The current cybersecurity climate makes it hard not to be wary of phishing attacks. Forget reclaiming lost family fortunes or assisting Nigerian princes: today’s phishing scams are targeted, complex and incredibly prevalent.
It feels like a new, high-profile phishing attack is reported every other month. In May, Google Docs users were targeted with malicious invitations to edit fictional documents. Before that, DocuSign users were sent bogus emails encouraging them to download a Microsoft Word document that installed malware.
Despite increased awareness of these attacks and “I’d never fall for that” attitudes, Verizon’s 2017 Data Breach Investigations Report showed that 1 in 14 users fell for a phishing scam by clicking on an unidentified link or downloading a suspicious attachment.
I recently sat down with Edric Wyatt, a security analyst with CyberScout, to discuss the evolution of phishing attacks, what attackers are trying to achieve, and how organizations can effectively defend themselves. (Full disclosure: CyberScout underwrites ThirdCertainty.) Here are the key takeaways from our discussion:
Attacks have evolved. They have become far more advanced in recent years. Rather than posing as Nigerian princes, attackers are crafting hyper-targeted, hyper-relevant emails that use social engineering to encourage users to click. Attackers are spending more time researching organizations to gather as much information as possible before sending out targeted emails. They know your name, your role and your title, and they tailor each attack to reflect this. So when you receive 1,000 emails a day, you won’t think twice about clicking one that “seems” normal.
Your attack is just one of many. If you are targeted with a phishing email, you might not be the primary focus. Attackers target multiple individuals within an organization as part of a more advanced attack. The information you provide by falling for the phishing email might not be the end goal, but anything you provide is information they can use in a future attack.
Constant training is the key to successful defense. The more that training and awareness are reinforced among employees, the more likely they are to recognize attacks for what they are. The more you hear it, the more you see it. Training should be scheduled as soon as new threats emerge. Regardless of the measures IT departments have in place to protect an organization, it only takes one individual clicking on one link to compromise the entire company.