How is phishing still an effective way to breach companies?


Written by Victor G. Snyder, Consultant at BossMakers

When it comes to illegally infiltrating company data, there are various techniques that are employed by the ‘bad guys’ to garner the information they desire.

Many of us will think that brute force attacks and other forms of hacking are the most popular ways to get a foot in the door for the more nefarious members of the cyber world, but the truth is that phishing scams are still by far the easiest and most popular way for hackers to gain access to private and sensitive data.

The reasons for this fall into two major categories. Firstly, these attacks are easy to deploy, and secondly, we unfortunately seem to fall for them all too often.

Forms of phishing

So, how does phishing work? Well, in a nutshell, phishing is the practice of fooling someone into relinquishing access to private information.

This can be something as simple as clicking a link that results in either being taken to a fake website or installing malicious code on a machine without the knowledge of the user.

It often takes the form of email correspondence that has a call to action, encouraging the user to click on a link in order to perhaps change an outdated password, pay an outstanding client, or log in to review some suspicious account activity.

When an email looks authentic, it is surprising how few users actually bother checking whether the URL on the link is correct or even if the email sender is official. To add further to these worries, it is worth knowing that the origin of an email can actually be spoofed anyway, so even the most diligent of users can still fall foul of this sort of scam.

To be fair to the majority of the workforce out there, these scams aren’t always that easy to spot, and the ways in which phishing attacks are being deployed are getting ever more sophisticated.

A scam email from what looks like one of your company’s usual suppliers asking to be paid can look every bit as legitimate as the real thing, especially to an untrained and busy employee who is trying to get through the workday as efficiently as possible.

You may think that these attacks are confined to the realms of the smaller companies out there, but anyone with an ear to the ground is well aware that plenty of huge data leaks at large corporations are still taking place across the globe.

While nobody is ever 100% safe from these sorts of scams, there are lessons that can be learned from each breach.

Educate your employees

Often, the best ways to stay safe from these attacks is to keep the advice you give employees as simple as possible. You cannot expect each and every staff member to know the intricacies of phishing attacks and how they work, but you can put into practice a set of rules that should lower the risks posed.

Making sure payments are made through official website portals, rather than clicking links within emails is easy to implement. It is also worthwhile making sure the whole company (or at least those with access to sensitive data and accounts) are comfortable speaking up when they feel something feels amiss.

One wrong move when you are faced with a phishing attack can lead to vast amounts of money going missing, or malicious software installed on your network that quickly turns into a ransomware situation.

With this type of attack seemingly going nowhere in the near future, more services are cropping up to deal with the threat, helping to train employees using simulated attacks as practice for real-world situations.

What are the next steps?

Ensuring that your team knows what to look for and how to deal with phishing attacks and drives down failure in detection rates for employees across the board. This, coupled with an automated phishing filter within an email client, is the best way to currently guard against this particular security risk.

Given the level of devastation that a breach can cause, more and more companies are turning to these measures to shield themselves. Any time humans deal with emails, there is always going to be some risk of human error.

If you can’t totally eliminate a threat, the next best step is to minimize it. Those who don’t manage to do so are all the more likely to find out the hard way just how devastating a phishing attack can be.

More thought leadership

Comments are closed.