Phishing attacks are still the most popular attack vector. Individuals and businesses worldwide confront issues in keeping their information safe. Businesses can spend money on security software, appliances, and new secure technology. However, companies typically pay little attention to their employees, which is a major vulnerability.
Vulnerabilities and targeted attacks look for vulnerabilities in hardware or software, respectively i.e., persistent advanced threat (APT). By taking advantage of human error, phishing and ransomware are often successful in getting access to the corporate network.
When a firm is attacked, it frequently suffers major financial losses as well as a loss of market share, reputation, and consumer trust. OpenText Security Solutions interviewed over 2,000 employees from UK companies with 25 to 999 employees earlier this year. 41% were unable to recognise a phishing email pretending to be from the Royal Mail.
A DDoS (distributed denial of service) email attack was unfamiliar to 52 %, while 61% was unfamiliar to BEC (Business Email Compromise ). In addition, 27% had never gone through any kind of cyber-risk training.
The fact that criminals have never been so deceitful in masking their phishing attacks makes this problem so serious. Phishing has heavily focused on deception to persuade users to input credentials or install malware. The attacker tricks the victim into believing that an email, or website, came from someone they knew or had authority.
It only takes a few easy steps to stop the attack. For example, when you hover your mouse over a link, you’ll see that it leads to an entirely different URL than the supposed source. A website’s branding, logos, or colours would not match the original, and there may be grammatically mistakes. The absence of an HTTPS header in the URL can also go some way of distinguishing a fake website from a legitimate one, although this is not always the case.
New technique
Almost every phishing attack follows the same basic pattern: users are tricked into clicking on a fake link or downloading a harmful file. They may leverage curiosity (click to discover more), opportunity (click for free gifts), or even fear (enter your login and password to learn who has placed an expensive order through your PayPal account).
The vast majority of new phishing attacks also follow this pattern. What is different is that more deceitful attackers are playing things more cleverly. Gradually improving at covering the normal warning signs that anything is wrong.
For example, you may receive a spoof email apparently from paymentdue.com. According to the email, the license is soon to expire. Payment must be made within 24 hours by going to paymentdue.com/renewal. The user is sent to paymentdue.renewal.com, a fake page that looks precisely like the actual renewal page and asks for credit card information. The attacker watches the page and steals the credit card information. However, a malicious script runs in the background and steals the user’s session cookie. As a result of the reflected XSS attack, the attacker also gains credit card information.
Attackers are also becoming creative in their attempts to hide attacks within fairly normal corporate emails. As remote work has become increasingly prevalent, phishing attacks disguised as automated emails from Google Drive, OneDrive, SharePoint, or Dropbox have become more common. The email directs users to a bogus Microsoft 365 or Google Workspace login page.
Attackers are also coming up with innovative tactics to remove attention and get over security measures. It can merge authentic and their own links, redirecting people to an organisation’s official contact page. They may even mix regular code with malicious code copied from the legitimate website to mislead spam and malware screening solutions. They also use shortened URLs to mask the true URL from security software.
Browser vulnerabilities succeed in making simple anti-phishing checks more difficult for users. Even though they are still uncommon in the field. A bogus page with a real SSL certificate and a secure HTTPS domain can be created using the same approach. This cuts the ability to discover the real address by pausing a link.
Apply advanced mitigations
Users and businesses must secure themselves from phishing attacks. Although hardware and software security solutions are important, addressing employee weaknesses via education, and consistent effective training, is also essential.
To protect businesses from phishing and spear phishing attacks, they can take the following steps:
- Employees are more likely to pay attention and think before clicking on a link if the training is short and entertaining.
- A must-have additional security measure is enabling two-factor authentication (2FA) on all accounts.
- Organizations should impose strict password management policies, in addition to use 2FA.
Has your organisation started to increase cyber security measures yet? Start your two-week free trial today.