Phishing: 5 Things You Need to Know
Dating back to the 1990s, phishing is one of the oldest types of cyberattack, yet it remains an effective and widespread technique today because attackers keep refining their lures.
Phishing emails – where attackers pose as trusted colleagues or other contacts to trick the unwary into handing over passwords or other details – are easy to send and hard to combat.
Here are 5 things you need to know to protect your company from phishing.
1. It’s Extremely Successful
Many of the biggest data breaches in recent years, from the attack on Sony Pictures to the Democratic National Committee hack, started with phishing emails.
Yet many of us underestimate just how effective phishing is. The SlashNext Phishing Survey found some eye-opening results:
- 95% of respondents underestimate how frequently phishing successfully breaches enterprise networks
- Only 5% of respondents realize that phishing is at the start of over 90% of successful breaches
- Phishing is one of the most used and most successful attack vectors
2. It’s Everywhere
One in every 99 emails is a phishing attack. Gmail alone blocks more than 100 million phishing emails every day.
45% of IT professionals believe they experience 50 or more phishing attacks per month. 14% believe they experience more than 500 phishing attacks a month.
Phishing is also constantly evolving to outsmart existing protections. Google says 68% of the phishing emails it blocks each day are previously unseen variations. Avanan’s Global Phish Report found that 25% of phishing attacks bypass the default security measures built into Office 365.
Nearly 30% of IT professionals don’t believe their current security tools are effective protection against this threat.
15 Real-World Phishing Examples – and How to Recognize Them (CSO Magazine)
3. It Uses Social Engineering
Most of us are smart enough not to fall for a Nigerian prince’s plea or a get-rich-quick promise.
Today’s phishers know you’re not going to give money or information to a stranger. But what about your colleague? Your boss? Your company’s CEO? You wouldn’t say no to them, would you?
Social engineering is the practice of influencing people into taking action that might not be in their best interest. It does so by exploiting our trusting nature. We want to believe people are honest and telling us the truth.
So when you get an email that looks like it comes from someone you know or a source you trust (like a bank, Google, or Microsoft) asking you to log in to your account or send a payment to a new destination, most people don’t think twice before doing it.
Social engineering taps into the human psyche by exploiting powerful emotions such as fear, urgency, curiosity, or sympathy. For example, “Google” threatens to deactivate your account unless you log in immediately.
You may be thinking, “Well, so what if my employee gave out their Google login credentials?”
Considering that roughly half of employees reuse their business login credentials on personal accounts like Google, you should be very worried: a password stolen from a personal account often opens a corporate one too. And if an employee is duped by a fake Microsoft login page into giving out their Microsoft Office 365 credentials, you’re in big trouble.
10 Signs You’re Being Socially Engineered (CSO Magazine)
Hacking Your Head: How Cybercriminals Use Social Engineering (Malwarebytes Labs)
4. It Isn’t Just for Emails Anymore
You get an email from your bank asking you to change your account password. You click the link and arrive at what looks like your bank’s website, where you update your credentials as requested. Bam – you just gave a hacker the keys to your kingdom.
Cybercriminals are taking their phishing attacks to the next level by cloning trusted sites so closely that the fake is visually indistinguishable, often hosted on a lookalike domain and served over HTTPS so the browser shows a padlock. The attack begins with an email that appears to come from a legitimate sender and then sends you to what appears to be a legitimate website, all in order to trick you into handing over your sensitive information. The padlock only means the connection is encrypted; it says nothing about who is on the other end.
How to Spot a Phishing Website (GlobalSign)
Half of All Phishing Sites Now Have the Padlock (Krebs on Security)
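As an added example (this is not code from the original article, nor from Mimecast or any other vendor named here), the following Python script applies the checks a careful reader would make by eye to the links in an HTML email: does the visible link text name one domain while the href points to another, is the host a punycode/IDN lookalike, and does a trusted brand name appear inside an unrelated domain. In line with the Krebs article above, it deliberately treats https:// as no evidence of legitimacy. The sample message, every domain name in it, and the TRUSTED_BRANDS list are constructed assumptions; the registrable-domain guess is simplistic and a real deployment would use the Public Suffix List.

```python
"""Flag suspicious links in an HTML email body.

Added example, not from the original article. The sample message, the
domain names and the TRUSTED_BRANDS list are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brands this organisation's users actually deal with.
TRUSTED_BRANDS = ("examplebank.com", "google.com", "microsoft.com")

# Link text that looks like a bare URL or domain (e.g. "https://www.x.com/a").
_DOMAINISH = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

# Constructed phishing-style message. The xn-- host is an IDN label that
# renders as a Latin-looking brand name in a browser.
SAMPLE_EMAIL = """
<p>Dear customer, your ExampleBank password expires today.</p>
<a href="https://examplebank.com.secure-login.net/reset">https://www.examplebank.com/reset</a>
<p>Or update via <a href="https://accounts.google.com/">your Google account</a>.</p>
<a href="https://xn--80ak6aa92e.com/">Verify now</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host of a URL ('' if none). Scheme is added if missing."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    """Crude registrable-domain guess: the last two labels.
    Assumption: adequate for .com-style TLDs; use the Public Suffix List
    for anything real."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_links(html):
    """Return [(href, [reason, ...]), ...] for links that warrant a look.
    Note: https:// is never treated as a sign of legitimacy."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        host = _host(href)
        reg = _registrable(host)

        # 1. Visible text names one domain, the href goes to another.
        shown = _host(text) if _DOMAINISH.fullmatch(text) else ""
        if shown and _registrable(shown) != reg:
            reasons.append(f"text shows {shown} but link goes to {host}")

        # 2. Punycode or raw non-ASCII host: likely homoglyph lookalike.
        if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
            reasons.append("IDN/punycode host, possible homoglyph of a real brand")

        # 3. Trusted brand name buried in an unrelated registrable domain.
        for brand in TRUSTED_BRANDS:
            name = brand.split(".")[0]
            if reg != brand and name in host:
                reasons.append(f"'{name}' embedded in unrelated domain {reg}")

        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for link, why in suspicious_links(SAMPLE_EMAIL):
        print(link)
        for reason in why:
            print("  -", reason)
```

Run against the constructed message, the script flags the secure-login.net link twice (text/href mismatch and embedded brand) and the punycode host once, while the genuine accounts.google.com link passes. Checks 1 and 3 are exactly what a user is asked to do by hovering over a link; check 2 catches the homoglyph domains that no amount of hovering reveals.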
5. Employee Training is Your Best Bet for Stopping It
Google found that 45% of internet users don’t understand what phishing is or the risk associated with it.
Even younger generations like Gen Z aren’t as well-versed in security practices as you’d think. While 71% said they are too smart to fall for a phishing scam, only 44% said they actually know what “phishing” means.
All the cybersecurity tools in the world can’t help you if your employees choose to interact with a phishing email. Training people on what to look for is key, and it complements rather than replaces the filtering your tools already do: training lowers the click rate, it never drives it to zero. But you can’t count on end users to read through long anti-phishing emails, much less show up to a boring seminar about it.
That’s why companies like our partner Mimecast are making phishing training so fun that people can’t help but want to participate. You can learn more about it in our blog post: Email Security Training That’s Actually Fun
For more information on how to stop email attacks, visit our Resource Library.