When you think about phishing attacks, you probably envision sketchy emails cobbled together with a pixelated logo, an obviously phony sender address, and a ludicrous request to wire thousands of dollars to a mysterious Nigerian prince. There’s no way today’s technologically savvy workforce could fall for such a trite scheme, right?
Unfortunately, phishing has become more sophisticated, personalized, and widespread over the past decade. A whopping 76 percent of businesses reported being victimized by a phishing attack in the past year, according to an annual report by Wombat Security. And with the average cost of a phishing attack on a midsize company totaling $1.6 million, phishing attacks aren’t just annoying—they can leave your organization in financial ruin.
While there’s no way to prevent phishing attempts on employees, educating users on how to identify potential scams is a great place to start. To help, let’s break down how new phishing campaigns operate and compile a few best practices, so you can arm employees with the security awareness they need to fight back against this type of cybercrime.
Watch out for the hidden dangers of social engineering
It’s normal to be skeptical of an email from an address you don’t recognize, but what if the sender is someone you know? Or, at least, that’s how it appears. Consider this warning from renowned hacker-turned-security consultant Kevin Mitnick, who leveraged social engineering to hack the networks of countless organizations, tallying an estimated $300 million in damages.
“Companies spend millions of dollars on firewalls, encryption, and secure access devices, and it’s money wasted,” Mitnick said in an interview with Frontline. “Because none of these measures address the weakest link in the security chain: the people who use, administer, operate, and account for computer systems that contain protected information.”
Of course, money spent on security is never money wasted if it works. But Mitnick is right: The best way an organization can prevent a successful phishing attack is by making sure employees understand attacks aren’t always obvious. One of the most successful types of phishing attacks is impersonation—disguising oneself as someone the victim knows and trusts by using information found on their social media profiles. The criminal then cons the victim into providing sensitive information, wiring money, or—as is the case with a new phishing attack—downloading credential-stealing malware.
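The impersonation described above usually shows up first in the message headers: a familiar display name on an unfamiliar address, a sender domain that is one character away from your own, or a Reply-To that quietly redirects the conversation. The following Python script is an added example, not code from the article or from Wombat Security, that runs those three header checks over constructed sample messages; the contact list, the internal domain, the sample messages and the edit-distance threshold are all assumptions made for the demonstration.

```python
"""Header-level checks for sender impersonation (added example, not from the article)."""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample data (assumption): a small address book and the org's own domain.
KNOWN_CONTACTS = {
    "jane doe": "jane.doe@example.com",
    "finance team": "finance@example.com",
}
INTERNAL_DOMAINS = {"example.com"}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonation_findings(raw_message: str) -> list[str]:
    """Return reasons the headers suggest sender impersonation (empty list if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings: list[str] = []

    # 1. Display name matches a known contact, but the address is not theirs.
    expected = KNOWN_CONTACTS.get(display_name.strip().lower())
    if expected and expected != addr:
        findings.append(f"display name '{display_name}' belongs to {expected}, not {addr}")

    # 2. Sender domain is an external look-alike of an internal domain
    #    (threshold of 2 edits is an assumption; tune it for your domains).
    if domain and domain not in INTERNAL_DOMAINS:
        for internal in INTERNAL_DOMAINS:
            if _edit_distance(domain, internal) <= 2:
                findings.append(f"sender domain {domain} looks like internal domain {internal}")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to} differs from From address {addr}")
    return findings


# Constructed sample messages for a quick stand-alone run.
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: <mailbox@attacker.invalid>
To: bob@example.com
Subject: Urgent wire request

Please process the attached invoice today.
"""

LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, impersonation_findings(raw) or "no findings")
```

These checks are a cheap first filter for a mail gateway or a user-facing banner ("this sender is not who the name suggests"), not a replacement for SPF, DKIM and DMARC, which validate the sending domain itself; they complement awareness training by giving employees a concrete signal to act on.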