Many of you have probably heard the term “phishing,” but fewer may know what it actually means, which is the purpose of this newsletter. Phishing is a form of cyberattack in which an attacker impersonates a genuine organization or person, by email or other message, to trick the victim into handing over critical or confidential information such as bank account numbers (Rains, 2020). Phishing comes in several forms, including spear phishing and whaling. Most of us are exposed to such attempts daily, and no one knows in advance when they will be targeted, which is why every Sifers-Grayson employee and non-technical manager should take this newsletter seriously.
Spear-phishing attacks have been on the rise in recent years. In a spear-phishing attack, the attacker customizes an email with the victim’s name, role, organization, office phone number, and other details so that the victim believes they are communicating with the real sender (Kwak et al., 2020). Attackers may combine email spoofing with tailored URLs and drive-by downloads to get around security controls. More sophisticated spear-phishing attacks may also exploit vulnerabilities in browsers and browser plug-ins. A successful spear-phishing attempt is often only the first step, followed by executable downloads, outbound Trojan connections, and eventually a data breach.
A whaling attack is a special kind of phishing attack that targets high-ranking executives, officials, and other prominent individuals. In a whaling attack, the target is tricked into divulging personal or company data through email or website impersonation (Rains, 2020). The aim is to deceive the target into disclosing confidential information by email, or into visiting a spoofed site that imitates a reputable entity and requests private details such as transaction or bank account information.
Recently, the most common form of spear phishing has been Business Email Compromise (BEC). According to Bakarich and Baranek (2020), a BEC attack uses an email address that appears legitimate to persuade the recipient to perform a specific action. Typically the attacker wants the targeted company to believe it is completing a genuine business transaction while it is in fact wiring funds to the attacker. Spear-phishing scams prey on people who post their personal details online, because those details make the pretext convincing.
Employees should be especially attentive so they do not fall victim to a phishing scam. Phishing messages often contain small mistakes that give them away, such as spelling errors and subtly altered web addresses, and a careful reader can spot these. Do not reply to or act on such emails. Other ways to avoid falling for phishing include keeping antivirus software up to date, providing continuous cybersecurity training to staff, and ensuring that workers do not store or share sensitive and private data online.
More importantly, the organization should amend its financial policies so that no money transfer can be authorized by email alone. Likewise, the business should invest in tools that scan incoming email for phishing and block potentially malicious links, set up strict verification procedures for payment requests, enforce two-factor authentication, and encourage employees to use strong passwords.
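The two paragraphs above describe what a careful reader looks for in a suspicious message and what an email-scanning tool should check for. The script below is an added example, written for this newsletter and not taken from any vendor product or from the sources cited, that applies those checks to a raw email: a visible sender domain that differs from where replies and bounces actually go, failed SPF/DKIM results recorded by the mail server, a sender or link domain one or two characters off a trusted domain, and a link whose visible text names one site while the href opens another. The trusted domains and both sample messages are constructed for illustration.

```python
"""Heuristic phishing triage for a raw email (added example, not vendor code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

# Domains the organization legitimately sends from or links to (assumed).
TRUSTED_DOMAINS = ("sifers-grayson.com", "bank.example")


def _domain(addr: Optional[str]) -> str:
    """Lower-cased domain part of an address header value, or '' if absent."""
    _, email = parseaddr(addr or "")
    return email.rpartition("@")[2].lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value against a trusted domain suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None.

    Trusted domains and their subdomains are never lookalikes; any other
    domain within two edits of a trusted domain is.
    """
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if domain.endswith("." + trusted):
            return None
        if _edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def _text_body(msg) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = ""
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    return body


def triage_email(raw: str) -> List[str]:
    """Return human-readable phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings: List[str] = []
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    return_dom = _domain(msg.get("Return-Path"))

    # 1. Sender spoofing: replies or bounces go somewhere other than the
    #    domain the recipient sees in the From header.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to mismatch: {from_dom} -> {reply_dom}")
    if return_dom and return_dom != from_dom:
        findings.append(f"return-path mismatch: {from_dom} -> {return_dom}")

    # 2. Sender authentication results recorded by the receiving mail server.
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|none)\b", auth):
            findings.append(f"{mech} not passing")

    # 3. Sender domain one or two characters off a trusted domain.
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"lookalike sender domain {from_dom} (imitates {imitated})")

    # 4. Links: visible text naming one site while the href opens another,
    #    punycode (xn--) hosts, and lookalike link domains.
    anchor = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
    for href, text in anchor.findall(_text_body(msg)):
        host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower())
        if shown and shown.group(0) != host and not host.endswith("." + shown.group(0)):
            findings.append(f"link text says {shown.group(0)} but goes to {host}")
        if host.startswith("xn--") or ".xn--" in host:
            findings.append(f"punycode link host {host}")
        imitated = lookalike_of(host)
        if imitated:
            findings.append(f"lookalike link domain {host} (imitates {imitated})")
    return findings


# Constructed sample messages (not real mail): a BEC-style wire request and a
# benign internal notice.
SAMPLE_PHISH = """\
From: "Accounts Payable" <ap@sifers-greyson.com>
Reply-To: ap-urgent@mail-relay.example
Return-Path: <bounce@mail-relay.example>
Authentication-Results: mx.sifers-grayson.com; spf=fail smtp.mailfrom=mail-relay.example; dkim=none
Subject: Urgent wire transfer
Content-Type: text/html; charset="utf-8"

<p>Please confirm the transfer at
<a href="http://xn--bnk-4ma.example/login">https://bank.example/login</a> today.</p>
"""

SAMPLE_CLEAN = """\
From: payroll@sifers-grayson.com
Authentication-Results: mx.sifers-grayson.com; spf=pass; dkim=pass; dmarc=pass
Subject: Payroll calendar
Content-Type: text/plain; charset="utf-8"

The calendar is posted at https://intranet.sifers-grayson.com/payroll.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, triage_email(raw) or ["no indicators"])
```

These are heuristics, not proof: a genuine mailing-list message can have a different Return-Path, and an attacker who registers a domain several characters away from a trusted one will slip past the edit-distance check. The value is in surfacing the same signals to employees and to the mail gateway consistently, so that a message that trips several of them is escalated rather than acted on.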
Workers should promptly report any suspected phishing attempt to the IT Security Team or whoever is responsible for security protocol. Companies should maintain an incident response team (IRT) dedicated to handling cybersecurity incidents. Immediate reporting is crucial to stopping the attackers, because the IRT can act on the report and warn everyone else in the company as soon as an attack is detected. Prompt reporting also gives the organization time to take interim protective measures, such as isolating affected systems (or taking them offline if necessary), resetting exposed credentials, and backing up data, before the attack fully compromises the organization. In turn, the organization can preserve crucial data and protect employee and customer data from a breach.
References
Bakarich, K. M., & Baranek, D. (2020). Something phish-y is going on here: A teaching case on business email compromise. Current Issues in Auditing, 14(1), A1-A9.
Kwak, Y., Lee, S., Damiano, A., & Vishwanath, A. (2020). Why do users not report spear-phishing emails? Telematics and Informatics, 48, 101343.
Pienta, D., Thatcher, J. B., & Johnston, A. (2020). Protecting a whale in a sea of phish. Journal of Information Technology, 35(3), 214-231.
Rains, T. (2020). Cybersecurity Threats, Malware Trends, and Strategies. Packt Publishing.