What is phishing and is my business at risk?
A Grassroots Look at Phishing (In Case You Were Too Embarrassed to Ask)
Phishing. It seems like every day there’s a new phishing scam alert when you open an app or your emails. You know it has to do with sneaky fraudsters, but beyond that, you ask yourself, “What is phishing and is my business at risk?”
The word has become so commonplace that you feel like it’s too late to ask. Don’t worry. In this post, we go through the basics of phishing with no confounding technical speak.
Where Phishing fits Into the Cyberthreat Landscape
There are numerous types of cyber threats. You’ve probably heard names like DoS (Denial-of-service) and Malware (Malicious software) before. All cyber-attacks have one common goal, to gain access to your network—in simple terms, they hack.
Most often, the purpose of these hacks is to steal sensitive data. Sometimes, the attacks are just plain malicious and aim to disrupt, scramble and even disable your digital operations.
So, under the banner of cyberattacks lies social engineering attacks and just beneath that, lies phishing.
What is Phishing?
Phishing is the most common type of social engineering cyberattack. Here, cybercriminals impersonate a trusted source to fool you into handing over private information.
In other words, the attackers are fishing for information, hence the name. Fishing is the perfect analogy because the victims are quite literally baited.
Where phishing casts a wide net, spear phishing is a far more targeted attack that usually has a bigger agenda than reeling in passwords. Spear phishing typically targets you as a mark that is likely to give the attackers entry to your network through the front door.
You’ve heard of scams where criminals pretend to be the electrician or TV repair guy to force entry into an unsuspecting victim’s house? It’s the same idea as spear phishing. Both attacks use a similar modus operandi, so we’ll explain them together.
How Phishing and Spear Phishing Work
You receive an email about your SARS tax return when it happens to be tax season, so you think nothing of opening it. It says you need to verify the details. OK, plausible. You click the link to update online, OR you open the alleged form that needs filling. Too late.
- The attacks are designed to look like they come from a legitimate source so that you will open them. For example, the revenue service, your bank, your medical aid, or even Google Play or Apple Cloud.
- They will always ask you to supply credentials, a.k.a private information such as your ID number, a credit card number, or—most often—your login or banking details.
- They typically contain a link or attachment that once opened, allows malware on your computer. The malware is usually designed to retrieve (steal) even more information.
Who Do Phishing Attacks Target?
Sticking to the fishing analogy, usually, it’s whomever they can catch. In the case of spear phishing, an attacker may have their eye on a particular kind of fish—or whale for that matter.
There’s usually more than one victim because, although the scam targets an individual, the aim is to infiltrate an organisation.
My Business is small, or at least it doesn’t have a large client base, is it safe?
In the underbelly of the cybercrime world, data is currency (the more, the better). So the thinking goes, “A small catch leads to a bigger catch, which leads to a bigger catch.”
It doesn’t matter how many staff you employ, the size of your customer base or revenue. If a cybercriminal can get a few hundred email addresses, then they have a few hundred more targets. Plus, they now know that these unsuspecting victims will more than likely be expecting, and therefore open, communication from your company.
Some attacks deploy ransomware, a type of malware that will make your data inaccessible until you pay a ransom. Here, tech brands and financial services are prime targets.
How Can I Protect My Business from Phishing Attacks?
There are several steps to guard against phishing attacks, such as implementing robust firewalls with threat prevention and installing antivirus (with anti-spam and anti-phishing) software on all endpoint devices. They are all necessary, and they all work together to improve protection.
However, of them all, employee awareness training remains the most critical phishing prevention measure.
Remember that phishing is a form of social engineering, social being the operative word. They are deliberately disguised to be trustworthy, helping them to circumvent ‘normal’ security measures, and trick a person into taking their desired action. For this reason, people will always be the weakest defence.
Employees must receive regular cybersecurity awareness training. In this, they must know how to spot a phishing scam and what to do. Phishing scams grow more sophisticated each day, so it is essential that the training material is up-to-date and includes examples of the latest attacks.
Threat detection and prevention is a full-time job that requires specialised skills. In the same way that you would hire a physical security company, employing experts to manage your organisation’s cybersecurity is, arguably, the best thing you can do.