If I wanted to hack your business, I’d start with phishing your employees. The odds would be in my favor because it is one of the easiest and most effective ways to attack someone. And I only need to be right once – while your users can’t afford a single mistake.
I don’t plan to attack you, and I hope you never fall victim to an attack. So, in that spirit, let’s help you level up your defenses in this short series and teach you what you didn’t know you needed to know about phishing emails and similar types of cyber-attacks that are designed to trick your users.
We won’t get deeply technical, but across these three articles, we will dive deep into why it’s still a major concern today, how phishing attacks work, and how to protect yourself.
Part 1: Hook, Line, and Sinker
Chances are you’re already familiar with the term “phishing” and have probably already seen plenty of training on email red flags, to “think before you click”, and understand the risk opening random files on suspicious emails.
Despite how aware people are of this type of attack, it’s still a large problem – and one that is a growing concern, especially with the advancements of Large Language Models (LLMs) and Artificial Intelligence (AI).
If you’re worried about attacks like ransomware, business email compromises, or data breaches, it’s important to know that many attacks may start with something as simple as a phishing email.
Email security tools can help, but a lot of your ability to protect your business from phishing attacks depends on the user recognizing an email (or other interaction) as suspicious in the first place.
Today, let’s take a fresh look at what this is and what it means for your business.
Don’t Take the Bait
Social Engineering is a deceptive tactic used by threat actors to trick a victim into things like sharing sensitive information, capturing login credentials, and opening a malicious link or file.
All of this is usually done by impersonating another person or another trusted resource. At times, it may even come directly from someone else you trust that has suffered a compromise of their own.
Phishing is a specific type of Social Engineering attack that leverages email and is most common, but the same tactics can be used over SMS texts (“smishing”), phone calls (“vishing”), QR codes (“quishing”), instant messaging services, and social media.
It can become a real problem because:
- Businesses need to allow outside communications. We can’t fully cut ourselves off from the rest of the world if we want the ability to communicate with clients, partners, and others.
- AI is making it harder for users to identify Social Engineering attacks. These great new tools can give threat actors ways to write more compelling messages with greater efficiency.
- Social Engineering and phishing are often the initial attack vector. When these attacks are successful, they can lead to data breaches, ransomware, or other compromises (including Business Email Compromises).
- Business Email Compromises (BECs) can be particularly troublesome. If your email were to become compromised (perhaps because of a phishing attack), it could be used to launch additional phishing attacks in your name to people that trust you and harm your reputation. (A lot more can happen during a BEC, but we’ll have to dig into that in a future article!)
- Attackers go after the weakest links in our environment: our people! They play on human emotions, confusion, urgency, and other distractions that may cause even the most diligent of your staff to act irregularly.
- Users may not realize they have interacted with a phishing email or social engineering attack. The threat actor wants to stay hidden, so they do their best to try to trick the user, hoping they never realize what happened and that it goes unreported.
- Training can only go so far. Training goes out the window if the user never realized the email they were working with was suspicious in the first place – it’s easier said than done!
Plenty of Phish in the Sea
Phishing remains one of the top 3 initial attack vectors according to Verizon’s 2024 Data Breach Investigations Report:
Phishing is second to “Credentials”, which can end up in the hands of threat actors and the dark web from phishing attacks as well as other data breaches, using the same password repeatedly, connecting to unsafe networks, malware, looking at the password list under your keyboard, the list goes on…
When attackers are successful with phishing, social engineering, and stolen credentials, they tend to stay hidden longer. Take a look at this information from the 2024 IBM Cost of a Data Breach Report:
It shows the Mean Time to Identify (MTTI) and Mean Time to Contain (MTTC ) data breaches based on the initial attack vector. Keep in mind here that Phishing could still be involved with attacks that used Stolen or Compromised Credentials, Social Engineering, and Business Email Compromises.
For the businesses IBM spoke to in their report, the average Phishing attack took 195 days to detect and another 66 to contain.
"It’s worth noting that there are of course outliers here, sometimes you may find out right away if you’ve suffered an attack. However, many threat actors want to try to go undetected to maximize their attack once they get into an environment."
Want to Avoid Becoming a Similar Statistic?
In the next two articles, we talk more about how these attacks play out and how to defend your business.
Catalyit Subscriber Offer
Something’s “Phishy”! Part Two
The Rising Threat of Phishing and Social Engineering
No Comments Yet
Let us know what you think