Anyone can be the target of a phishing attack. No matter how big or small your company is. No matter which industry you’re in. It’s so simple now to set up accounts and distribute emails that cyber criminals can easily send out millions of messages in the hope of catching just a few in their wide net. All it takes is one user to click on a malicious link and the security of an entire organisation can be compromised.
Alternatively, your company could be the target of a more sophisticated spear phishing attack. This takes considerably more effort as it requires research and knowledge of individuals and business operations, but means the messages can appear much more authentic and are harder to protect against. Unsurprisingly, a recent study found that these targeted campaigns comprise just 0.1% of all email-based attacks.
However, their personalised nature means they are responsible for around two thirds of all security breaches. In 2023, the National Cyber Security Centre (NCSC) found Iranian and Russian spear-phishers were targeting UK nationals with sophisticated campaigns designed to elicit sensitive information and enable credential theft and compromise.
How damaging is phishing?
Being the victim of a phishing attack is damaging in many ways. First, most are designed to extort money in some way from either individuals or companies, so significant financial losses can occur.
But that is often only the beginning.
Identifying the security breach and rectifying it is a huge operational task that costs both time and money. And once news of the breach gets out, which it usually does, a company can suffer devastating reputational damage. Even if there are no direct financial losses, the fallout of a phishing attack can have catastrophic consequences that affect long term success. After all, who wants to deal with an organisation that can’t keep its own or customers’s data safe?
Given the potential for such negative PR, it’s understandable that Booking.com insisted that their systems hadn’t been breached during a 2023 phishing attack. However, this has clearly cost customers, hotels, and other partners significant amounts of money, and will almost certainly make people think twice before using their services in the future.
Email continues to reign as the top choice for cyber attackers looking to phish their victims, with many of these deceitful campaigns kicking off with a cleverly crafted "bait" or "reconnaissance" email. These bait emails serve a dual purpose: confirming the existence of the victim's email account and gathering additional information about the victim, enabling cybercriminals to launch more precise and targeted attacks in the future. The more insight the attacker gains into their victim, the greater the likelihood of manipulating them into falling for their deceptive tactics.
Over 90% of bait emails are sent via a Gmail account. This is likely because:
- Google is big. It is the second-largest email client by market share
- Gmail accounts are user-friendly and boast of being one of the quickest to set up. It helps that it is free, too.
- Gmail provides "read receipts," informing senders when a recipient opens their message, regardless of whether they respond or not.
According to research from KnowBe4, the common subject lines used in actual phishing emails in Q3 of 2022 were as follows:
- Equipment and Software Update
- Mail Notification: You have 5 Encrypted Messages
- Amazon: Amazon – delayed shipping
- Google: Password Expiration Notice
- Action required: Your payment was declined
- Wells Fargo: Transfer Completed
- DocuSign: Please review and sign your document
- IT: IT Satisfaction Survey
- Zoom: [[manager_name]] has sent you a message via Zoom Message Portal
- Microsoft: Microsoft account security code
From these subject lines, it is evident that cybercriminals have honed in on two key areas for their phishing attacks:
Firstly, individuals tend to place trust in emails that appear to be from well-known and reputable brands whose services they actively use.
This sense of familiarity and trust makes it easier for malicious actors to deceive recipients into clicking on harmful links or providing sensitive information.
Secondly, the global shift towards remote or hybrid work environments has opened up new opportunities for cyber attackers. With many organizations relying on cloud technologies for crucial communications and remote data sharing, malicious actors are quick to exploit potential vulnerabilities in these systems. The increased reliance on digital platforms and the seamless integration of cloud services have created a breeding ground for sophisticated phishing schemes.
By capitalising on these factors, cybercriminals can craft convincing emails that appear legitimate, making it more challenging for individuals to discern between genuine communication and malicious intent.
AI and Phishing
Phishing, bolstered by AI capabilities, poses a multifaceted threat to businesses. Advanced algorithms empower malicious actors to craft hyper-realistic emails, messages, or websites, mimicking legitimate entities with unprecedented accuracy. Through AI-driven social engineering, these campaigns exploit human vulnerabilities, bypassing traditional security measures with alarming ease. Moreover, AI augments phishing attacks by automating the customisation of deceitful content, amplifying their scale and impact. As AI evolves, the sophistication of phishing techniques will escalate alongside, challenging cybersecurity professionals to adopt equally innovative strategies to safeguard against this pervasive threat.
5 anti-phishing steps to take today
With the current statistics, it makes business sense to protect against phishing. If you haven’t yet, take action today to keep your business safe. Here are our five tips to kick off your defence against cyber criminals:
Configure accounts with the least amount of privilege necessary
The more accounts in your organisation that have access to sensitive information, the more chance there is of that information being compromised. Each user should be assigned access rights only to the information they need to do their jobs. That way, if they are the victim of a phishing attack, the damage would be limited.
Use multi-factor authentication (MFA)
It is highly recommended to use multi-factor authentication (MFA) for all your online accounts. MFA adds one or more additional layers of security to your accounts by requiring two or more authentication methods, such as a password and a code sent via SMS or generated by an authentication app.
Educate staff and encourage them to report suspicious activity
No matter how many security measures you have in place, it's beneficial to have watchful employees. Providing regular training and communication to make users aware of potential AI-powered scams or attacks can act as an added layer of protection against threats. AI-powered attacks can trick users into sharing sensitive information or downloading malware, which can result in data breaches or system compromise. Make sure that employees can easily report anything they believe to be suspicious, especially when it comes to AI-generated messages or requests. Let teams know that there will be no consequences if they think they may have been the victim of an AI-powered attack. It's much better to inform the IT team as soon as possible rather than having a user keep it to themselves because they're embarrassed about being fooled by an AI-powered scam.
Check your digital footprint
More sophisticated attacks will use information about your organisation and staff to make phishing emails more convincing. Consider how much information you need to display on your website and what level of detail is superfluous but could be useful to attackers. Also, be aware of what information your partners, contractors, and suppliers publish about your organisation online. And when training staff, educate them about how sharing too much personal information online can also have further implications.
Set up email filtering and actively monitor for attacks
Email filtering services will send phishing emails to spam or junk folders. However, they are only as good as the way in which they are configured. If the rules are too strict, important legitimate emails will be missed. If they are too relaxed, dangerous emails will get through to inboxes. So, it’s important not only to choose the best email filtering service, but also to ensure that it’s configured by experts for optimum effectiveness.
Depending on the size and skills of your IT department, some of these steps will be easier than others. But they are all crucial. Each is equally important in the ongoing battle against cyber criminals.
Speak to the experts
At Conosco, we take data security extremely seriously. We know customers need to have complete trust in their IT systems to not only perform effectively but also protect them from any external threats. We’ve invested heavily in our cybersecurity team so that you can focus on what you do best - running your business. Get in touch today to speak to one of our expert consultants and discover how we can keep your business, staff, and data secure.
