Updated: Aug 25
Despite improvements in technical security measures, phishing remains one of the easiest and cheapest means for criminals to steal sensitive information. Victims can easily infect their computer or the company's entire computer system with just a click of one link from an infected email. In the process, hackers can steal personal data like credentials, or worse, financial information. We'll look at how phishing works, alongside ways to avoid being a victim.
So, what is phishing?
Phishing is a criminal activity in which hackers trick their victims into handing over sensitive data or installing malware. It usually involves a scammer sending emails to convince the potential victim by pretending to be someone from a trusted company or individual.
How does phishing work?
Most hackers use one of two methods to deceive their victims: 1. Malicious attachments They send email users malicious attachments containing enticing names. It could be something like a mail informing potential victims of a Lottery Winning Number, which installs malware on computers when opened.
2. Links to malicious websites The emails come with malicious links to shady websites which are often clones of real and legitimate sites. The links may also initiate a direct download of malware which can harvest login credentials from the user’s web browser.
Check out our article on the different types of phishing websites for a closer look into these malicious tricks.
How to identify phishing emails
Phishing emails are still growing every year. As per Proofpoint's 2019 State of the Phish Report, as many as 83% of data security professionals reported attacks in 2018, which is a considerable increase from the 76% in 2017.
Some phishing emails will still get through even if your company has a strong security team and systems in place. Therefore, it is vital for every employee to recognise such emails. They should look out for the following typical indicators of phishing:
Public email domains
Misspelt website domain names
Bad English grammar and spelling
Suspicious attachments and links
A sense of urgency in the emails
How to mitigate phishing attacks 1. Deploy the right technical measures Always use a robust cybersecurity system or software. If your system has a robust security system, you can take appropriate measures even in the case of breaches.
2. Build a positive security culture Cybercriminals are good at social engineering, and one of your employees may even become a victim. Don't punish them. Rather, encourage them to report such incidents. The sooner someone admits they are the one responsible for the breaches, the sooner you can act to thwart off further damages.
3. Study psychological triggers All social engineering attacks use human psychology to get past their victims' natural wariness. Some of the common signs of a hacker’s psychological tactics include:
Creating a false sense of urgency to trigger an emotional reaction from their victims;
Creating a sense of indebtedness; or
Relying on conditioned responses to authority.
4. Train your employees Anyone from your workforce can fall victim to phishing attacks. The best way to mitigate this risk is through training, and enforcing the company's cybersecurity policies. Everyone should be made aware of what phishing is and how it works. This is the only way personnel will be able to report any signs of security breaches.
5. Test effectiveness of employee training Create a simulated phishing attack in a controlled environment within the company's network. This will help you study the effectiveness of employee training.