Phishing attacks are rising in numbers and in complexity, but what are the risks to businesses and how can you prevent and protect your organisation?
With many employees now working fully remotely, phishers and other attackers are exploiting every weakness they can find in a company's security controls, and the shift in working environment has only widened the opportunities open to them.
The phishing threat has drastically increased, with cybercriminals creating and sending thousands of phishing attacks daily. With such a sharp rise in numbers and an increase in their sophistication, phishing is now a major security concern for all organisations.
What is Phishing?
Phishing is a social-engineering attack in which cybercriminals deceive unsuspecting users into handing over personal information or credentials. Such attacks arrive through the tools we use every day: email (phishing), text messaging (smishing) and phone calls (vishing). Many phishing messages claim to come from a reputable company in order to gain the victim's trust, and the details harvested are then sold on the dark web or used for further malicious activity.
Recent reports on the latest statistics and trends in phishing over the last 12 months show that cybercriminals have launched thousands of new phishing pages every hour in order to gain personal information, steal corporate data and commit credit card fraud, and there is currently no sign of this slowing down.
In 2020, phishing increased by 42% compared with 2019. By mid-2020 the number of daily phishing threats had risen to over 25,000, an increase of 30% on 2019, and the upward trend has continued since.
Cybercriminals play on users' fear, curiosity and insecurities, encouraging them to believe they are clicking on trusted links. As the sophistication of phishing rises, these seemingly legitimate requests from recognised organisations and brands regularly catch people out. Common examples of recent sophisticated phishing attempts include emails purporting to come from HMRC, major banking providers, Amazon, Netflix, Royal Mail and PayPal, among many others. What these organisations have in common is that they are trusted, widely used and well known, and an email from them is something you might reasonably expect.
Pandemic Related Phishing Attacks
Another recent and widely seen phishing campaign has been built around the COVID-19 vaccination programme. With people across the UK due to receive their COVID-19 vaccinations, cybercriminals are taking full advantage of the roll-out with a variety of phishing scams. Pauline Smith, head of Action Fraud, the UK's national reporting centre for fraud and cybercrime, said, "we have seen an increase in the last two months, particularly around scam text messages."
Tech Radar reports that phishing attacks rose considerably during the rapid spread of COVID-19. Google detected 2.11 million phishing sites in 2020, a 25% increase on the 1.69 million malicious sites identified in 2019. Many people have received malicious SMS messages and emails disguised as NHS communications about vaccinations. Even when such a message looks genuine, it can still be used to steal your personal details: most contain a link to a site operated by cybercriminals that mimics NHS or government branding, designed to trick you into entering your personal and financial details.
What is the Risk of Phishing to Businesses?
If a user on your network clicks on a malicious link or otherwise responds to a phishing email, the natural assumption is that the attacker is simply after money. In reality they are usually after something far more valuable: your data. Some phishing attempts target the individual, harvesting login details, passwords and bank details for the employee's private accounts. For organisations the consequences are more serious, because the aim is to gain a foothold on the business's network and steal business-critical data.
Alongside the rise in phishing over the past 12-18 months of the pandemic, ransomware delivered by email has also risen, with several ransomware families recently circulated in phishing messages. In these scenarios a single user clicking one link or opening one attachment can give the attackers the entry point they need; from that initial foothold they can work their way across the network to the sensitive and critical information stored there.
In an attack of this nature the business may suffer a data breach, be locked out of its systems entirely, or both. Either outcome has a hugely detrimental effect: lost revenue, the cost of remediation, regulatory fines and in some cases ransom payments, along with reputational damage that lingers long after the incident itself has been resolved.
Financial & Reputation Ramifications
In addition to the immediate financial impact, the loss of reputation following a data breach has measurable, long-term effects on a business. A 2019 PCI Pal survey reported that 44% of UK consumers would stop spending with a business for several months in the immediate aftermath of a data breach, and 41% said they would never return to a business that had suffered one.
With the risk to business so high, businesses must address this rising threat and implement measures to prevent and protect themselves.
How can your Business Prevent Phishing Attacks?
Much of this risk can be reduced, and many such attacks prevented, with the right measures in place.
The main factor that needs addressing is the human vulnerability. Organisations will already have deployed firewalls, threat prevention, anti-virus and zero-day protection, all of which are a normal part of an IT security strategy; the often-forgotten weakness is the human element. People make mistakes, and a single lapse in concentration or a gap in awareness can be enough to cause a major data breach.
Just as you carry out regular network monitoring and network testing to ensure that your business and your users are protected, you should run regular human security testing to find the weaknesses in your workforce. By regularly evaluating and then educating end users, you create an additional security layer, in essence a "human firewall".
A regular, controlled phishing assessment, run as part of your business's security strategy, lets you measure the internal risk and shows exactly where human weaknesses lie, with the ability to deliver immediate remedial training the moment a malicious link is clicked or a phishing email is opened. Testing regularly, and then educating users immediately after they have clicked or opened something they should not have, strengthens your security measures significantly from within.
Krome’s Phishing Assessment Service
As part of our Security as a Service offering, Krome delivers a fully managed phishing assessment service, with management reporting on the overall level of vulnerability found across the users of your business.
- Using our phishing simulation platform, we link securely with your Active Directory
- A series of phishing content is created, tailored to your company
- Simulated phishing emails are sent to specific users or groups
- We analyse and report back on which emails succeeded and which users were caught out
- We identify weaknesses and deliver user awareness training
- Users who fail are redirected immediately to an e-learning system
- Users are re-tested after training with revised emails
- We benchmark and report on trends, and revise the testing based on the findings
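To make the measurement side of such an assessment concrete, here is an added illustration of the bookkeeping a phishing simulation needs: a unique, unguessable tracking token per recipient so that click and credential-submit callbacks can be attributed to a user, per-group failure rates, the set of users to route to training, and the change in click rate between a campaign and the re-test. This is example code written for this page, not Krome's platform or any real product; the users, groups, campaign secret and events are all constructed sample data.

```python
"""Minimal phishing-simulation tracker (illustration, not a real product)."""
import hmac
import hashlib
from collections import defaultdict

# Hypothetical per-campaign secret. Tokens are HMACs so a recipient cannot
# derive another recipient's token from their own and pollute the results.
CAMPAIGN_SECRET = b"constructed-campaign-secret-do-not-reuse"

# Constructed sample directory: users and the group each belongs to.
USERS = ["alice", "bob", "carol", "dave"]
GROUPS = {"alice": "finance", "bob": "finance", "carol": "it", "dave": "it"}

# Severity order of the callbacks a simulated email can generate.
RANK = {"open": 1, "click": 2, "submit": 3}


def tracking_token(campaign_id: str, user: str) -> str:
    """Unique token embedded in the user's link for this campaign."""
    msg = f"{campaign_id}:{user}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def worst_action_per_user(campaign_id, users, events):
    """events: list of (token, action). Returns {user: worst action seen}."""
    token_to_user = {tracking_token(campaign_id, u): u for u in users}
    worst = {}
    for token, action in events:
        user = token_to_user.get(token)
        if user is None:
            continue  # not a token we issued for this campaign: ignore
        if RANK.get(action, 0) > RANK.get(worst.get(user), 0):
            worst[user] = action
    return worst


def evaluate(campaign_id, users, groups, events):
    """Per-group click and credential-submit rates for one campaign."""
    worst = worst_action_per_user(campaign_id, users, events)
    per_group = defaultdict(lambda: {"users": 0, "clicked": 0, "submitted": 0})
    for user in users:
        g = per_group[groups[user]]
        g["users"] += 1
        if RANK.get(worst.get(user), 0) >= RANK["click"]:
            g["clicked"] += 1
        if worst.get(user) == "submit":
            g["submitted"] += 1
    return {grp: {"users": v["users"],
                  "click_rate": v["clicked"] / v["users"],
                  "submit_rate": v["submitted"] / v["users"]}
            for grp, v in per_group.items()}


def failed_users(campaign_id, users, events):
    """Users who clicked or submitted, i.e. who should be sent to training."""
    worst = worst_action_per_user(campaign_id, users, events)
    return {u for u, a in worst.items() if RANK[a] >= RANK["click"]}


def overall_click_rate(campaign_id, users, events):
    return len(failed_users(campaign_id, users, events)) / len(users)


def trend(before_id, before_events, after_id, after_events, users):
    """Change in overall click rate from one campaign to the re-test."""
    return (overall_click_rate(after_id, users, after_events)
            - overall_click_rate(before_id, users, before_events))


# Constructed callbacks for the first campaign, including a forged token.
EVENTS_C1 = [
    (tracking_token("c1", "alice"), "open"),
    (tracking_token("c1", "alice"), "click"),
    (tracking_token("c1", "bob"), "click"),
    (tracking_token("c1", "bob"), "submit"),
    (tracking_token("c1", "carol"), "open"),
    ("0000deadbeef0000", "submit"),  # unknown token, must be ignored
]

# Constructed callbacks for the re-test after training: only alice clicks.
EVENTS_C2 = [(tracking_token("c2", "alice"), "click")]

if __name__ == "__main__":
    print(evaluate("c1", USERS, GROUPS, EVENTS_C1))
    print(sorted(failed_users("c1", USERS, EVENTS_C1)))
    print(trend("c1", EVENTS_C1, "c2", EVENTS_C2, USERS))
```

The per-campaign secret matters: a simulation whose links carry a predictable identifier (an email address, a sequential number) invites recipients to forge callbacks for colleagues, which corrupts exactly the benchmark the assessment exists to produce.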
The service is flexible and can be tailored to your specific requirements based on the findings of your assessment.
For further information on the Phishing Assessment Service, or our other security services, please use the contact form to request further information.