the other end gets you to visit a compromised URL that installs a virus or malware on your computer. Again, it’s usually pretty obvious that these are scams or hackers, but if you know you’ve done something recently that could lead to a virus or if you’ve been traveling and it’s possible that your credit card was compromised, it’s easy to fall victim.
Another variation is smishing. With smishing, the main attack vector is text messages. SMS messaging tends to be more trusted than most other forms of communication, which means people are more likely to fall victim. This trust has led to an increase in smishing attacks of more than 300% in Q3 of 2020 alone.
The goal with smishing is often to get you to click on a link, but it can be to call back, similar to vishing.
Pharming is the hardest one to notice because often, the user hasn’t done anything wrong. With a pharming attack, a website is first compromised by hackers. They then direct any and all traffic away from the original website to a fake site that contains a virus.
The challenge is that you could visit the same website every day for months without anything happening, but one day, you’re sent to the fake site.
What can you do to prevent these types of attacks?
The single best thing you can do to prevent these types of attacks is to educate your team. Human error is the cause of a large majority of cyberattacks and phishing is still one of the most commonly used approaches to gain entry to businesses, with more than 20% of all breaches coming from phishing attempts.
What this means is that you need to make sure that everyone in your organization, from the top to the bottom, knows what these attempts look like. It’s not enough these days to rely on being protected by an antivirus platform; you need to stop attacks before they start.
Along with taking the time to educate your team on what these attacks look like, you need to take this one step further and run drills on them as well. You can hire cybersecurity experts to send them fake phishing emails that are designed to test everything they’ve just learned about cyberthreats. These help people to truly understand how easy it is to accidentally click on a bad link and reinforce the need to be critical of everything you receive. Even emails and messages from trusted sources can be phony, something that we see all the time on social networks and in our daily inboxes.
It also helps to have strong access control in place. This means making sure that people have access to the parts of your network they need to do their jobs and nothing more. Even the head of a company needs access to some things, but not everything. They don’t need root access to your network, for example. This limits the damage a cybercriminal can do if they get into your network. With good access controls in place, it’s easier to completely isolate the issue and solve the problem. Think of it like someone breaking into your house, but only being able to rummage around in the broom closet, instead of getting into everything.
Similar to this is the need to have good identity management systems in place. This means regularly making sure that current employees and contractors have the access they need, but that former employees and contractors aren’t still in the system. This removes the risk of orphaned accounts being exploited, and it keeps people who no longer work for you from being hacked and unintentionally providing access to your network.
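The two checks above (nothing beyond a role’s needs, and no accounts left behind by former staff) can be run as a periodic reconciliation. The script below is an added illustration, not code from the original post; the roster shape, the role-to-groups mapping and all sample accounts are constructed assumptions.

```python
"""Reconcile an account directory against an HR roster.

Added example: flags orphaned accounts (no active roster entry), accounts
holding groups beyond what their role needs, and accounts nobody has used
recently. All data here is constructed sample input.
"""
from dataclasses import dataclass

# Assumed least-privilege baseline: which groups each role is allowed to hold.
ROLE_GROUPS = {
    "accounting": {"finance-share", "email"},
    "sales": {"crm", "email"},
    "it-admin": {"email", "crm", "finance-share", "domain-admins"},
}


@dataclass
class Account:
    username: str
    groups: set          # groups the account actually holds
    last_login_days: int # days since last login


@dataclass
class Finding:
    username: str
    issue: str           # "orphaned", "excess-access" or "stale"
    detail: str


def reconcile(roster, accounts, stale_days=90):
    """roster maps username -> (role, is_active); returns a list of Findings."""
    findings = []
    for acct in accounts:
        entry = roster.get(acct.username)
        if entry is None or not entry[1]:
            # Owner has left or never existed in HR: remove or re-own the account.
            findings.append(Finding(acct.username, "orphaned", "no active roster entry"))
            continue
        extra = acct.groups - ROLE_GROUPS.get(entry[0], set())
        if extra:
            findings.append(Finding(acct.username, "excess-access", ",".join(sorted(extra))))
        if acct.last_login_days > stale_days:
            findings.append(Finding(acct.username, "stale", f"{acct.last_login_days} days since login"))
    return findings


def run_sample():
    """Constructed roster and directory export; returns the findings."""
    roster = {"alice": ("accounting", True), "bob": ("sales", False), "carol": ("sales", True)}
    accounts = [
        Account("alice", {"finance-share", "email", "domain-admins"}, 3),
        Account("bob", {"crm", "email"}, 120),
        Account("carol", {"crm", "email"}, 200),
        Account("svc-backup", {"domain-admins"}, 1),
    ]
    return reconcile(roster, accounts)
```

In practice the roster comes from HR and the account list from a directory export; the findings feed the offboarding and access-review process rather than being acted on automatically.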
Get serious about security
If you’d like to learn more about how you can prevent these attacks, including how to educate your team on the kinds of attacks that are out there, let’s talk.
We have been guiding our clients in proactive prevention and end-user learning for more than 20 years and have programs in place that not only provide training, but help execute phishing drills that give you hands-on experience in dealing with phishing, smishing, and vishing (that won’t compromise your business).
Contact us today to learn more.