Everyone Can Contribute to Stopping Phishing Attacks With Security Awareness Training
Phishing has been around for decades but remains one of today's greatest—and fastest-growing—cyber threats. Phishing activity was already a growing challenge before the COVID-19 pandemic and has only gotten worse since.
By any measure, cyber attackers are clearly succeeding in their efforts to exploit human vulnerabilities. Yet research from the "2022 State of the Phish" report from Proofpoint found that only 53% of working adults know what phishing is.
The message for organisations: Phishing needs to be a focal point of their security awareness program.
What is phishing?
Phishing is an example of social engineering, which is a collection of techniques—including forgery, misdirection and lying—that attackers employ to manipulate human psychology.
Phishing emails use social engineering to encourage users to act quickly, without thinking things through. And when attackers succeed in tricking users with phishing messages, the rewards can include access to sensitive data, critical systems and networks, cloud accounts and often money.
Most phishing messages are sent by email. But some attackers deliver them through other channels, including smishing and vishing (sending SMS messages to users, or robocalling them with voice-changing software).
Three primary threats in phishing messages
There are three primary phishing strategies attackers use to try to trick the user: malicious links, malicious attachments and requests for sensitive data.
Attackers often use malicious URLs in phishing messages. When users click on a malicious link, it may take them to an impostor website, or a site infected with malware (malicious software). Often, attackers will carefully disguise these links in phishing messages so that they appear to be from trusted sources. Techniques may include using company logos or registering email domains confusingly similar to those of a trusted brand or business.
And all too often, the attacker succeeds. Our research from the "2022 State of the Phish" report shows that 1 in 10 users will click on a malicious link in phishing simulations.
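The lookalike-domain trick described above can be checked for on the defender's side. The following is an added example (not code from the original article or from Proofpoint): it folds common confusable characters, strips hyphens and accents, and compares the sender's domain with a constructed allow-list of trusted domains, flagging near-misses and brand names used as a leading label of some other domain.

```python
import unicodedata

# Constructed allow-list of domains the organisation trusts (sample values, not real).
TRUSTED_DOMAINS = ["example.com", "examplebank.com"]

# Character swaps that look alike in many fonts: digit/letter swaps and letter pairs
# that read as a single letter (e.g. "rn" for "m").
FOLDS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case, strip accents (NFKD), drop hyphens and fold common confusables."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    d = d.replace("-", "")
    for src, dst in FOLDS:
        d = d.replace(src, dst)
    return d


def sender_domain(address: str) -> str:
    """Return the domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for the sender's domain."""
    dom = sender_domain(address)
    for t in trusted:
        # Exact match or a genuine subdomain of a trusted domain.
        if dom == t or dom.endswith("." + t):
            return "trusted"
    for t in trusted:
        # Trusted name used as a leading label of a different domain (brand.com.other.test).
        if dom.startswith(t + "."):
            return "lookalike"
        # Same after confusable folding, or within one edit of the trusted domain.
        if normalize(dom) == normalize(t) or levenshtein(normalize(dom), normalize(t)) <= 1:
            return "lookalike"
    return "unrelated"
```

A "lookalike" verdict is a prompt for a warning banner or a closer look, not proof of fraud; the edit-distance threshold and fold table are assumptions to tune per organisation.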
Malicious attachments infected with malware can compromise computers and files, and they often look like legitimate file attachments. In phishing simulations we conducted for customers, we've observed that 1 in 5 users will open an email attachment.
It's important to explain to users the harm phishing can cause. Malware infections and ransomware delivered through a phishing attack can easily spread across networked devices—and even to cloud systems.
Requests for sensitive data are designed to convince the email recipient to return information such as login credentials, credit card details and more. They are often presented as a form (for example, from a tax authority promising a refund) to prompt the user to enter sensitive information.
Once the user fills out and submits the form, malicious actors can use that data for their personal gain.
All phishing attacks use social engineering
As noted earlier, phishing attacks are a form of social engineering. In an organisation’s security awareness training, it is important to draw attention to some of the ways that attackers take advantage of human psychology to manipulate users, such as by:
- Masquerading as someone or something the user would likely know and trust
- Taking advantage of emotions such as fear (or even just stoking the fear of missing out) to motivate users to act quickly
- Making exciting promises that sound too good to be true (and definitely are)
Also, malicious actors will often try to time their attacks for when a user is likely to have their guard down, such as when they're feeling tired or distracted. Many attackers will also study a company's billing cycle or learn when important meetings are held before they launch a phishing attack.
How every user can spot phishing lures
Phishing is a people-centric threat—so users play a significant role in protecting themselves and their organisations from this cyber attack. To help users become successful defenders against phishing, Proofpoint’s “3 Weeks of Cybersecurity Best Practices for ‘23” program can be an important first step. It provides three weeks’ worth of cybersecurity best practices and educational assets that IT security professionals can share within their organisations to help people become more knowledgeable about cyber threats so they can:
- Avoid falling for ransomware attacks
- Stay safe when working from home
- Remain vigilant against phishing lures