There are two types of “fishing”: the good and the really bad. Let’s start with the good, which is when you are chilling on a boat on a warm summer day, kicking back with your buddies, and having some beers. Unfortunately, we won’t be discussing that one in this newsletter. Instead, we’ll be providing an overview of phishing, which is the most common form of cyberattack and in 2020 accounted for 96% of cyberattacks. So yes, it is really bad.
Most businesses believe that a strong firewall, Windows security updates, and active virus protection will stop malicious attacks, but that belief is mistaken. Hackers do not want to waste their time trying to penetrate the security features I just mentioned; instead, they go after the weakest piece of an organization: the employees.
Overall, employees are not aware of the cyber threats or of the detrimental impact that a cyberattack can have on their employer. They assume that the IT guys are taking care of the “security stuff,” but in reality, the employees themselves are the ones who have to make the right decision when confronted with a phishing attempt.
Phishing is when a hacker sends an employee an e-mail that is tailored to look legit and usually does not have anything malicious attached. Because there is no malicious attachment or code, these messages slip through the cracks of most anti-SPAM solutions. Phishing attempts also use a spoofed sender name so that the message appears to come from someone the employee knows, such as another employee or an executive of the organization, which makes the employee more likely to respond.
The idea of these e-mails is either to get the employee to click on a link that takes them to a website, from which a malware payload is delivered to their system and then spreads to the network and servers, or to get them to follow a link and provide private information, such as passwords or social security numbers. In all fairness to employees who get duped, these messages look VERY legitimate, and even we need to do a double-take. The messages will appear to come from Microsoft stating that your mailbox has been compromised, or from Amazon stating that your credit card was declined during your last purchase.
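To make the tells described above concrete, here is an added example (not part of the original newsletter) of a small mail check that flags the three things just described: a familiar display name on an unfamiliar address, a Reply-To that sends answers to a different domain, and links pointing off the organization's own domain. The organization domain, the list of known senders, and both sample messages are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed values: the organisation's mail domain and the people a phisher
# would most likely impersonate (employees, executives).
ORG_DOMAIN = "example.com"
KNOWN_SENDERS = {"jane doe": "jane.doe@example.com", "frank": "frank@example.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def check_message(raw):
    """Return the phishing indicators found in one RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    name, addr = display.strip().lower(), addr.lower()
    from_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    # Display-name spoofing: a familiar name attached to an unfamiliar address.
    if name in KNOWN_SENDERS and addr != KNOWN_SENDERS[name]:
        findings.append(f"display name '{display}' used with unknown address {addr}")
    # A Reply-To on another domain routes the victim's answer to the attacker.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"Reply-To domain differs from From domain: {reply}")
    # Links are the payload in attachment-free phishing: flag every external host.
    body = msg.get_body(preferencelist=("plain", "html"))
    for url in URL_RE.findall(body.get_content() if body else ""):
        host = (urlparse(url.rstrip(".,;)")).hostname or "").lower()
        if host and host != ORG_DOMAIN and not host.endswith("." + ORG_DOMAIN):
            findings.append(f"link to external host: {host}")
    return findings

# Constructed sample messages (not real mail).
SPOOFED_MSG = """\
From: Jane Doe <jane.doe@mail-secure-login.net>
Reply-To: helpdesk@verify-desk.example
Subject: Urgent: your mailbox has been compromised
Content-Type: text/plain; charset="utf-8"

Restore access at https://mail-secure-login.net/verify within 24 hours.
"""

LEGIT_MSG = """\
From: Jane Doe <jane.doe@example.com>
Content-Type: text/plain; charset="utf-8"

The new travel policy is posted at https://intranet.example.com/policy.
"""
```

Running `check_message(SPOOFED_MSG)` returns three findings, while the legitimate message returns none; in practice the known-sender list would come from the directory and the check would run at the mail gateway.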
You cannot combat phishing by throwing technology at it; you need to provide continuous training and testing of employees. There are several effective solutions that send employees fake phishing messages, track who fails the tests, and then provide them with online cybersecurity training that only takes about 10 minutes. Organizations also require cybersecurity training as part of their new employee onboarding, which we have seen to be very effective in combating phishing and other cybersecurity attacks.
To discuss phishing training and testing for your employees, please reach out to Frank at [email protected] or (847) 894-6304. Together we are in this ongoing battle in keeping businesses safe!