Plenty of Phish in the Sea: A Brief Look Into Phishing
Updated: Jul 13
It was in March 1992 that the expression "surfing the web" was first coined by librarian Jean Armour Polly. Now, nearly 30 years later, the sea of daily internet browsing is home to an ever-growing phishing problem.
Phishing is the practice of using a reputable company's name, email signature, or 'login page' to get access to someone's personal information. The goal? Tricking the email recipient into believing the message is honest and convincing a victim to click a link, download attachments or enter login details.
Although it is one of the oldest forms of cyber attack - with roots deep in the 1990s - it is still one of the most widespread and harmful attacks circulating in our widely connected lives today. It is a sophisticated and ever-changing form of cyber attack which can be difficult to combat.
Google has compiled a list of more than 2.5 million registered phishing sites as of January this year. This means that there are now 75 times more phishing sites present on the internet than malware sites, which have reigned as the force to be reckoned with in cyber crime for over a decade.
What is more sobering is the fact that as of 2021, a business falls victim to a ransomware attack every 11 seconds. This is a nearly 400% increase from 2016, showing that even as people become more cyber-savvy, the threats continue to grow at a rapid pace.
Well-produced, ‘off-the-shelf’ tools and templates have emerged for perpetrators to use, making phishing attempts difficult to detect, especially for someone who is unfamiliar with what they look like.
There are several forms of phishing attack. One of them is the password reset.
It is not uncommon for someone to forget a password, especially if that person follows the advice of any login system and has a different password for each site. Phishers take advantage of this and try to access important personal data. An example of this could be “Your email address has been accessed from this location, click here to reset password and confirm your identity”.
There are a lot of potential targets for phishing attacks, as they can be aimed at any business or person. However, there are three common targets for most phishing attacks due to the information they hold. These are pharmaceutical companies, government agencies, and retail or eCommerce stores. A famous example of a successful phishing attack can be seen in 2016, when hackers got access to the personal Gmail account of John Podesta, who was a campaign chair for Hillary Clinton's presidential campaign.
Most phishers use a ‘phishing kit’ which is easily available and usable even for those without superb technical skills. It is not uncommon for an attacker to use trusted brand signatures and imagery, increasing the plausibility of the attack. Through research, it has been revealed that variants of Microsoft, PayPal, and Dropbox have been used in previous incidents.
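The password-reset lure and the brand impersonation described above can be checked for mechanically. The following is an added example, not code from the original article: it flags HTML mail that uses reset-lure wording and names a brand while linking to a host outside that brand's domains. The domain list, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains each brand legitimately links to; maintain your own list.
BRAND_DOMAINS = {"microsoft": ("microsoft.com", "live.com"),
                 "paypal": ("paypal.com",), "dropbox": ("dropbox.com",)}
# Lure wording taken from the sample message quoted in the article.
LURE = re.compile(r"reset (your )?password|confirm your identity", re.I)

class LinkHosts(HTMLParser):
    """Collect the hostname of every <a href> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            host = urlsplit(dict(attrs).get("href") or "").hostname
            if host:
                self.hosts.append(host.lower())

def belongs_to(host, domains):
    # Match on a label boundary, so "paypal.com.<other domain>" does not pass.
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw_email):
    """Return (brand, host) pairs where a reset lure links off-brand."""
    msg = message_from_string(raw_email, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    html = part.get_content() if part else ""
    if not LURE.search(html):
        return []
    parser = LinkHosts()
    parser.feed(html)
    seen = (str(msg["From"]) + " " + html).lower()
    return [(brand, host)
            for brand, domains in BRAND_DOMAINS.items() if brand in seen
            for host in parser.hosts if not belongs_to(host, domains)]

# Constructed sample message (not real mail); .example hosts are reserved names.
PHISH = ('From: "PayPal Support" <support@mail-alerts.example>\n'
         "Content-Type: text/html\n\n"
         "<p>Your email address has been accessed from this location, "
         '<a href="https://paypal.com.account-check.example/reset">click here</a> '
         "to reset password and confirm your identity.</p>\n")

if __name__ == "__main__":
    print(triage(PHISH))
```

A non-empty result is a reason to quarantine or review the message, not proof of phishing; legitimate senders sometimes link through third-party mail services.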
A lot of businesses are using a chat room or communication provider to keep employees in contact with each other, and this can be a target for phishers. An important technique to avoid falling for a phishing attack is to know your company's processes and be able to spot anomalies. Also, having a solid cybersecurity plan or provider in place can minimise the chance of someone you don't want getting access to your personal info.
What are the risks?
Phishing can have a number of highly impactful effects on a business:
The first risk to consider is the dollar impact that a phishing attack can have on a business. SMBs are typical targets for phishing scams, and while these are easily avoidable, should a business find itself a victim of an attack, the result can be extremely damaging, especially if you are a small business. Phishing attacks are often used as the delivery method for ransomware attacks, meaning a ransom fee is presented to the business in order to get their data back. These fees may be beyond the current capacity of a business, or, should the fee be paid, may cripple the business for months, potentially even shutting it down.
Another thing to consider is the psychological and personal impact being a victim of an attack can cause. This is evidenced in a report by ACA research earlier this month showing that 20% of those who experienced a privacy incident did not report it. What is perhaps more sobering is that 10% of people who didn’t report a privacy incident said it was because they thought it would jeopardise their job, while 24% felt embarrassed.
It may result in the victim being ostracized for being tricked into entering credentials, and can be extremely damaging to their self-esteem.
The cost is not only detrimental to the financial state of a business, but also to your business as a whole. It erodes the trust that clients, vendors, coworkers, etc. place in your business, which naturally results in a loss of clients, revenue and confidence. You may struggle to retain existing customers or attract new ones, and even if the fee is paid, if word gets out there may be a cloud of doubt in customers' minds regarding their own data.