In 2013, retail giant Target suffered a data breach, resulting in the compromise of more than 41 million customers’ retail card accounts. Target had to pay $ 18.5 million for a multistate settlement following state investigations. The attackers did not launch the attack directly against Target; instead, they targeted the servers of Fazio Mechanical Services (FMS), an HVAC vendor for Target that had trusted access to Target servers. The attackers acquired credentials of an employee at FMS through a phishing attack, gained control of FMS servers, and injected malware to siphon data from Target servers.
The successful attack against such a behemoth company is a cautionary tale for other businesses. Since virtually every company is bolstering protection for their systems, more and more attackers are targeting the weakest link: humans. According to Verizon’s 2020 Data Breach Investigation Report, phishing was involved in an estimated 22% of the security breaches reported that year. Businesses and their employees need to know what phishing is, how to spot phishing attempts, and what to do when they’ve fallen victim to an attack. Typically the best way to go about this is through comprehensive phishing training.
What is Phishing?
Phishing is a mode of cyberattack in which attackers gain access to sensitive data by camouflaging themselves as a trusted entity in electronic or direct communication. The sensitive information can be usernames, passwords, employee login credentials, bank account details, credit card information, etc. Electronic communication used can be emails, text messages, direct phone calls, or spoofed websites. The fraudsters use the name, brand logo, and other identities of a trusted or well-known brand in emails, spoofed websites, and other visual information used to deceive the unsuspecting target.
A commonly occurring example is scammers creating clones of a trusted bank with identical brand elements and an exact replica of every detail on the actual financial institution’s website. The link to this cloned website is sent to unsuspecting users with a message that gives an urgent motive for the reader to click the link, such as asking them to log in to update a password or confirm a suspicious transaction. Unsuspecting users will enter their personal and sensitive information on the clone website.
3 Types of Phishing Attacks Targeting Businesses
There are many variations of phishing techniques cyber attackers use to gain sensitive information. The following three types of attacks are often used to target businesses:
- Mass email phishing: In mass email phishing, the same email is sent to many recipients, sometimes targeting all employees from the same company, with the aim of tricking recipients into taking an action, such as logging in to a system or downloading a malicious file. Mass email phishing typically relies on email spoofing, in which the sender information is forged so that the email appears to be coming from a trusted person or entity.
- Spear phishing: In this case, cyber attackers target a specific employee within the company. The attackers will already have some information about the employee they want to target and use that information to gain the trust of the employee through digital communication and eke out further information they can exploit to access sensitive information. In 2016, the Democratic National Committee was hacked using extensive spear-phishing tactics.
- Whaling: In this instance, the attackers target high profile individuals in a company. In these cases, emails with bogus URLs rarely work. They use more subtle social engineering skills to gain the trust and obtain valuable information they can then use to create a carefully crafted phishing email that’s more likely to trick a high-value target.
Best Practices to Avoid Falling Victim to Phishing Attacks
Scammers with malicious intent are often persistent in attempting to gain access to sensitive information through any means necessary. Businesses should be vigilant about this and should strengthen the last line of defense – the human element, or in this case, employees.
Employees should be made aware of phishing and how various phishing schemes are executed by cyber attackers through training sessions with domain experts. Everyone in the organization should be practicing the minimum cyber hygiene practices recommended by cybersecurity experts. Here are a few of the best practices that small and medium-sized businesses can implement easily:
- Instruct employees to use caution when opening external links: The most common tactic employed by cybercriminals in phishing attacks is to fool targets into thinking that an email comes from a trusted source using a nearly identical domain name (such as replacing o with 0, or m1crosoft.com instead of microsoft.com), which is likely to go unnoticed if the recipient isn’t careful. These domains are also known as cousin domains or look-alike domains. Employees should confirm the authentic URL is used in the electronic communications they receive before clicking the link. If the link is provided as a hyperlink, hover the cursor over the link to display the URL on the screen to confirm authenticity.
- Make sure employees know how to identify email spoofing: In addition to spoofing domain names, attackers also spoof the display names of the email sender. Modern email clients have a display name for every email address, and it is displayed as the name suggests. To view the email address, the user needs to click the display name, which unsuspecting users fail to do. This behavior is leveraged by scammers by having a trustworthy display name for email addresses from common services like Gmail.com. Phishing training should include teaching employees how to confirm a sender’s email address before interacting with any email. Scammers also use email addresses linked with cousin domains (e.g., email@example.com).
- Implement cloud-based email protection: A best practice for businesses to prevent phishing is to have a cloud-based email protection solution. Such solutions block spurious emails before they reach the inboxes of the intended recipients.
- Use resources and tools: Use cybersecurity resources and tools available online to prevent phishing incidents from happening. Cybersecurity tools should not be an excuse to engage online without caution but an added layer of protection. Browser add-ons can be useful tools in preventing phishing attacks and other cyberattacks. For example, uBlock Origin is a chrome extension that can be used to block trackers and other spurious activities, while Netcraft is a chrome extension specifically designed to protect users from phishing attacks.
- Have clear guidelines on what to do if you fall victim: Provide clear policies outlining the steps employees should take if they fall for a phishing attempt, such as notifying the IT department and changing their credentials immediately. Additionally, your company should have an incident response plan in place to mitigate further risk and address any potential compliance requirements.
Phishing Training Resources & Tools to Protect Your Business
There are online tools and resources available to help SMBs stay up to date on threats and protect online activities. Here are a few useful tools for SMBs to employ to implement effective employee phishing training and cybersecurity awareness training.
- DoD cyber exchange: The website is run by the Defense Information Systems Agency (DISA). It provides free interactive training sessions and various tools to enhance cybersecurity. The website also has a phishing awareness interactive training module available for free that SMBs can use in phishing training programs for their employees.
- Google’s Phishing Quiz: Google’s Phishing Quiz is an informative and interactive tool that helps you determine how well your employees can spot phishing attempts while also arming your team with the knowledge to better detect fakes.
- Marine Lowlifes Cybersecurity Awareness Campaign Kit: This kit from Infosec IQ helps you prepare your campaign and teach employees how to identify phishing attempts to avoid falling victim.
- Infosec IQ Phishing Risk Test: Like Google’s Phishing Quiz, Infosec IQ’s Phishing Risk Test can help you determine how well your employees can detect phishing attempts. Instead of a quiz format, this tool sends a simulated phishing email to your employees and records the number of recipients who open the email or click the link. Infosec IQ also has a phishing simulator and training tool, PhishSim™, which allows you to build simulated phishing campaigns from a library of more than 1,000 templates to simulate common and emerging phishing attack methods and turn mistakes into teachable moments.
- FTC’s Phishing Quiz: Part of the FTC’s Cybersecurity for Small Business tools, this phishing quiz asks questions about identifying and responding to phishing attempts and what to do if you fall for a phishing scam.
Regular training and constant caution online can mitigate almost all phishing attempts, but employee awareness and adherence to best practices is key. Because cyber attackers are improving their tactics constantly, all employees must remain vigilant about their online activity.