Whether you are a small business or a large enterprise, you may be a phisher’s next target. An organization that succumbs to such an attack usually suffers serious financial losses in addition to losing market share, reputation, and customer loyalty.
Phishing is an attempt to obtain confidential data from a company by posing as a trusted party via email, messengers, or any other means of communication. According to statistics, phishing has persisted as the most common type of cybercrime for years. There are two main reasons for this: 1) you don’t have to be a great hacker to try phishing, and 2) the human factor is a big problem, as employees still often struggle to recognize when they are being ‘phished’.
You have to know what you are protecting yourself from to become more efficient at securing your business. To help you with this, we have prepared this article. It introduces the main types of phishing, the key phishing trends and facts, and some tips on how to avoid it.
There is a great variety of attacks, so it would be impossible to list them all in one article. Still, the facts show that some of them are more popular while others are already outdated. Based on our expertise and cybercrime statistics, there are 6 prevalent phishing schemes, so let’s take a closer look at them.
Deceptive phishing targets both individuals and companies. You get an email from a fraudster that claims to come from a trusted source (a bank, your supplier, a service provider, etc.) asking you to provide sensitive data in order to verify your account, re-enter certain details, make a purchase, etc. It contains a link to a web page that looks trustworthy but was created by the fraudsters to steal the data you enter.
Personalized (spear-phishing) emails are a more sophisticated version of the previous method. While deceptive phishing usually lacks any personalization and uses generic salutations, these emails are full of personal data and facts about their victim. For example, such an email may contain the person’s name, job title, phone number, etc. The goal is the same — to trick the target into opening malware and handing over sensitive data.
In CEO fraud, attackers impersonate a top executive (often the CEO) and ask an employee to transfer corporate money to a bank account of the attackers’ choice. This attack is especially dangerous if a top executive has already handed their login and password to attackers as the result of a phishing email.
Pharming is done by DNS cache poisoning. DNS, or the domain name system, ‘translates’ the website URL we enter (like google.com) into the IP addresses of the servers behind it. In DNS cache poisoning, the attacker changes the IP address that a resolver associates with the website’s name, so users who type the correct URL are redirected to a fake page that harvests their sensitive data.
If you use Dropbox for file sharing and collaboration, watch out for this attack. The target gets an email that claims to come from Dropbox and asks them to click a malicious URL or open a shared file. The aim is to trick the person into entering their credentials or installing malware on their device.
Phishers may clone the website of a cryptocurrency exchange or any other fintech company, buy Google AdWords ads for searches on the site’s name, and thereby receive the traffic, and all the data people enter, that was meant for the original. An attacker can also register a look-alike domain for a popular ICO, write to people on social networks such as Telegram on behalf of the project administrator, offer a discount on the purchase of tokens/coins, and provide a link to the fake ICO website with a fake personal account.
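As an added defender-side example (not code from the original article or from Hacken), the following Python checker flags two of the signs of the deceptive-phishing and Dropbox-lure emails described above: a brand name in the From display name while the sender address is on a foreign domain, and visible link text that shows a trusted host while the real href points elsewhere. The sample email and its .example domains are constructed for this illustration, and the brand/domain parameters are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure (placeholder .example domains, not real indicators): the
# display name and link text say Dropbox, but the sender domain and href do not.
SAMPLE_EMAIL = """\
From: Dropbox <no-reply@dropbox-share-files.example>
Subject: A file was shared with you
Content-Type: text/html

<p>Open the shared document:
<a href="http://files-dropbox.example/login">https://www.dropbox.com/s/invoice.pdf</a></p>
"""

class _Links(HTMLParser):
    # Collects (href, visible text) for every <a> element in the HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    # Hostname of a URL; bare "www.x" text is treated as a URL as well.
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()

def analyze_email(raw, brand="Dropbox", brand_domain="dropbox.com"):
    # Returns human-readable findings; an empty list means neither sign was triggered.
    msg, findings = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    # Sign 1: the display name claims the brand but the address is not on its domain.
    if brand.lower() in name.lower() and not ("." + sender_domain).endswith("." + brand_domain):
        findings.append(f"display name '{name}' but sender domain '{sender_domain}'")
    parser = _Links()
    parser.feed(msg.get_payload())
    # Sign 2: the visible URL text and the real href point to different hosts.
    for href, text in parser.links:
        if text.startswith(("http://", "https://", "www.")) and _host(text) != _host(href):
            findings.append(f"link text shows '{_host(text)}' but goes to '{_host(href)}'")
    return findings
```

Running `analyze_email(SAMPLE_EMAIL)` returns one finding for each sign; a mail whose sender is on dropbox.com (or a subdomain) and whose link text matches its href returns an empty list.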
Knowledge is power, so you need to know what you are up against to build an efficient cybersecurity system and protect your business from potential losses. This is why we have prepared the top five phishing facts based on statistics that describe what you should look out for.
Annual phishing statistics are quite upsetting, to say the least — 76% of companies were targeted by phishing attacks in 2017, according to Wombat’s State of the Phish report. So, if your company hasn’t been targeted yet, it is the exception rather than the rule, as the statistics show.
As stated in Symantec’s recent Internet Security Threat Report, almost 55% of all emails are spam. Statistics suggest that every user gets 16 phishing emails in their inbox per month. Even if you have only 10 employees, they are likely to get 160 fraudulent or spam emails per month, which adds up to 1,920 potentially harmful emails per year.
92.4% of all malware is distributed via email. This is no surprise, as it is the simplest way to reach a target: all you need is your own email account and the target’s email address.
However, there are some surprises in the phishing statistics here. Fraudsters have shifted from attachments to URLs to deliver malware. In 2017, according to Proofpoint’s stats, 75% of potentially harmful emails carried malware in attachments. In the first quarter of 2018, however, the facts show that 80% of fraudulent emails contained malicious links. Banking Trojans are currently the most common malware out there (they have even replaced ransomware as the number one malware).
As stated in Symantec’s recent Internet Security Threat Report, invoices and bills were the most widely used disguise for malicious emails (15.9% of all potentially harmful emails). Other disguises include email delivery failure notices (15.3%), law enforcement (13.2%), scanned documents (11.5%), and package delivery services (3.9%).
As stated in Proofpoint’s The Human Factor 2018 Report, Dropbox-themed lures accounted for more than 30% of lures in 2017. Other top lures included those associated with banks and insurance companies, generic email credential harvesting, and Microsoft OWA services, among others.
However, the most effective lure was not Dropbox — it was DocuSign. Phishing attack statistics show that harmful DocuSign links and attachments were clicked three times more often than Dropbox ones (a 7% click rate versus less than 2%).
CEO fraud is a more sophisticated and, therefore, more costly attack than any other scheme. As stated in the FBI’s Internet Crime Report, CEO fraud cost organizations almost twice as much in 2017 as in 2016 ($675+ million in 2017 versus $360 million in 2016). Cyber attack statistics show that such an attack nets the fraudster $130,000 on average.
Now that you know the key stats, let’s take a closer look at the top 10 reasons why you should invest in anti-phishing services, including training, crafting advanced policies, software, support services, etc.
As we’ve mentioned above, ignoring the threat may lead to severe financial losses. A company that employs 10,000+ people suffers $3.7 million in damage from one phishing attack on average. Considering the potential losses, investing in phishing countermeasure services will definitely pay off in the future.
Fraudsters may impersonate your company and target your potential or existing customers with malicious links, Google ads, emails, etc. Or, one of your employees could be tricked into compromising the personal data of your customers. This could cost you a lot, not only in terms of reputation but also in fines (under GDPR and other regulations). Moreover, in both cases, you would lose your customers’ trust.
Your reputation may suffer for a number of reasons if you fall victim to fraud. If your customers’ personal data gets into the attackers’ hands, there would be no reason for them or your potential customers to entrust you with such sensitive data. If you fall victim to CEO fraud or another phishing technique, your potential and current investors may turn their backs on you because investing in such a business won’t seem safe anymore. Consequently, damage to your brand reputation inevitably leads to financial losses, one way or another.
Phishing is not only about stealing money. Sometimes, attacks are conducted by your competitors or by those who trade in corporate secrets. If you ignore the possibility of your corporate secrets or other sensitive corporate data reaching your competitors, it is the same as handing your competitive advantages to them yourself.
Besides losing money and corporate secrets, phishing may lead to blackmail. If one of your employees has their sensitive data compromised, perpetrators may use it to blackmail them into doing whatever the attackers find necessary. This could lead to the employee revealing corporate secrets, handing over corporate data, giving access to internal systems and services, etc. — the consequences could be catastrophic.
Potentially harmful emails are no longer likely to be messy and full of mistakes. DNS cache poisoning, fake Google ads and other, more sophisticated ways to trick potential victims into compromising their sensitive data are becoming more common among perpetrators. The reason is simple — people are more likely to fall victim to such attacks. This is why we suggest turning to anti-phishing companies for qualified services like anti-virus systems, because merely raising your employees’ awareness of phishing is not enough today.
Phishing exploits human error. Attackers employ various social engineering methods to trick their targets into doing what they need — logging in on a forged web page, giving away their credit card details, etc. This is why anti-phishing services focus heavily on eliminating the possibility of human error through training and advanced company policies.
If your credentials get compromised, your identity may be stolen. As a result, fraudsters may be able to authorize financial transactions on your behalf, communicate with others, and trick them into sending money or giving away their credit card details.
Perpetrators may use malicious techniques to take advantage of your brand’s reputation and trick users into thinking they are dealing with you. This may lead to users transferring money to the fraudsters’ account and blaming your business for not delivering the services they paid for. As a result, your brand reputation may also suffer.
All the reasons mentioned above build up to the main one: falling victim to fraud may destroy your company’s future and bury your business. It could happen if your competitive advantage gets revealed, if you lose your customers’ trust, if your brand reputation gets irreversibly damaged, etc.
Your anti-phishing strategy should be comprehensive. Isolated countermeasures here and there won’t be effective at preventing fraud. There are several ways to avoid phishing scams that you should take into account:
If you want to be fully prepared for potential attacks, we advise you to turn to a company that provides full-fledged penetration testing services. This means simulating an attack on your company to reveal all the vulnerabilities and get rid of them.
When you are looking for a company to provide you with anti-phishing services, pay attention to the following criteria:
Phishing and anti-phishing deserve your full consideration regardless of whether you run a large enterprise or want your small business to become one someday. All the numbers tell us fraud is getting more advanced and, therefore, more damaging, so securing your business is a matter of its survival.
Are you willing to invest in securing your brand’s future? Reach out to Hacken and our anti-phishing services, and we’ll make sure your business becomes a fortress that can’t be broken into.