Phishing is one of the two most common malicious activities on the internet, the other being ransomware. Ransomware is the more destructive of the two, since it can take down critical systems and endanger lives directly; phishing rarely does that, but it is extremely effective at harvesting credentials and duping unwary victims, and the two are not independent: a phishing email is one of the most common ways ransomware gets its initial foothold. The reason phishing has persisted for decades and still catches millions of people a year is simple. It is technically a scam rather than a direct "hack" of a system, so it needs little skill, it is cheap, it automates well, and it offers the attacker a wide choice of pretexts. A ransomware operation needs a professional crew, time and money, and is usually aimed at a specific organization or government; anyone can "phish" with openly available kits and instructions.
The statistics are staggering for such an innocuous-sounding activity. An estimated 80% of organizations worldwide experience phishing attacks every year, typically between 11 and 50 of them. About 96% of those attacks arrive by email, the most practical vector for catching uninformed users off guard. The remaining 4% are attributed to "smishing" (SMS), "vishing" (voice calls) and other less common channels.
As a result of phishing, at least 60% of organizations lose data each year and over 50% have credentials or accounts compromised. A smaller share are infected with malware, with financial losses following from that.
The most impersonated global brands include DHL, Microsoft, Amazon, Google and PayPal, among others; it pays for crooks to borrow these names because customers are already used to hearing from them. The average cost per record compromised in a phishing scheme is put at $150, and when the attack escalates into a full data breach the bill can reach $4 million. The frequency and reach of phishing are also worth noting. Employees receive an average of 14 malicious (phishing) emails per year, with retail and manufacturing workers receiving the most. Phishing volume grows by a few percent every year, and spiked during the Covid-19 lockdowns. In almost 90% of international organizations at least one person will click a phishing link, which can lead to a data breach costing millions. Stolen customer records hurt both sides: the customer's finances or personal information are exposed, and the company in question can lose its customers' trust and its business.
What is Phishing?
Phishing alludes to "fishing": the victim (a human being rather than a fish) is baited into a trap. The email is the bait and the link or attachment in it is the hook. Most phishing starts with an email, usually a suspicious, oddly worded message whose text is crafted to provoke trust or fear in the target. The body typically carries a malicious link that, when clicked, lands on a spoofed website built to steal the user's credentials. Alternatively the email carries an attachment laced with malware, for example a keylogger, which installs itself on the victim's system and conducts further malicious operations from there. Phishing is heavily concentrated in the United States, the UK, Australia, Japan, Spain, France and Germany, which matches the density of industry in those countries and the opportunities they offer scammers for quick, anonymous profit.
How to Protect Yourself From Phishing Scams
It is entirely possible to protect yourself or your organization from phishing, or at least to reduce it to a minimum. The problem is the suspicious emails that people fail to recognize, so that the victim clicks a link or opens an attachment in a message they believe to be genuine. It is a classic scam, but it works and will keep working on unsuspecting internet users. "Phishers" are only getting more creative as they expand to channels such as social media and their schemes become longer-running and more finely tuned, in other words socially engineered.
So what practical steps can you take to stop phishing at the door? Here are some:
- Treat emails whose subject lines push urgency (Urgent, Request, Important, Payment, Attention, or similar) with suspicion
- Check the sender's actual address, not just the display name; a typo or lookalike domain often gives a malicious email away
- Spelling and grammar errors in the body are another warning sign
- Legitimate organizations usually have a published policy for how they contact customers; an email that departs from it (for example, one asking for a password) is suspect
- Employ an email security solution to protect your inboxes, or have a third party manage that for you
- Tighten the spam-filter settings your email service provider offers
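The checks in the list above can be partly automated. The script below is an illustration added here, not code from the original article: it scores a single .eml message for urgent subject words, for a sender whose display name or address claims one of the brands named earlier (DHL, Microsoft, Amazon, Google, PayPal) while the address domain is not that brand's, and for links whose visible text points to a different domain than the real href, which is how a spoofed login page is usually disguised. The two sample messages are constructed, the brand-to-domain table and the two-label "registered domain" shortcut are assumptions (a public-suffix list is needed for domains such as co.uk), and spelling errors are not checked.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Subject words the article flags as common lures.
URGENT_WORDS = {"urgent", "request", "important", "payment", "attention"}

# Assumed legitimate domains for the brands named in the article.
BRAND_DOMAINS = {
    "dhl": "dhl.com",
    "microsoft": "microsoft.com",
    "amazon": "amazon.com",
    "google": "google.com",
    "paypal": "paypal.com",
}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: a DHL lookalike with an urgent subject and a disguised link.
SAMPLE_PHISH = b"""From: "DHL Express" <notice@dhl-delivery-status.com>
To: victim@example.com
Subject: URGENT: Payment required to release your parcel
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Custumer, your parcel is on hold. Please confirm payment imediately.</p>
<p><a href="http://dhl-delivery-status.com/login">https://www.dhl.com/track</a></p>
</body></html>
"""

# Constructed sample: what a genuine notice from the real domain might look like.
SAMPLE_LEGIT = b"""From: "DHL" <notify@dhl.com>
To: victim@example.com
Subject: Your shipment has been dispatched
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your parcel is on its way.</p>
<p><a href="https://www.dhl.com/track">Track your parcel</a></p>
</body></html>
"""


def registered_domain(host):
    """Crude eTLD+1 (last two labels). Assumption: no multi-label public
    suffixes such as co.uk; a real tool should use the public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_subject(subject):
    """Urgency words in the subject line."""
    words = set(re.findall(r"[a-z]+", subject.lower()))
    return [f"urgent subject word: {w}" for w in sorted(words & URGENT_WORDS)]


def check_sender(from_header):
    """Display name or address claims a brand, but the address domain is not
    that brand's (typo, hyphenated lookalike, or an unrelated domain)."""
    display, addr = parseaddr(str(from_header))
    if "@" not in addr:
        return ["sender address missing or malformed"]
    sender_domain = registered_domain(addr.split("@", 1)[1])
    haystack = f"{display} {addr}".lower()
    findings = []
    for brand, legit in BRAND_DOMAINS.items():
        if brand in haystack and sender_domain != legit:
            findings.append(f"claims {brand} but sends from {sender_domain}, not {legit}")
    return findings


def check_links(html):
    """Visible link text that is a URL on a different domain than the href,
    plus any plain-http link."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        target = urlparse(href).hostname or ""
        if re.match(r"https?://", shown, re.I):
            shown_host = urlparse(shown).hostname or ""
            if registered_domain(shown_host) != registered_domain(target):
                findings.append(f"link text shows {shown_host} but goes to {target}")
        if href.lower().startswith("http://"):
            findings.append(f"unencrypted http link to {target}")
    return findings


def triage(raw_bytes):
    """Parse one RFC 5322 message and return a finding count plus the findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    findings = (
        check_subject(str(msg.get("Subject", "")))
        + check_sender(msg.get("From", ""))
        + check_links(html)
    )
    return {"score": len(findings), "findings": findings}


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = triage(sample)
        print(f"{name}: score={result['score']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it on a saved message with `triage(open("mail.eml", "rb").read())`. The phishing sample scores 5 (two urgent words, a DHL lookalike sender, a link whose text says dhl.com but goes to dhl-delivery-status.com, and the plain-http link); the genuine-looking sample scores 0. A score is only a prompt to look closer: a well-written phish from a freshly registered domain with no brand keyword will sail past these heuristics, which is why the list above also includes a proper email security solution.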
Beyond these habits, use the basic tools. A password manager is the most useful of them against phishing, because it only autofills credentials on the exact domain they were saved for and so refuses to fill a lookalike login page that a human might not notice. A VPN protects your traffic on untrusted networks, but be clear that it does nothing against phishing itself. Secure your WiFi router with a long, random passphrase and WPA2 protection at a minimum, and use a privacy-conscious browser that keeps your digital footprint small. Turn on multi-factor authentication on every account that offers it; note that a one-time code can still be phished by a proxy site that relays it in real time, whereas a hardware security key (FIDO2/WebAuthn) is bound to the genuine domain and cannot be replayed from a spoofed one.
Finally, because so much phishing succeeds through human error and misconfiguration, never post your passwords anywhere public or share them with people over the web. Organizations must keep their mail servers patched and correctly configured, including publishing SPF, DKIM and DMARC records so that mail forging their domain is rejected rather than delivered. Home users can also run antimalware software that scans web browsing in real time.