Phishing & The Pandemic
The COVID-19 pandemic changed the way we work and how we think about securing critical assets, as more employees have transitioned to working fully remote. Although the flexibility of working from home or a cafe helped increase productivity, it also brought along a new level of concern for IT – as the thought of unsecured remote access attacks had not crossed their minds before.
One of those attacks, in particular, is phishing. Phishing attacks soared by 6,000% since the start of the pandemic. Phishing attacks have also grown more sophisticated. Detecting a malicious email is not as simple as it should be. Part of the problem is a lack of awareness and training. Both are essential components in securing the workforce and keeping sensitive company resources safe from attackers.
How Phishing Attacks Work
Phishing is a type of social engineering attack that works by duping a user into clicking a malicious link and being redirected to a fake site or downloading an infected file which is then used to deploy malware onto the recipient’s machine. The end goal is to have an unknowing participant provide personal details, such as credit card information.
Once an attacker has access to your private information, they can hack into the organization, leak sensitive files, or hold them for ransom. And ransom fees are not cheap. The cost of an average ransom attack as of 2022 is $1.4 million.
Your organization must implement strong cyber-security protocols to keep your network and employees safe from phishing attacks.
Different Types of Phishing Attacks
83% of organizations experienced a phishing scam. There are over 3 billion phishing emails sent out on a daily basis. It takes just one to bring down an organization. Businesses must protect themselves from such a severe threat to their online security, especially in the new WFH model. Here are some types of phishing attacks you should know about:
Spear phishing targets specific individuals within an organization. Over 65% of phishing attacks are spear phishing. Attackers will gather as much information as possible about the person or company. The email is almost indistinguishable from a regular business email and can easily bypass spam folders.
This involves sending a fake corporate email to hundreds of people. The idea is to make it seem believable since multiple people received it. These phishing attacks are hard to spot and can cause lots of harm to a company if harmful links are opened.
Clone phishing, as the name implies, is when a hacker copies a legitimate corporation’s email and either adds a link or changes the existing link to direct users to a malicious website. Clone phishing is a more advanced level of spear phishing.
Larger enterprises need to be extremely mindful of this one. Whaling targets prominent C-level executives. It usually involves asking for a wire transfer or requesting access to important company documents. It is hard to distinguish from regular company emails.
Taking Preventative Measures Against Phishing Scams
Here are some helpful tips employees can take to ensure they do not become victims of a phishing attack and give away private company information:
- Do not share any personal information through emails.
- Only log in to sites protected by HTTPS. This protects you from pharming, where the fraudulent email directs you to lookalike sites identical to the website you want to visit to steal private information.
- Don’t input your personal information on pop-up screens.
- If you’re unsure whether the email is from a legitimate company, contact the company and inquire about the email.
These preventative steps will ensure that you understand the mindset of an attacker and understand what to look out for when opening an email. It can be tricky at first since phishing emails are incredibly well-detailed and hard to spot unless you are properly trained.
You should always verify your emails if you’re unsure about their legitimacy. Read through the email carefully and check the email subject. Sometimes, there may be multiple spelling and grammatical errors. A huge red flag. Check the ‘From’ email, and compare it to the email on the official company website. You can also compare it to emails you have received in the past.
How to Keep Your Organization Safe from Phishing Attempts
1. Adopt a Zero Trust Security Model
A zero trust security model ensures that individual users within the organization have limited access to files in the company network based on their needs and position in the organization.
Zero trust ensures that in the event of a successful phishing attack, the cybercriminals have a limited attack space-based on network segmentation and access control policies. This will significantly reduce the impact of a breach as only users who have specific permission sets will be able to access certain resources.
2. Have Regular Cyber Security Awareness Training for Employees at all Levels
Phishing scams have become so elaborate that they can fool business owners and even highly experienced company staff into sharing their personal and business information. It is one of the biggest threats in cyberspace.
Even people who know about phishing and claim to understand how phishing attacks work still fall victim to phishing attempts.
Companies need to host cybersecurity training programs to teach employees how to correctly identify phishing scams and act accordingly so they don’t give away sensitive company files.
Consistent phishing awareness training will make employees better at detecting hints of fraudulent activities in emails, phone calls, and malicious websites.
3. Safeguard User Accounts with Multi-Factor Authentication (MFA)
A multi-factor authentication system requires more than two user verification credentials to permit access to company files. It goes beyond the regular username, and password companies ask for and requires detailed identity verification.
This could include SMS verification, biometric scans, email verification, and other security methods. This makes it difficult for cybercriminals to hack into an account. Even if they can get the user’s login details through phishing, they will not have the complete credentials necessary to access the company network.
4. Deploy Secure Service Edge (SSE)
Security Services Edge (SSE) is a unified approach to cybersecurity that includes a Secure Web Gateway (SWG) for filtering out harmful content and blocking certain websites, a cloud firewall (FWaaS) to monitor all inbound and outbound traffic, a Cloud access security broker (CASB) for enforcing company security policies, and Zero Trust Network Access (ZTNA) for network segmentation and granular access controls – all in a single cloud-based admin panel.
Through SSE’s streamlined cybersecurity approach, you can gain full visibility into all areas of your network to help prevent phishing and other cyber attacks from harming your organization. Discover how you can become an SSE Superhero and how you can add an extra layer of protection to secure remote workers.
Take the necessary precautions to protect your organization from phishing attacks by educating employees, upgrading your security stack, and defending your critical cloud and network infrastructure with Zero Trust policies. Don’t be tempted to click on that email attachment. Secure your network from external attacks with Perimeter 81’s ZTNA solution today.
Sponsored by Perimeter 81