Organisations understand the power of data, and my job is to help them overcome challenges so they can achieve their data acquisition goals.
Working with data involves more than just collection, however. Ensuring that it is secure is also a fundamental part of the equation, and part of that effort involves teaching clients how to protect their operation from cybersecurity attacks.
Phishing – the act of sending emails that falsely claim to be from legitimate organisations – is a growing concern. Google recently reported that the number of phishing websites increased by 350% last year, from 149,195 in January to 522,495 in March. Besides attempting to extract passwords to bank accounts and other sensitive information, many of these attackers used COVID-19-related content to coerce unsuspecting users into giving up personal information.
This quick guide is going to familiarise you with the threat this can pose to your organisation. In addition to outlining the types of attacks, there are also sections with guidelines your company can implement immediately to safeguard against future attacks.
Phishing is a growing threat
Understanding the enemy is one of the keys to winning battles in cyberwarfare. Most people will recognise a blatant attempt in their spam folder – like an advertisement for branded sunglasses or sneakers – but attacks have recently grown more sophisticated and now include less obvious types.
A new report from Webroot claims that the number of phishing-related emails increased 34% worldwide over the past year and that more than a fifth of UK employees have received at least one COVID-19-themed phishing email over the past few months. While three-quarters of the UK respondents believe they are armed with enough knowledge to stay safe, two-thirds are known to open emails from unknown senders, according to the report.
The problem is further compounded by the interchangeable use of devices for both work and personal matters. Nick Emanuel, the Senior Director of Product at Webroot, summed it up perfectly by stating that “with mass work from home, an influx of emails and a general ‘always connected’ attitude, there are more opportunities for cybercriminals than ever before.”
Phishing threats are more sophisticated than ever before
The perceived threat of COVID-19 has given fuel to the fear that makes phishers thrive. Users of email know well enough not to click on obvious solicitation spam, but phishing tactics have evolved beyond consumer ads for drugs and designer apparel.
Spotting a phishing attack is the best proactive measure one can take to neutralise the threat and protect corporate information. There are many types of phishing attacks that use different tactics – and they are increasing in number. Some of the most common, according to David Bisson at Tripwire, include:
Deceptive phishing is where fraudsters attempt to impersonate a legitimate organisation in order to obtain personal data or login credentials.
Techniques used include the provision of legitimate links, redirects and shortened links, modified brand logos, and the use of images with written content to evade detection.
A typical example is an email by a payment processing company asking the user to click a link and enter their information to resolve a claim dispute.
Spear phishing is a more personalised attack whereby an attacker identifies in advance their target’s personal information and sends a customised email with a malicious URL or email attachment asking for personal data. These types of attacks are most prevalent on social networks like LinkedIn that contain rich data sources that can be used to personalise an attack email.
While phishing relies on email, “vishing” uses phone calls set up over a Voice over Internet Protocol (VoIP) server to impersonate reputable organisations in order to steal sensitive data like passwords. Protection against vishing attacks starts with awareness about the issue, especially when receiving calls from unknown phone numbers asking for sensitive information.
Along with vishing, “smishing” is another phishing technique that uses SMS messages rather than phone calls to obtain personal data. In addition to using malicious links, attackers may attempt to coerce the victim into downloading an app that deploys ransomware that may enable them to remotely control their device.
Defense Tactics That Fight Phishing
When it comes to phishing, the best offense is defense. Here are some tactics employees can use to keep personal and company information safe:
- Use strong passwords that mix special characters, numbers and capital letters
- Check if sites are trusted before entering personal login credentials and sensitive information
- Inspect the website’s SSL certificate and ensure it matches the URL
- Do not click attachments on suspicious emails and scrutinise email addresses to ensure they are from legitimate organisations
- Hold company workshops and webinars to increase awareness
- Keep the operating system and all applications up to date, including software and browser updates
- Use antivirus software and anti-phishing toolbars
- Use web application firewalls
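Several of the deceptive-phishing techniques described earlier (shortened links, links whose visible text shows one site while pointing at another) and the advice above to scrutinise sender addresses can be checked mechanically. The following Python sketch is an added example, not part of the original article; the brand domain `examplepay.test`, the shortener list, the 0.85 similarity threshold and the sample message are all constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # small illustrative list
TRUSTED = {"examplepay.test"}                   # hypothetical brand domain
DOMAIN_TEXT = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)
SAMPLE_FROM = "ExamplePay Support <support@examp1epay.test>"  # constructed
SAMPLE_HTML = ('<a href="http://login.payments-verify.test/claim">www.examplepay.test</a>'
               '<a href="https://bit.ly/constructed">Open dispute</a>')  # constructed

class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):  # lower-cased host of a URL or bare domain
    url = value if "://" in value else "//" + value
    return (urlparse(url).hostname or "").lower()

def link_findings(html):
    """Flag shortened links and visible text that names a different host."""
    parser, findings = _Links(), []
    parser.feed(html)
    for href, text in parser.links:
        host = _host(href)
        if host in SHORTENERS:
            findings.append(("shortened-link", href))
        if DOMAIN_TEXT.match(text) and _host(text) != host:
            findings.append(("text-href-mismatch", f"{text} -> {host}"))
    return findings

def sender_findings(from_header):
    """Flag a From domain that resembles, but is not, a trusted one."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    return [("lookalike-sender", f"{domain} ~ {good}") for good in TRUSTED
            if domain != good and SequenceMatcher(None, domain, good).ratio() >= 0.85]
```

The trusted set is matched exactly, so legitimate subdomains must be listed explicitly, and these heuristics are a triage aid rather than a verdict on any single message.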
Fight phishing with next-level proxies
Cybersecurity companies take a proactive stance by scanning websites for threats, but the operators of malicious websites know they are under scrutiny. Rather than allow themselves to be identified, they block IP addresses they suspect may belong to cybersecurity companies so they can stay anonymous and undetected.
High-performance datacenter and residential proxies ensure that cybersecurity firms stay anonymous by acting as a cover for cybersecurity companies’ IP addresses. This allows them to scan websites for threats in their efforts to protect clients from cybercrime.
Not all proxies are equal. Ethically-sourced proxies provide increased stability and performance and ensure that web crawling and scraping efforts are successfully executed with speed and efficiency.
Phishing is a threat, and it’s growing. Attackers are increasing in numbers and sophistication, posing a threat to the data security of companies and organisations throughout the world. Along with advanced training and awareness, progressive cybersecurity efforts bolstered by proxies ensure that hazards are minimised or, better yet, completely eliminated from cyberspace.
Author: Andrius Palionis, VP Enterprise at Oxylabs