How to protect your company against phishing attacks?

June 14, 2021
Phishing is one of the best-known and most widespread cyber-attacks on the internet, and it deserves your attention because it can cause substantial financial losses and put companies in irreversible situations.
According to Verizon’s 2021 Data Breach Report, 96% of phishing attacks arrive by e-mail. Another 3% are carried out through malicious websites and just 1% via phone.
As stated in SonicWall’s 2020 Cyber Threat Report, in 2019 PDFs and Microsoft Office files (sent via e-mail) were the delivery vehicles of choice for cybercriminals. Why? Because these files are universally trusted in the modern workplace.
To help you understand how to protect your business from phishing attacks, we would like to share some recommendations that every business should adopt. In addition, we also present cyber-crime data and examples of phishing campaigns.

What is phishing?

The attack’s name comes from the junction of two words, “fishing” and “phreaking,” the latter a term born in 1900 and associated with telecommunications effectiveness tests.
In this sense, the term refers to digital fishing: cybercriminals “fish” for their victims, using fraudulent e-mails as “bait,” in an “ocean” of business options that the internet represents.
Its operation is simple. Through an e-mail, the scammer convinces the user to take some action, such as clicking a button or downloading an attachment, to gain a foothold on the victim’s computer and, later on, have your company and all its data in their power.
The consequences are diverse: data theft, payments, information manipulation, access to confidential content, among others.

Phishing attacks in numbers

KnowBe4 estimates that around 156 million e-mails are delivered every day, of which only 16 million pass through filters. Users click on phishing links in 800,000 of them.
Among users who take action upon receiving a fraudulent e-mail, an estimated 80,000 share sensitive information. In addition, approximately 250,000 new phishing URLs are identified every four months.
The numbers above show that applying protection to your e-mails is very important, along with security awareness training for your employees.
When you associate the root cause of phishing attacks with your employees’ awareness process, you can see that they are your company’s last security barrier, so you need to “educate” them about cybercrime.

Phishing Campaigns

A recent phishing campaign involves the logistics company DHL. Criminals impersonate the company to distribute different threats such as viruses, worms, RATs, and ransomware.
In this campaign, the method used was a DHL-themed delivery invoice, sent via e-mail, notifying victims that a new delivery was waiting for them.
To print the package details, the victim would click on a link within the body of the e-mail. This link hid a malicious Microsoft Word file containing a link to the attacker’s remote-control server.
Criminals also launch phishing campaigns that try to convince the user that the e-mail was sent by their bank branch or social security, seeking information that could be used to take over an account.
Phishing campaigns using fake bills are also frequent. In this case, criminals seek to convince the victim that the statement sent for payment is legitimate.
Attackers also use sophisticated social engineering techniques to camouflage phishing attacks in regular-looking e-mails. KnowBe4’s analysis of real-world phishing e-mails revealed these to be the most common subject lines in 2020:
  • IT: Annual Asset Inventory
  • Changes to your health benefits
  • Twitter: Security alert: new or unusual Twitter login
  • Amazon: Action Required | Your Amazon Prime Membership has been declined
  • Zoom: Scheduled Meeting Error
  • Google Pay: Payment sent

Security Controls for Phishing

The more sensitive information a company handles, the greater its chance of becoming a target. Thus, large companies, government agencies, and political organizations are the primary victims of this attack.
That doesn’t mean, however, that small and medium businesses shouldn’t worry about phishing. Every company needs to implement practical phishing testing tools to ensure the safety of its environment.
Some organizations rely on several security controls, such as Secure E-mail Gateways (SEGs), sandboxing, and content disarm and reconstruction (CDR) solutions, to protect their employees’ mailboxes.
However, incorrect configuration or implementation of these controls can lead to a false sense of security.
Since a phishing attack needs the user to take some action before it can launch, it’s essential to continuously run security awareness exercises for all employees and to implement safe e-mail handling processes.
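As an added illustration (not code from the original article, nor from any vendor it mentions), the script below runs the kind of triage checks a mail-security control or an analyst would apply to an inbound message, using the indicators described in the DHL campaign and the lure subject lines above: a display name that claims a brand while the sender domain is not the brand’s own, a subject that matches a known lure, an Office or PDF attachment, and a link whose visible text names a different host than its real target. The brand-to-domain table, the lure list, the risky-extension list and the two sample messages are constructed for this example and are not authoritative.

```python
"""Triage checks for an inbound e-mail, built on the indicators the article
describes. Added example with constructed data; not production detection logic."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumed allowlist of domains each brand legitimately sends from (illustrative only).
BRAND_DOMAINS = {
    "dhl": {"dhl.com"},
    "amazon": {"amazon.com"},
    "twitter": {"twitter.com"},
    "zoom": {"zoom.us"},
}

# Subject fragments taken from the lure list quoted in the article.
LURE_SUBJECTS = ("security alert", "action required", "payment sent",
                 "scheduled meeting error", "asset inventory")

# Attachment types the article names as the usual delivery vehicles.
RISKY_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".pdf")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Extract the host part of an http(s) URL, or '' if the text is not a URL."""
    m = re.match(r"https?://([^/:\s]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def triage(raw: str) -> list:
    """Return human-readable findings for one raw RFC 5322 message (empty list = nothing flagged)."""
    msg = message_from_string(raw)
    findings = []

    # 1. Display name invokes a brand, but the sender domain is not that brand's (the DHL lure).
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and domain not in domains:
            findings.append(f"display name claims {brand} but sender domain is {domain}")

    # 2. Subject line matches one of the known lure patterns.
    subject = msg.get("Subject", "").lower()
    for lure in LURE_SUBJECTS:
        if lure in subject:
            findings.append(f"subject matches lure pattern '{lure}'")
            break

    # 3. Office/PDF attachments, and 4. links whose visible text shows one host
    #    while the href points somewhere else.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment {filename} is an Office/PDF delivery vehicle")
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for href, text in collector.links:
                shown = _host(text)
                if shown and shown != _host(href):
                    findings.append(f"link text shows {shown} but points to {_host(href)}")
    return findings


# Constructed sample modelled on the delivery-invoice lure described in the article.
SAMPLE_LURE = """\
From: "DHL Express" <notify@parcel-status-update.example>
To: employee@corp.example
Subject: Action Required: new delivery waiting for you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Print your package details: <a href="http://track-dhl.example/invoice">https://www.dhl.com/track</a></p>
--b1
Content-Type: application/msword; name="invoice.doc"
Content-Disposition: attachment; filename="invoice.doc"

ZmFrZQ==
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: "Alice" <alice@corp.example>
To: bob@corp.example
Subject: Lunch tomorrow?
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, triage(sample))
```

Each check on its own is weak (a legitimate DHL notification may arrive from a third-party mailer, and plenty of real e-mail carries PDF attachments), which is why a gateway, a sandbox or an analyst combines several such signals before deciding; the value of the script is in showing what those signals look like on a concrete message.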

How to promote security awareness

Most companies have a hard time promoting security awareness continuously, since it can be time-consuming and involve many employees. They shouldn’t worry anymore, though, because it is already possible to automate this process.
The e-mail attack simulation vector of the Cymulate Breach and Attack Simulation platform, for example, is designed to assess e-mail security and potential exposure through a series of malicious payloads sent automatically to the user’s mailbox.
Its operation consists of a simulated attack, which exposes critical vulnerabilities in the e-mail security framework.
By sending e-mails with attachments containing ransomware, worms, Trojans, or links to malicious websites, the simulation reveals whether the simulated malicious e-mails could bypass your organization’s first line of defense and reach your employees’ inboxes.
It is also possible to access the simulation results in a comprehensive and easy-to-understand report. As a result, the platform gives mitigation recommendations for each security gap discovered and offers information on how the threat managed to bypass security controls and move through the environment.

Conclusion

Phishing attacks are still on the rise and continue to gain traction.
Their consequences can lead organizations to irreversible damage by compromising confidential information, destroying reputations built over the years, or causing financial losses.
Thus, companies must rely on effective cyber-security measures and tools to protect the entire corporate environment against phishing attacks.
In addition, the IT team must strengthen its security management posture by continuously educating employees about existing cyber-crimes, so that they act as a human firewall.
Would you like to better prepare your company against this threat? Schedule a quick call with our experts and discover the best solutions to protect your business!

Source: HiveCore Enterprise Solutions LLC