It’s safe to say that we have all encountered a phishing email of some kind. Since the Covid pandemic, phishing scams have increased by a staggering 667%. In 32% of phishing emails the keyword ‘payment’ was used in the subject line. These attacks are far from harmless: in 2019, €26.2 billion was lost to business email compromise attacks.
So what exactly is phishing? The usual definition is a type of social engineering attack, often used to steal user data such as login credentials and credit card numbers, in which an attacker masquerading as a trusted entity dupes a victim into opening an email, instant message, or text message and acting on it: clicking a link, opening an attachment, or entering credentials on a fake page.
The annual Microsoft Digital Defense Report details how the picture has shifted. In the past, malware was the preferred way to harvest people’s credentials; today about 70% of illicit credential harvesting is achieved through phishing. Phishing emails often imitate top brands such as Amazon, Apple, Zoom, UPS, and Microsoft. Here’s a recent example impersonating Disney+.
Gone are the days when it was easy to spot an attempt to trick you. No longer is a Nigerian prince with bad spelling asking for financial assistance. Today’s phishing emails are ‘polymorphic’: the senders make minor changes to an existing template, subject line, sender name, or domain for each batch, so a filter that learned to match the previous version misses the next one.
If an attacker does manage to get in through one person in your company, they will use what they find in that mailbox (contacts, ongoing threads, signatures) to target other colleagues. Once an email arrives on behalf of a colleague (spoofed, or sent from the compromised account itself), addressing you by name and continuing an existing conversation, it is even harder to recognise as phishing.
There’s plenty more to share on the subject, but what should you do if you accidentally clicked on a link?
- Disconnect the device from the network if you can, and run a full antivirus scan as quickly as possible.
- If you shared bank details or codes, contact your bank immediately and block your cards.
- If you entered a password, change it on that account and on every other account where you reused it, and sign out of all active sessions where the service offers that option.
- Let your IT or security team know straight away, even if nothing seems to have happened. They can block the sender and the URL, check whether the same message reached other mailboxes, and take further measures.
- Report the attack to a national reporting site such as https://www.safeonweb.be/.
What can you do to prevent this from happening to you? Several steps reduce the threat of phishing attacks.
- Start with training. Follow, or organise, a training with colleagues on recognising emails that may be a threat, and run simulated phishing campaigns to keep you and your team on their toes.
- Always check the domain name of the website you are visiting for typos and look-alike characters (a ‘0’ in place of an ‘o’, ‘rn’ in place of ‘m’, or a brand name used as a subdomain of an unrelated domain). This is essential on sites that ask for sensitive data, such as your bank’s.
- Enable two-step verification wherever it is offered. Bear in mind that a convincing fake login page can relay a one-time code to the real site in real time; phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys are tied to the genuine domain and do not have that weakness.
- Use a secure email gateway, kept up to date, with filters that detect malicious links and attachments, and enforce sender authentication (SPF, DKIM, DMARC) so that mail spoofing your own domain is rejected.
- Make sure your antivirus software and your operating system are running the latest updates.
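The domain check in the list above is easy to automate, and automating it also catches tricks the eye misses. The following Python script is an added example, not code from the original post: it takes a link from a suspicious email and flags raw IP addresses, internationalised (punycode) hostnames, single-character typosquats, homoglyph substitutions such as ‘0’ for ‘o’ or ‘rn’ for ‘m’, and brand names used as a subdomain or hyphenated part of an unrelated domain. The allow-list of trusted domains, the sample links, and the “last two labels” rule for the registrable domain are assumptions made for the example; production code should use the Public Suffix List instead of the two-label rule.

```python
"""Lookalike-domain check for links found in suspicious emails (added example)."""
from urllib.parse import urlsplit

# Constructed allow-list of domains the organisation expects to see (assumption for the example).
TRUSTED_DOMAINS = {"microsoft.com", "amazon.com", "apple.com", "zoom.us", "ups.com"}

# Characters attackers swap in because they look alike in many fonts.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def hostname_of(url: str) -> str:
    """Extract the lowercase, IDNA-encoded hostname from a URL or bare host."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    # Unicode labels become 'xn--...' so homograph tricks are visible; ASCII hosts are unchanged.
    return host.encode("idna").decode("ascii").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'login.micros0ft.com' -> 'micros0ft.com'.
    Simplification (assumption): real code should consult the Public Suffix List,
    otherwise multi-label suffixes such as '.co.uk' are handled wrongly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(label: str) -> str:
    """Undo the common look-alike substitutions before comparing names."""
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def classify_url(url: str) -> tuple:
    """Return (verdict, domain, matched_trusted_domain_or_None).

    Verdicts: 'trusted', 'ip-address', 'punycode', 'lookalike', 'unknown'.
    """
    host = hostname_of(url)
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain, None)
    if host.replace(".", "").isdigit():          # a raw IP in a login link is a red flag
        return ("ip-address", host, None)
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("punycode", domain, None)        # e.g. Cyrillic 'а' in 'аpple.com'
    name = domain.rsplit(".", 1)[0]              # 'micros0ft' from 'micros0ft.com'
    for trusted in TRUSTED_DOMAINS:
        tname = trusted.rsplit(".", 1)[0]        # 'microsoft'
        # Trusted domain used as a subdomain of something else: 'microsoft.com.evil.net'
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            return ("lookalike", domain, trusted)
        # Same name on another TLD, homoglyphs, a one-character typo (only for names long
        # enough that distance 1 is meaningful), or the brand as a hyphenated component.
        if (normalise(name) == tname
                or (len(tname) >= 5 and levenshtein(normalise(name), tname) <= 1)
                or tname in name.split("-")):
            return ("lookalike", domain, trusted)
    return ("unknown", domain, None)


if __name__ == "__main__":
    # Constructed sample links, as they might appear in phishing emails.
    samples = [
        "https://login.microsoft.com/oauth",
        "http://micros0ft.com/verify",
        "http://rnicrosoft.com",
        "http://microsoft.com.evil.net/",
        "https://microsoft-login.com",
        "http://\u0430pple.com",
        "http://192.168.1.10/login",
        "https://example.org/",
    ]
    for link in samples:
        verdict, dom, match = classify_url(link)
        print(f"{verdict:11} {dom:22} {match or ''}  <- {link}")
```

The verdicts are deliberately coarse: anything other than ‘trusted’ deserves a second look rather than an automatic block, and ‘unknown’ simply means the domain is not on the allow-list. The levenshtein check is skipped for short brand names because with three or four letters almost any word is within one edit of them.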