Conscious employees as the weapon against phishing attacks
In recent years, the danger of phishing attacks has increased enormously. And although every organization or individual is a potential target, there is still a feeling among some organizations that 'it doesn't happen to us anyway'. What does the phishing risk look like today and, more importantly, how do you resist it? A conversation about this with Project Manager Awareness & Social Engineering Timo Koot. "Keeping employees alert is essential to be able to arm your organization well against phishing."
Phishing, as the name implies, is the 'fishing' for data and other sensitive information. "That definition is still the same as it was ten years ago, but the techniques and methods used have changed," Timo begins the conversation. "This method is, of course, becoming increasingly sophisticated and reacts to current events. Where previously the well-known phishing emails contained poor language and formatting, now more and more emails are indistinguishable from the real thing. Furthermore, phishing is no longer only carried out via email, but also via telephone, post, SMS or WhatsApp."
Increased threat
Due to the outbreak of the COVID-19 crisis, the threat of phishing has increased considerably, according to Timo. "You can clearly see a shift from offline to online crime. Now that everyone is sitting at home and working, 'offline' breaking in has become very difficult. But because everyone is busy online, the chance of breaking in online via phishing is increasing. In addition, employees are often alone at home, which makes them more vulnerable to phishing attacks. They are more dependent on themselves and are more easily distracted by the lack of a suitable workplace or by children, which malicious parties want to take advantage of. And unfortunately, they succeed because, in the tests that we carried out last year, we saw that the number of clicks and logins increased by roughly 30 percent compared to the situation before the corona crisis."
Everyone as a potential target
According to Timo, phishing has two possible primary purposes: obtaining sensitive information and data to resell it, or gaining access to an organization's network. "In the latter case, the criminals look for valuable information or the crown jewels of the organization and then 'take them hostage.' This means that information is encrypted by the criminal so that the organization no longer has access to this data. Only against payment can the organization possibly get the data back. Certain sectors will be under extra scrutiny from criminals because they have a large amount of valuable information or sensitive data. For malicious parties, this can be exploited. But basically, any organization or individual is a potential target for phishing attacks."
Spear phishing
There are several ways in which phishing occurs. For example, the well-known general phishing email is sent to large groups of people, but more specific attacks also exist. "Criminals then focus on one specific employee. This form is also called 'spear phishing'. A well-known form of this is CEO fraud. The criminal pretends to be the director or someone else with a high-ranking position. This way costs criminals more time because they need to collect information about the organization, come up with a credible story, and interact with the employee. But the possible returns are enormous. Think, for example, of Pathé, which lost 19 million euros in 2018 due to this form of phishing."
MFA and strong passwords
With technical measures, the risk of a phishing attack can be reduced. "Spam filters and firewalls are getting better at recognizing and stopping these emails, but one of the most important measures you can take is Multi-Factor Authentication (MFA). MFA prevents criminals from accessing a system with only your credentials. In addition, strong passwords also contribute to reducing the danger because simple passwords can easily be cracked by software."
At work and at home
But with just the technical measures, you are not there yet. Timo: "It is necessary to keep the awareness among employees high and set up clear procedures and processes about sharing and handling information. Furthermore, just warning about phishing is not enough. You also have to make it tangible and close to employees, for example, through presentations or sessions about the subject. But also by sharing received phishing emails so that employees will recognize them. Additionally, it is essential to pay specific attention to dealing with and verifying requests that ask you to share employee or customer data. A malicious request is then noticed by employees much faster. In addition, phishing is a topic that employees have to deal with in the workplace and privately. This makes it an easy subject to discuss. Making employees more aware is a continuous process and not a subject that should be addressed once."
Insight into awareness
Audittrail can help organizations with this through its phishing tests, which can be carried out via email and SMS. "In this way, organizations gain insight into the awareness of their employees about phishing," Timo explains. "Especially now that employees are working from home, it is important to gain insight into how employees deal with these types of actions. In addition to a report containing the test results, a phishing test also provides insight into the incident response. It is extremely valuable to follow the reactions within the organization as a result of a test. How quickly does the first notification come in? And how do employees react after a report has been made internally? These findings can then be considered in awareness sessions."
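The metrics a phishing test yields, as described above, can be computed from a per-recipient event log. The following is an added illustration, not Audittrail's own tooling: the log records, timestamps and recipient ids are constructed, and the "clicks after first report" metric is an assumed way of measuring how fast an internal warning reaches the rest of the staff.

```python
from datetime import datetime

# Constructed phishing-simulation log (not real data): one tuple per recipient,
# (recipient, clicked_at, login_at, reported_at); None means it did not happen.
SEND_TIME = datetime(2021, 3, 2, 9, 0)


def t(hour, minute):
    """Timestamp on the (constructed) send date of the test mail."""
    return datetime(2021, 3, 2, hour, minute)


EVENTS = [
    ("u01", t(9, 4), t(9, 5), None),   # clicked and entered credentials
    ("u02", t(9, 6), None, t(9, 7)),   # clicked, then reported the mail
    ("u03", None, None, t(9, 3)),      # reported without clicking
    ("u04", t(9, 20), t(9, 21), None),
    ("u05", None, None, None),
    ("u06", None, None, t(9, 15)),
    ("u07", t(9, 2), None, None),
    ("u08", None, None, None),
    ("u09", t(9, 30), None, t(9, 31)),
    ("u10", None, None, None),
]


def summarize(events, send_time):
    """Click/login/report rates plus incident-response timing for one test."""
    n = len(events)
    clicks = [c for _, c, _, _ in events if c]
    logins = [l for _, _, l, _ in events if l]
    reports = [r for _, _, _, r in events if r]
    first_report = min(reports) if reports else None
    return {
        "recipients": n,
        "click_rate": len(clicks) / n,
        "login_rate": len(logins) / n,
        "report_rate": len(reports) / n,
        # how quickly the first internal notification came in (None if never)
        "minutes_to_first_report": (
            (first_report - send_time).total_seconds() / 60 if first_report else None
        ),
        # clicks that still happened after the mail had already been reported
        "clicks_after_first_report": sum(
            1 for c in clicks if first_report and c > first_report
        ),
    }


def relative_change(before, after):
    """Fractional change of a rate against a baseline test (0.3 means +30 %)."""
    return (after - before) / before
```

Running `summarize(EVENTS, SEND_TIME)` on the constructed log gives a 50 % click rate, a 20 % credential-entry rate, a first report after 3 minutes and four clicks that still occurred after that report; `relative_change` compares a rate with the same rate from an earlier test.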
Stay alert all the time
Because the phishing risk among organizations will only increase further in the coming years, Timo concludes: "People make mistakes and are impressionable; that will not change. That is why phishing will continue to develop and make use of new technologies and methods. For example, I see artificial intelligence as a real threat in the future, particularly through deepfakes. This makes it harder to distinguish real from fake. Criminals can use this in phishing attacks by pretending to be or sounding like an organization employee. Therefore, awareness about the dangers of phishing and knowing what to look out for will become even more critical in the future."