Most of us have been the target of a phishing attack at some point. Sometimes these phishing attempts take the form of a badly worded and poorly formatted email, which rather helpfully makes them easy to spot.
While it’s easy to highlight examples of poorly executed phishing attacks, and draw the conclusion that phishing doesn’t really work, the fact is that phishing attacks can be very effective. Phishing attacks are on the rise and are becoming increasingly sophisticated. And with around 50% of all cyber attacks in the UK involving phishing, taking phishing seriously is critical.
So, what actually is phishing?
Phishing is the act of tricking an individual through digital communication into divulging sensitive information or performing a given action. Phishing attacks are usually performed on a large number of victims at once to increase the chance of success. A successful phishing attack can lead to the exposure of sensitive data such as login details and financial information as well as giving access to online account functionality.
Phishing attacks (sometimes referred to as smishing when delivered by text message) commonly involve receiving an email or text message containing a website link or a malicious attachment. Once the link or attachment is clicked, it may initiate a malicious request to a website the victim is already logged in to, or to an attacker's web server where the malicious action takes place. For example, the attacker may send the victim to their own web server, which mimics a popular web application such as Facebook or Gmail. When the victim enters their login details, the attacker collects these credentials and then forwards the victim on to the real site, leaving them none the wiser. The attacker later uses the captured credentials to log in to that web application and gain access to the victim's online account.
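The credential-harvesting flow above relies on a link that looks like it belongs to a brand but points elsewhere. The following is an added defender-side example, not code from the original article or from Predatech, that scans the links in a constructed sample email for two of the tell-tale signs: a hostname that contains a brand name (Facebook, Gmail, as mentioned above) but resolves to a different registrable domain, and visible link text showing one URL while the href points at another. The brand allow-list, the sample email and the two-label domain heuristic are assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of legitimate registrable domains for the brands named in the article.
BRAND_DOMAINS = {"facebook": {"facebook.com"}, "gmail": {"google.com", "gmail.com"}}


class _LinkParser(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Crude heuristic: last two labels. Adequate for .com brands; production code should use a public-suffix list.
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def flag_links(html):
    """Return (href, reason) findings for links that look like brand impersonation or text/target mismatch."""
    parser = _LinkParser()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reg = registrable_domain(host)
        for brand, official in BRAND_DOMAINS.items():
            if brand in host and reg not in official:  # brand name used on a domain the brand does not own
                findings.append((href, f"lookalike of {brand}: {reg}"))
        shown = re.search(r"https?://([^/\s]+)", text)  # visible text shows a URL; does it match the real target?
        if shown and registrable_domain(shown.group(1)) != reg:
            findings.append((href, f"visible URL {shown.group(1)} differs from target {host}"))
    return findings


# Constructed sample phishing email: one lookalike host, one text/target mismatch, one genuine link.
SAMPLE_EMAIL = (
    '<p>Unusual sign-in detected.</p>'
    '<a href="http://facebook.com.login-verify.example/session">Log in to Facebook</a><br>'
    '<a href="http://198.51.100.7/gmail">https://mail.google.com/</a><br>'
    '<a href="https://www.facebook.com/">Facebook</a>'
)
```

Running `flag_links(SAMPLE_EMAIL)` reports the first two links and leaves the genuine `www.facebook.com` link alone.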
What about spear phishing?
Spear phishing is a more focussed form of phishing in which the attacker tailors their digital medium (such as an email) to a specific target, for example the CEO of a company. Spear phishing requires more time and research from the attacker, but can increase the chance of success against that particular victim. Attackers draw on publicly available information, such as details from social media, company websites and published documentation.
How bad can a phishing attack really be?
Sophisticated phishing attacks can have a range of consequences. Gaining access to online user accounts can expose sensitive user information or allow the attacker to take certain actions, such as making bank transfers. It can also provide the attacker with information that helps them launch subsequent attacks against their unlucky victims.
What is the best defence against phishing attacks for businesses?
The IT industry has a natural tendency to look towards technical controls, but the simplest and most effective defence against phishing attacks is staff training. Your staff are on the frontline of your organisation, and ensuring that they receive regular, engaging and impactful cyber security training is a great first step.
How can Predatech help?
Predatech offers a range of security testing services, including vulnerability assessments and penetration testing, as well as certifications such as Cyber Essentials, which can help to protect your business against cyber attacks. Predatech also offers a dedicated phishing simulation service which can help you understand how your staff react to an attack, and the extent to which an attacker could extract information and cause damage. The results of a simulation can also be used to better engage staff and to help inform training.