Our business and personal emails are under constant attack. Phishing, which started with ‘script kiddies’ (individual hackers casually attempting to gain access to another person’s account), has moved into the space of much larger organised crime.
“Phishing is currently the dominant attack vector for entry into networks, and its popularity isn’t hard to understand. It’s easy to carry out, easy to profit from, and from the perspective of cyber security professionals, it’s notoriously difficult to defend against.”
Oz Alashe, CEO, CybSafe.
Emails posing as those sent from legitimate companies or services you use attempt to convince you of a problem that needs your attention and, more importantly, your login details. The links to the login page appear to be correct, but in fact you’re being sent to a fake page made to look like Amazon, Netflix or another common service. You log in and your details are compromised. Simple pages produce a username/password error, at which point most people give up and move on. More sophisticated pages actually take you to the correct website, where you try to find the issue you were alerted to but cannot, because it was fake.
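The tell-tale sign described above, a link whose visible text looks right while its real target is elsewhere, can be checked mechanically. The following is an added example, not code from the original post: it parses the HTML body of an email and flags links that leave the brand’s legitimate domain (assumed here to be passed in as `brand_domain`) or whose visible text names a host other than the one the link actually goes to. The email body, the look-alike host `amazon-secure-login.example` and the function names are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: link 1 shows the brand's own URL but targets a look-alike host; link 2 is genuine.
SAMPLE_EMAIL = """<p>We could not verify your payment details.</p>
<a href="http://amazon-secure-login.example/signin">https://www.amazon.com/signin</a>
<a href="https://www.amazon.com/gp/help">Help pages</a>"""
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    # urlparse only finds a hostname when a scheme is present, so add one for bare domains.
    host = urlparse(url if "://" in url else "http://" + url).hostname
    return (host or "").lower()

def suspicious_links(html, brand_domain):
    """Return (href, reason) pairs for links that leave brand_domain or whose text names another host."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if not target:  # mailto:, fragment-only or empty href: nothing to check
            continue
        if not (target == brand_domain or target.endswith("." + brand_domain)):
            findings.append((href, f"target {target} is not under {brand_domain}"))
        shown = host_of(text) if URL_LIKE.fullmatch(text) else ""
        if shown and shown != target:
            findings.append((href, f"text shows {shown} but link goes to {target}"))
    return findings
```

Run against the sample, only the first link is reported, once for leaving the brand domain and once because its visible text claims a different host than its target.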
Why do they do it?
Access. Pure and simple.
Sometimes the compromised account is interesting enough on its own. An Amazon account login allows thieves to set a new delivery address and potentially order items to be delivered there. Companies are working to put fail-safes in place to prevent this, but thieves are ingenious!
Research shows that most users have one or two common passwords that they reuse repeatedly across the internet. So your Netflix password might well be the same as your work email password.
Once they have one login as a doorway, it will be used to try to compromise other services you use. Access to your work email can lead to potentially sensitive information that’s far more valuable.
43% of UK SMEs have experienced a phishing attempt through impersonation of staff in the last 12 months. Of those that experienced impersonation attempts, two-thirds (66%) had suffered a successful attack.
>> via: Helpnetsecurity
What can we do to guard against this threat?
Education and Training.
If you’re in a business, educate your staff about the risks. Many people are not even aware this type of activity goes on. If you’re an individual, read up on the threats and find some good security resources to read regularly so you keep up to date with this information. Techniques change regularly!
Training – find examples of common attacks and learn from them. I have worked with various companies to provide training on cyber security and common phishing attacks using examples to teach staff how to spot a fake email from a real one.
As a bonus, I will be sending out a link to all our newsletter readers containing a PDF I put together with several common phishing email examples, and I’ve annotated them to show you the common signs to look for that will tell you the email is fake. Sign up below to receive our newsletter and receive your FREE PDF now.
Once your staff are aware of the risks and how to spot them, follow this up with improved policies in your business. Interested in getting help? Contact me here.