When you hear the word “phishing”, two things likely come to mind. First, if you’re completely unfamiliar with IT, you may think of a fisherman at sea catching fish because the words “phishing” and “fishing” are homophones. And although these two words are not directly related, there is a connection. The word “phishing” was coined in 1996 by hackers using email lures, setting out “hooks” to “fish” for sensitive information and passwords in the “sea” of internet users. As the number of internet users grew, phishing became more common and sophisticated.
And, hence, the second thing that likely comes to mind is pesky emails from somebody pretending to be your bank or the CEO of the company. Whatever the message may be, the perpetrator uses social engineering techniques to try to deceive the user by pretending to be a credible entity. And if you’re not careful, you risk leaking your personal data and sensitive information. With the effects of the pandemic prompting a 7.7% growth rate of internet users and a substantial increase in phishing attacks, it is now more important than ever to ensure that your organization does not fall prey to cybercriminals.
What is phishing?
Phishing is a form of social engineering performed by malicious users on the internet in an attempt to get victims to divulge sensitive information. It is one of the most common acts performed by cybercriminals and is often achieved through the use of social engineering tools. For example, an email from a seemingly trusted source that states that there has been a database crash and asks for the receiver’s login information plays on the urgency and apparent legitimacy of the message.
While email phishing is the most common form of phishing, considering that malicious internet users have been using this technique since the 1990s, other, more robust types of phishing have been gaining traction. Some of those include:
- Spear phishing: Instead of sending out mass emails into the unknown, spear phishing targets a specific “fish” within the company, hence its name. The perpetrator often uses persuasion techniques prompting the user to open a link that contains malware.
- Whaling: Whaling is similar to spear phishing, but it is even more specific. As you have probably already derived from the name, whaling targets a bigger “fish” in the company, like the CEO, CFO, or even the company’s attorney. While harder to achieve, the payoff is greater in this scenario due to the level of authority these people possess.
- Vishing: Vishing is similar to other forms of phishing but is done through a voice call. A perpetrator usually introduces themselves as someone with authority and attempts to obtain your credit card information after claiming that there is a virus on your computer.
- Search engine phishing: Also known as SEO Trojans, search engine phishing is performed by hackers attempting to get to the top of the search engine results list by following best SEO practices. Once their page is mistaken for the website it imitates, they steal your sensitive data.
Many executives are overconfident in their abilities to spot inauthentic messages. Generally, this can be explained by the Dunning-Kruger effect – a cognitive bias characterized by overestimation of one’s own competence in a matter. Simply put, many executives may think they know more about a topic than they really do. This effect explains why numerous organizations still do not have even basic cybersecurity solutions in place, despite the rising occurrences of phishing attacks.
The Ins and Outs of a Phishing Attack
While new types of phishing have been picking up steam, email phishing still accounts for a whopping 96% of all phishing attacks. And of all email phishing campaigns, those that employ some form of visual deception prove to be the most successful.
For example, attackers often misspell links of popular websites (e.g. “www.lnstagram.com”, where the first letter is a lower case “L” instead of an “i”). In addition, misleading images may be used (e.g. the Instagram logo), as well as a misleading overall design achieved with deceptive images and edited source code. According to research, if the attacker combines all three of these techniques, the phishing campaign has a very high chance of being successful (Hongpeng Zhu, 2020).
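The lookalike-link trick described above is something a mail filter can check for on the defender's side. The following is an added example, not code from the original article or its author: it folds visually confusable characters (such as the lower-case L standing in for an i) into a skeleton, compares each link's registered domain against a constructed allowlist of protected brands, and also flags one-character typosquats and brand names hidden in a subdomain. The protected-domain list, the confusable table and the sample email body are constructed assumptions.

```python
import re
from urllib.parse import urlparse

PROTECTED_DOMAINS = {"instagram.com", "paypal.com", "microsoft.com"}  # constructed brand list
# Visually confusable sequences folded to one form; multi-char pairs first so
# "rn" becomes "m" before the single-letter "l" rule runs.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("l", "i"),
               ("1", "i"), ("0", "o"), ("5", "s"))
URL_RE = re.compile(r"https?://[^\s<>'\"]+")

def skeleton(name: str) -> str:
    """Collapse a domain so visually identical lookalikes map to the same string."""
    s = name.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host: str):
    """Return (verdict, brand) for one hostname taken from a link."""
    host = host.lower()
    # Registered domain = last two labels (simplification: ignores co.uk-style suffixes).
    reg = ".".join(host.strip(".").split(".")[-2:])
    if reg in PROTECTED_DOMAINS:
        return "legitimate", reg
    for brand in PROTECTED_DOMAINS:
        if skeleton(reg) == skeleton(brand):
            return "homoglyph", brand            # e.g. lnstagram.com, L instead of i
        if levenshtein(reg, brand) <= 1:
            return "typosquat", brand            # e.g. instagam.com
        if brand in host:
            return "brand-in-subdomain", brand   # e.g. instagram.com.verify.example
    return "unknown", None

def scan_message(text: str):
    """Classify every http(s) link found in an email body."""
    return [(url,) + classify_host(urlparse(url).hostname or "") for url in URL_RE.findall(text)]

# Constructed sample email body, not a real phishing message.
SAMPLE = ("Your account was locked after a database crash. Verify now: "
          "https://www.lnstagram.com/login or https://instagram.com.account-check.example/verify "
          "Security docs: https://www.microsoft.com/security")
```

Running `scan_message(SAMPLE)` labels the first link a homoglyph of instagram.com, the second a brand-in-subdomain lure, and the third legitimate.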
After the victim clicks on the misleading link, the attacker often uses advanced ransomware programs to encrypt the user’s files and demands a ransom to decrypt them. Depending on the importance of the files being encrypted, this could pose a serious risk to the company’s reputation and bottom line.
How to avoid the hook?
Phishing attacks continue to become more sophisticated every single day, as perpetrators figure out new methods on how to deceive users. Because the consequences of a phishing attack can range from damaged reputation to significant financial losses, organizations need to implement more active and robust methods of cybersecurity to stay protected.
While some organizations use traditional cybersecurity systems, like solutions that use certificates of authenticity, these have proven to be insufficient since perpetrators themselves can obtain these certificates. On the other hand, DNS protection and cybersecurity training are considered effective methods in limiting the consequences of phishing attacks. DNS protection adds an extra layer of security between the user and the internet by filtering out unwanted information, while cybersecurity training promotes awareness of the issue.
DNS Protection
Our DNS protection service offers enterprise-level protection with configuration managed in our cloud operations center and optimized for your needs. It also allows you to add or remove licenses throughout the year. Because DNS protection works at the point where domain names are translated to IP addresses, rather than at the boundary of a particular office network, it is especially useful for organizations that offer remote or hybrid work.
Cybersecurity Training
While DNS protection on its own is a powerful tool in filtering out unwanted content, and thus minimizing the effects of phishing attacks, it works better in organizations where employees are educated on cybersecurity best practices. That is why it is critical to provide training to employees to protect your network and organization from phishing and other types of attacks. A risk-aware team understands what cyber threats exist, how breaches impact business, and what measures restore and maintain secure operations.
As perpetrators continue to find new and better ways to perform phishing attacks, your end-users, or the human element of your digital defense, become an increasingly vulnerable channel for phishers to reach your network. A cohesive strategy demands your users employ security diligence in conjunction with advanced infrastructure and current policy.