Why break windows when you can be welcomed through the door?
With the ongoing global pandemic, many businesses and organizations have been forced to shift to working from home, with most of their activities done online. This naturally came with an increase in cybercrime, as cyber criminals went all out to exploit any, if not all, vulnerabilities introduced by remote working. Globally, $1.6 Billion was lost by companies to ransomware and other phishing attacks alone between 2019 and late 2020. 97% of company employees cannot recognize a sophisticated phishing email, especially if they handle a lot of data. This goes to say that any company, irrespective of its size, is vulnerable to these types of attacks.
So, what is phishing?
It is a legacy security challenge that dates as far back as the late 1990s and is perhaps the oldest trick and by far the most effective. Phishing attacks are the most versatile and low-cost weapon in an attacker’s arsenal, and they leverage our digital dependency. They most often aim at financial fraud, theft of credentials, exploitation of endpoints through the distribution of malware, ransomware, spy bots and backdoors, and gaining access to target networks. Phishing attacks are successful because of the widespread reliance on email addresses as identifiers, rather than unique usernames, and because of how often we reuse one password. As a result, most stolen credentials provide access to multiple accounts of a target, in addition to the account that was initially targeted.
How it works
In phishing, an attacker masquerades as a trusted person and tricks the victim into opening emails and clicking spoofed malicious links, eventually leading to the installation of malware. Malware, unlike early viruses, has evolved over time to the point where it no longer requires user interaction. Some polymorphic variants study your system and adapt accordingly; if they find any misconfigurations, they exploit them. At the end of the day, the attacker is looking for a vulnerability that will grant them access to data, systems, or applications.
Phishing exploits the vulnerability of human error and judgment.
Phishing happens in steps. The first step involves the adversary looking for information about the target: where they work, what interests them, and what makes them tick and click. The second step is the bait that will lead the victim to perform the action the attacker intends. The baiting techniques make us all targets of phishing attacks; they play on respect for authority, curiosity, urgency often coupled with greed or fear, our willingness to help others, and ignorance. The third step involves sending out the emails and waiting for the target to fall for the bait. Thereafter, the actions of the attacker depend on their motive.
Interestingly, given the ever-evolving world of technology and the increase in cybersecurity spending, one would expect there to already be a solution to this menace, but no single solution has proven effective. Even so, many solutions have been offered to combat phishing, especially in organizations.
Common solutions that have been tried include email filtering, web filtering, attachment scanning, and spoofing prevention. I would recommend that organizations carry out awareness sessions with employees through information security awareness programs covering how to recognize malicious emails and spoofed links, how to recognize phishing attempts and scams, legitimate sites from which to buy and download software, ways of securing personal devices, and common security mistakes and how to avoid them. Phishing attacks can circumvent all technologies, including firewalls, and if we are being honest, all the security gadgets in the world are not going to help your organization if your employees give up user credentials to a well-crafted phishing email link. So why break windows when you are welcomed through the door?
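To make the "email filtering" and "spoofed links" points concrete, here is an added example (not from the original article) of the kind of heuristic check a mail gateway or awareness tool can run over an incoming message. It parses a constructed sample email (not a real message), extracts the links from the HTML body and flags three classic lure indicators: a Reply-To domain that differs from the From domain, link text that displays one URL while the real target is another, and a destination host that embeds the organization's own domain name as a lookalike subdomain. The trusted domain set (`example-corp.com`) and the rule names are assumptions for this example.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organization legitimately sends mail from and links to
# (assumed for this example).
TRUSTED_DOMAINS = {"example-corp.com"}

# Constructed sample message for the example; not a real email.
SAMPLE_EMAIL = """\
From: IT Support <helpdesk@example-corp.com>
Reply-To: reset@mail-login-verify.example
Subject: Urgent: your password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Reset it now:</p>
<a href="http://example-corp.com.login-verify.example/reset">https://portal.example-corp.com/reset</a>
<p>Need help? <a href="https://portal.example-corp.com/help">Help centre</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from anchor tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def analyze_email(raw):
    """Return a list of (rule, detail) findings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Rule 1: Reply-To domain differs from the From domain (reply hijacking).
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"{from_domain} -> {reply_domain}"))

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())

    for href, text in collector.links:
        dest = host_of(href)
        shown = host_of(text) if "://" in text else ""
        # Rule 2: the visible URL text names a different host than the real target.
        if shown and shown != dest:
            findings.append(("link-text-mismatch", f"{shown} shown, {dest} real"))
        # Rule 3: the destination is outside the trusted domains; it is worse when
        # a trusted name is embedded as a lookalike subdomain label.
        if dest and not is_trusted(dest):
            rule = "lookalike-domain" if any(d in dest for d in TRUSTED_DOMAINS) else "untrusted-link"
            findings.append((rule, dest))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze_email(SAMPLE_EMAIL):
        print(f"{rule:22} {detail}")
```

Run as a script it prints one line per finding for the sample message; in a gateway you would feed `analyze_email` the raw message and quarantine or tag anything that trips a rule. Heuristics like these are cheap but incomplete, which is exactly why the article pairs filtering with user awareness: a lure that passes every check still depends on the recipient not clicking.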
“As we have come to realize, the idea that security starts and ends with the purchase of a prepackaged firewall is simply misguided.”