Phishing: A Global Threat to Employees in 2021
In the world of digital warfare, phishing attacks are one of the most dangerous and prevalent cybercrimes organizations are facing today. Fraudsters are using Artificial Intelligence (AI) and Machine Learning (ML) techniques to advance their attack methods.
According to the 2021 State of the Phish Report, published by Proofpoint, 57% of respondents said that their enterprise experienced a successful phishing attack in 2020. Another report – namely the Phishing Activity Trends Report, 1st Quarter 2021 – also recorded historic growth in phishing attacks, and January 2021 smashed all previous records. Look at the following graph for more detail:
What Are the Mostly-Used and Trickiest Template Themes in Phishing Attacks?
Phishers frequently develop new and innovative phishing tactics and strategies to circumvent the rules and defense systems built by cybersecurity professionals. Scammers use Tactics, Techniques, and Procedures (TTP), many of which are catalogued in the MITRE ATT&CK framework.
Fraudsters often capitalize on the latest trends to create phishing template themes in order to trick a victim into divulging sensitive information such as Personally Identifiable Information (PII).
Trickiest Template Themes
- Covid-19 mask availability and free vaccines
- Reminders related to an overdue invoice
- World Cup T20 2021 advanced ticket sales
- Free month of Netflix streaming for employees
Mostly-Used Template Themes
- Covid-19 is a key phishing template theme. People frequently receive health warnings and advisory alerts, usually purporting to come from the World Health Organization (WHO).
- Password expiration notices associated with Microsoft 365.
- Fake warnings showing that your old OneDrive account has been deactivated.
- Deceptive OneDrive shared contract notifications.
- UPS shipping notifications.
- New voicemail message alerts.
A phishing email often contains malicious links or attachments, and can often be spotted by its poor grammar, spelling errors, unprofessional graphics, unnecessary urgency, and generic greetings such as “Dear Customer” instead of your name. When building end-user phishing awareness training, organizations should include the aforementioned mostly-used template themes; as new themes become prevalent, they too should be incorporated. While a phishing awareness training program should be current to be most effective, not running one at all is allowing the perfect to be the enemy of the good.
What Are the Different Types of Phishing Attacks?
Phishing attacks come in various types that attackers use in different circumstances to achieve their malicious agenda. Below is a list of some of the most common types of phishing scams:
- Spear phishing
- Email phishing
- Domain spoofing
- Social media phishing
- Water hole phishing
- HTTPS phishing
- Evil Twin
- Angler phishing
- Business Email Compromise (BEC)
- Search engine phishing
What Is the Impact of a Phishing Attack?
Phishing attacks have a serious impact on the affected organization. Proofpoint’s 2021 State of the Phish Report revealed that 17% of organizations reported malware attacks as a result of phishing scams and 47% suffered a direct loss. See the following graph for more detail:
How Do I Prevent Phishing Attacks?
The single best way to prevent a successful phishing attack can be summed up in three words: TRAINING, TRAINING, TRAINING.
Successful phishing attacks rely on people who can be “tricked” into doing what the cyber-criminal wants them to do; this is called social engineering. By impersonating real-world people or companies, or by playing on the emotions of the person being phished, cyber-criminals use them as pawns in their scheme to steal, extort, or just wreak havoc. Only when people can recognize a phishing attack can they prevent it from being successful. Educating them and continually testing their ability to identify and report these attacks is, ultimately, the cure for this threat.
Follow these tips to help you or your team to prevent a successful phishing attack:
- Learn proper email security etiquette and actively participate in security programs.
- Immediately report any suspicious email to your IT department or designated individual or team.
- Collaborate and communicate with security professionals.
- Employ an ongoing simulated phishing training program to educate employees.
- Include a reporting system that correlates phishing reporting and failure (a.k.a. individual victim) rates so that you can quantify resiliency.
- Protect your accounts using Multi-Factor Authentication (MFA).
- Use an email spam filter to scan for phishing emails and block them from reaching your inbox.
- Use a next-generation antivirus/antimalware program and keep it up to date.
- Regularly back up all of your critical files.
- Don’t click on malicious links or attachments. We like the term “Loose Clicks Sink Ships!”
- Forward suspicious emails to your IT department or designated individual or team without opening them.
- Never trust alarming messages; confirm with the sender by calling them.
- Never trust gifts or free money offers.
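To make the reporting-system tip measurable, here is an added example (not code from the original post) that scores constructed simulated-phishing results per campaign and per department: failure rate is clicks over emails sent, report rate is reports over emails sent, and the resilience factor, assumed here to be report rate divided by failure rate, is used to rank which groups need training first.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class SimResult:
    """One recipient's outcome in one simulated phishing campaign (constructed data)."""
    campaign: str
    department: str
    clicked: bool    # opened the lure link/attachment, i.e. a failure
    reported: bool   # forwarded the email to the security team


def resiliency(results, key=lambda r: r.campaign):
    """Group results by `key` and return failure rate, report rate and the
    resilience factor (assumed definition: report rate / failure rate)."""
    buckets = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for r in results:
        b = buckets[key(r)]
        b["sent"] += 1
        b["clicked"] += r.clicked
        b["reported"] += r.reported
    stats = {}
    for group, b in buckets.items():
        fail = b["clicked"] / b["sent"]
        rep = b["reported"] / b["sent"]
        # A group with zero failures has unbounded resilience; avoid dividing by zero.
        factor = round(rep / fail, 2) if fail else float("inf")
        stats[group] = {"failure_rate": round(fail, 3),
                        "report_rate": round(rep, 3),
                        "resilience_factor": factor}
    return stats


def rank_for_training(stats):
    """Groups ordered from least to most resilient, i.e. training priority."""
    return [g for g, s in sorted(stats.items(), key=lambda kv: kv[1]["resilience_factor"])]


def _make(campaign, dept, clicked, reported, n):
    return [SimResult(campaign, dept, clicked, reported) for _ in range(n)]


# Constructed results: two campaigns using themes named in the post.
SAMPLE = (
    _make("Q1-overdue-invoice", "finance", True, False, 3)
    + _make("Q1-overdue-invoice", "finance", True, True, 1)   # clicked, then reported
    + _make("Q1-overdue-invoice", "sales", False, True, 1)
    + _make("Q1-overdue-invoice", "sales", False, False, 3)
    + _make("Q2-m365-password", "finance", True, False, 2)
    + _make("Q2-m365-password", "finance", False, True, 2)
    + _make("Q2-m365-password", "sales", False, True, 4)
)
```

Running `resiliency(SAMPLE)` shows the second campaign's resilience factor rising from 0.5 to 3.0, while `resiliency(SAMPLE, key=lambda r: r.department)` singles out finance as the group to train first.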
Phishing scams are the dominant form of cyberattack against you and your business. They rely on you to ensure their success. Organizations face reputational damage, compliance issues, financial losses, and more when they fall victim. Digital fraudsters use different Tactics, Techniques, and Procedures (TTP) to lure the victim into revealing sensitive information. To thwart phishing attacks, train yourself and your employees to spot them before you become another statistic.