Recent studies show that 1 out of every 100 emails sent globally has malicious intent.
This is one of the many statistics that illustrate the rise in hacking and phishing. Phishing, in particular, has played a big role in some of the largest recent data breaches.
An example of this is the 2014 Sony Pictures breach, believed to have been perpetrated by North Korea per the US Department of Justice. In this instance, it only took one email being opened by an employee to give malicious actors a way to take control of Sony’s network.
A common thing we see among phishing attacks is impersonation of an actual employee inside the business. Some phishing messages have even been reported as coming from the CEO of the company and play off of existing relationships to convince the victim to part with confidential information.
Phishing attacks don’t just happen on traditional computers but on mobile devices as well.
Even more modern security measures, such as two-factor authentication, can be targeted by phishing. Today’s hackers are able to create fake login pages to capture a target’s information and then use that information to access the actual website.
So why isn’t 2-step verification good? Why doesn’t it work? When the victim is prompted for 2-step verification, they also enter the verification number on the fake login page, thus giving the attacker complete access.
A Rise In Hacking & Phishing Attempts
A series of industry reports demonstrates the growing trend of hacking and phishing attempts in recent years.
According to PhishMe’s Enterprise Phishing Resiliency and Defense Report, phishing attempts have increased 65% from the previous year.
Additionally, Wombat Security’s State of the Phish report states that 76% of businesses reported being a victim of a phishing attack in the last year.
Per the Verizon Data Breach Investigations Report, 30% of phishing communications are opened by their target, and 12% of those victims open a malicious attachment or visit a malicious link.
A report from The SANS Institute revealed that 95% of all hacks on enterprise networks are the result of phishing.
According to cybersecurity leader Symantec, phishing, and thus hacking, has increased across most business types of all sizes; no business or industry is immune, it seems.
Per the Webroot Threat Report, nearly 1.5 million new phishing sites are built monthly.
Common Phishing Techniques
The most common phishing attack you will come across is one where you are directed to a fake login page. This usually happens because the victim has received a “Forgot Password” or “Reset Password” email and acts on it.
Another common way that a phishing attack will present itself is through malicious browser extensions and ads.
Per a recent report, Google removed over 3 billion ads from its platform last year, a 100% increase in malicious ad removal over the previous year. The same report also revealed that cybercriminals compromised over 100,000 devices with browser extensions. The browser extensions in question did everything from stealing login credentials to mining cryptocurrencies.
Another method, less common than the two listed above, is the tech support scam. This is where a fake tech support agent calls someone directly to “assist” them with an issue that their computer is having (caused by the caller in the first place). This is most often because of a “virus” the user got on their device.
How To Avoid Phishing Attempts
The biggest thing you can do as a business to prevent phishing is to use a password management tool. This means employees would never log in directly to a website or service but would instead click a saved hyperlink in the password manager. As a result, the chance that you or your employees will visit a fake login page would be almost zero.
Another huge measure that will help you prevent phishing attacks is educating yourself or your employees. This includes both education on what phishing attacks are and how to spot when they’re happening.
The most common way to spot a phishing email is to verify the email address it was sent from. While hackers can spoof email addresses, this is a very quick way to recognize at least 50% of phishing emails.
Another great method: before you or any of your employees click on any link in an email, right-click the link and copy the URL into a notepad to verify that it leads to a trusted website.
Yet another great rule of thumb is to not open any email attachments you are unsure about, especially zip files.
How can you spot a phishing attack? Always be on the lookout for:
- Grammar or spelling mistakes.
- An undue appeal for urgency.
- A request for information, possibly personal, that the requestor should already have.
- An unfamiliar e-mail address.
- A link in an email to a website you don’t recognize.
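The sender-address and link checks described in this section can be automated. The following is an added example, not part of the original article; the `TRUSTED` list and the sample message are constructed assumptions, and it only inspects HTML bodies and link text that displays a full URL.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"example.com"}  # assumption: domains your business really uses
# Constructed sample message, not a real email.
SAMPLE = """\
From: "Example IT Support" <support@example-helpdesk.test>
Subject: Reset Password
Content-Type: text/html

<p>Reset <b>now</b>: <a href="http://login.example-helpdesk.test/r">https://example.com/reset</a></p>
"""

class Links(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href:
            self.links.append((self.href, self.text.strip()))
            self.href = None

def trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def findings(raw):
    msg, out = email.message_from_string(raw), []
    dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not trusted(dom):  # From can be spoofed, so a match proves nothing
        out.append(f"unfamiliar sender domain: {dom}")
    html = [p for p in msg.walk() if p.get_content_type() == "text/html"]
    for part in html:
        parser = Links()
        parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in parser.links:
            host = (urlparse(href).hostname or "").lower()
            shown = (urlparse(text).hostname or "").lower()
            if not trusted(host):
                out.append(f"link to unrecognised site: {host}")
            if shown and shown != host:
                out.append(f"link text shows {shown} but goes to {host}")
    return out
```

Calling `findings(SAMPLE)` returns one line per warning sign; an empty list means only that these particular checks found nothing.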
Because of the rise of phishing and hacking, regular employees, business owners, and IT security professionals all need to put extra effort into avoiding these threats. The landscape is changing almost monthly and new types of attacks are created weekly.
Beyond email, there are many other ways that a hacker may target someone with a phishing attack, including communication methods such as LinkedIn messenger, WhatsApp or text messaging.
This also applies to any third-party internal messaging system that you may be using, such as Skype or Slack. If you are serious about preventing a costly data breach, you need to put time, energy, and attention into making sure you are diligent in avoiding phishing and hacking attacks.