Phishing scams are on the rise — here’s how you can be prepared
Corporate phishing is on the rise, with several high-profile phishing scams making global headlines of late. Hackers made off with the data of mns of Robinhood users at the start of the month, using social engineering tactics to gain access to 5 mn email addresses and 2 mn full names through an employee of the digital trading platform. Meanwhile, the US brought charges in early November against one Ukrainian and one Russian in connection with the Russia-linked REvil ransomware attack earlier this year, which targeted US businesses and government entities, including multinational software company Kaseya. Add to that the surge in cryptocurrency-related scams, such as when hackers stole USD mns from DeFi platform bZx through a phishing scheme targeting a company employee, and the online world seems to be turning into a hacker’s Wild West fantasy.
But what exactly is corporate phishing? Bad actors on the internet try to breach online security systems to gain access to companies’ data — often through surprisingly unsophisticated methods. Often, it’s a strange-looking email landing in the inbox of a company employee from an unknown contact, or someone impersonating a known contact. The email will use social engineering tactics — psychological manipulation techniques employed to gain someone’s trust — to attempt to get the recipient to click through to an innocent-seeming link. The link usually allows the attacker to install malware on the employee’s device, granting access to company files through vulnerabilities in their digital systems.
Phishing is on the rise here at home as well: We’ve been hearing of more phishing attacks taking place locally, where homegrown hackers have also been targeting employees over the phone. Back in September, fraudsters appeared to have gotten their hands on one or more telemarketing lists and were placing calls in which they used social engineering tactics, pretending to be the Central Bank of Egypt or your bank of choice, to try to browbeat you out of your personal information. The tactics, in a call one of us received, included aggressive threats of fines and frozen accounts if we didn’t cough up the information they wanted.
Why do some of us fall for it? The psychology behind phishing is also fairly simple. Hackers exploit people’s natural inclination to trust, and our tendency to respond to a sense of urgency. Scammers put pressure on their mark to respond quickly to the request, not leaving us time to engage our analytical brains, and will often stress the confidentiality of the matter so that the employee is discouraged from asking colleagues for a second opinion, according to cybersecurity firm Egress. New employees are especially likely to be targeted, as are people in busy, stressful positions who may be expected to respond to communications around the clock, Egress says. New hires may be less familiar with usual practice and hesitant to ask colleagues for help, while overworked employees are more likely to lose concentration and make impulsive decisions.
So, what happens in a data breach? In a successful phishing attempt, the hackers will either get their victim to hand over sensitive information or successfully install malware on the victim’s device, according to security news and research firm CSO. In the first scenario, the hackers, newly armed with an employee’s login credentials, are able to enter company files and steal sensitive data, either to leak it, sell it on, or use it to launch further attacks on company clients. In the second scenario, the malware infects the company’s computer systems with code that serves the hackers’ purposes. That could mean adware, spyware, or, as is common in corporate contexts, ransomware: company data is encrypted and locked up until a ransom is paid to the scammers.
You need to be watching your inbox: More than 35% of over 10k companies surveyed by ransomware protection firm Barracuda were targeted by so-called bait attacks this past September, with each company receiving on average three bait emails. These attacks see hackers send very short or even blank emails to potential marks, and are meant to suss out how likely a recipient is to reply. Once the employee hits send, they’re “on the hook”: Further emails will arrive persuading them to divulge sensitive or financial information in preparation for a hack attempt. Usually sent through newly set-up Gmail accounts, these attacks are both hard to trace and, because they don’t contain much information, near impossible for phishing filters to detect.
But phishing has evolved into more than just an email problem: Most of us know to think twice before clicking on links or responding to emails sent by unknown contacts but hackers now have more angles of attack. Employees have sprawling online identities that stretch across multiple platforms — and many of us are guilty of recycling the same passwords for email, workflow platforms, messenger and video apps, cloud-based work files and even bank accounts. If one password falls into the wrong hands, it can open up multiple entry points to a company’s online work and storage spaces.
Humans are the weakest link: Digital security startup SlashNext calls multi-channel digital attacks “human hacking,” writing in its 2021 Human Hacking Report that, “humans are the most porous cybersecurity entry points into an organization.” Last July saw the number of active, malicious URLs for use in phishing scams peak at over 1 mn — a more than 40% y-o-y increase — as attackers sought to capitalize on the Tokyo Olympics with fake ticket offers meant to steal credentials, according to the SlashNext report. Meanwhile, 85% of all online data breaches involve human interaction, according to Verizon’s Data Breach Investigations Report 2021.
How can you spot and prevent a phishing attack? Look for anything that seems “off.” Warning signs include typos and poor grammar (or the lack of typos from a busy exec); a bank asking for or sharing account information, which in the vast majority of cases should only be done over a secure digital platform; and messages from unknown contacts, or from known contacts who usually contact the recipient via other channels, cybersecurity experts tell The Conversation. For more red flags, check out this useful resource from security awareness training provider KnowBe4 (pdf).
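The bait-attack pattern above (a near-empty first message from a freemail address, sent only to see who replies) and the red flags in this paragraph (a request for account data, pressure language, a familiar name writing from an unfamiliar address) can be turned into a simple triage rule for a mail gateway or a helpdesk queue. The following is an added example, not code from Barracuda, KnowBe4 or the article; the three messages, the address book and the keyword lists are constructed for illustration, and the scoring thresholds are an assumption a real deployment would tune.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages for this example (not taken from the article).
BAIT_MSG = """From: Accounts Team <accounts.team.2021@gmail.com>
To: sara@example-corp.com
Subject: Hi

Are you at your desk?
"""
IMPERSONATION_MSG = """From: Omar Hassan <omar.hassan.ceo@gmail.com>
To: sara@example-corp.com
Subject: Urgent - keep this confidential

Sara, I need the account number and online banking password immediately.
"""
NORMAL_MSG = """From: Omar Hassan <omar@example-corp.com>
To: sara@example-corp.com
Subject: Q3 figures

Hi Sara, the Q3 figures we discussed yesterday are in the shared folder.
"""

# Hypothetical address book: display name -> address that person normally uses.
KNOWN_CONTACTS = {"omar hassan": "omar@example-corp.com"}
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SENSITIVE = re.compile(r"\b(password|passcode|account number|otp|card number|cvv)\b", re.I)
PRESSURE = re.compile(r"\b(urgent|immediately|frozen|fine|suspend|confidential)\b", re.I)

def score_message(raw: str) -> dict:
    """Return the sender address, the warning signs triggered, and a verdict."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = body + " " + msg.get("Subject", "")
    flags = []
    known_addr = KNOWN_CONTACTS.get(name.strip().lower())
    if known_addr and known_addr != addr:
        flags.append("known name, unfamiliar address")   # impersonated contact
    elif addr not in KNOWN_CONTACTS.values() and domain in FREEMAIL:
        flags.append("unknown freemail sender")          # typical bait origin
    if len(body.split()) < 8:
        flags.append("short or empty body")              # bait: only wants a reply
    if SENSITIVE.search(text):
        flags.append("asks for credentials or account data")
    if PRESSURE.search(text):
        flags.append("urgency or confidentiality pressure")
    return {"sender": addr, "flags": flags, "suspicious": len(flags) >= 2}
```

Two or more flags mark a message for a human check rather than an automatic block, since a short note from a new freemail sender is also what a legitimate first contact can look like.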
But it's not just an individual responsibility. Company managers should also work to lay the groundwork to protect their organizations from phishing attacks before disaster hits. The UK government’s National Cyber Security Centre recommends that all companies put in place an incident response plan and run drills to practice it. The plan should cover everything from how to quickly force a password reset if credentials are compromised, to the staff member responsible for removing malware from the system. Its Exercise In A Box tool allows companies to test their resilience against attacks in a safe environment.
Awareness is the best defense: The first and most important step is to make sure all company employees know what phishing is. Armed with that knowledge, when an odd message comes into an employee inbox on any digital communications platform, they will already be alert to the potential danger.
The bottom line: Never click on a suspicious-looking email or link; never give out sensitive information, including personal credentials, passwords or account information, over a non-secure platform; and never be intimidated into thinking that it’s wrong to verify someone’s identity before carrying out their request. If in doubt, trust your instincts and take the issue up the line to a more senior member of staff.