If I wanted to hack your business, I’d start with phishing your employees. The odds would be in my favor because it is one of the easiest and most effective ways to attack someone. And I only need to be right once – while your users can’t afford a single mistake.
I don’t plan to attack you, and I hope you never fall victim to an attack. So, in that spirit, let’s help you level up your defenses in this short series and teach you what you didn’t know you needed to know about phishing emails and similar types of cyber-attacks that are designed to trick your users.
We won’t get deeply technical, but across these three articles, we will dive deep into why it’s still a major concern today, how phishing attacks work, and how to protect yourself.
Chances are you’re already familiar with the term “phishing”, have seen plenty of training on email red flags, know to “think before you click”, and understand the risk of opening attachments from suspicious emails.
Despite how aware people are of this type of attack, it’s still a large problem – and one that is a growing concern, especially with the advancements of Large Language Models (LLMs) and Artificial Intelligence (AI).
If you’re worried about attacks like ransomware, business email compromises, or data breaches, it’s important to know that many attacks may start with something as simple as a phishing email.
Email security tools can help, but a lot of your ability to protect your business from phishing attacks depends on the user recognizing an email (or other interaction) as suspicious in the first place.
Today, let’s take a fresh look at what this is and what it means for your business.
Social Engineering is a deceptive tactic used by threat actors to trick a victim into doing things like sharing sensitive information, entering login credentials on an attacker-controlled page, or opening a malicious link or file.
All of this is usually done by impersonating another person or a trusted resource. At times, it may even come directly from someone you trust whose own account has been compromised.
Phishing is the most common type of Social Engineering attack and leverages email, but the same tactics can be used over SMS texts (“smishing”), phone calls (“vishing”), QR codes (“quishing”), instant messaging services, and social media.
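To make the impersonation above concrete, here is a small Python check, added for this article and not part of the original text, that flags three common phishing tell-tales in a raw email: a display name that invokes a trusted brand while the sending address is elsewhere, a Reply-To that diverts replies to a different domain, and link text that shows one URL while the real href points somewhere else. The sample message is constructed for illustration (the reserved documentation domains example.com and example.net are used), and the trusted-domain list is an assumption for the example.

```python
"""Flag common phishing indicators in a raw RFC 5322 message.

Added example, not code from the original article. The sample message
below is constructed; example.com / example.net are reserved
documentation domains and belong to no one.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name claims to be IT support at the
# victim's own company, but the sending address and Reply-To are
# elsewhere, and the visible link text does not match the real href.
SAMPLE_EMAIL = """\
From: "Example Corp IT Support" <helpdesk@examp1e-corp.net>
Reply-To: recovery@mail-reset.example.net
To: alice@example.com
Subject: Action required: password expires today
Content-Type: text/html; charset=utf-8

<p>Your password expires today. Reset it here:
<a href="https://example.net/reset?u=alice">https://sso.example.com/reset</a></p>
"""

# Domains the organisation legitimately sends from (assumption for the example).
TRUSTED_DOMAINS = {"example.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in the message."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display name invokes a trusted brand but the address is not from a trusted domain.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display_name.lower() and from_domain not in TRUSTED_DOMAINS:
            findings.append(f"display name '{display_name}' but sender domain '{from_domain}'")

    # 2. Replies are diverted to a different domain than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain '{_domain(reply_addr)}' differs from From domain '{from_domain}'")

    # 3. Visible link text looks like a URL whose host differs from the real href host.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if re.match(r"https?://", text):
            shown, real = urlparse(text).hostname, urlparse(href).hostname
            if shown and real and shown != real:
                findings.append(f"link text shows '{shown}' but points to '{real}'")

    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the sample, the script reports all three indicators. None of these checks is conclusive on its own (legitimate mailing services also set a different Reply-To, for instance), which is exactly why the article stresses that the final decision still rests with the person reading the message.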
It can become a real problem because:
Phishing remains one of the top three initial attack vectors according to Verizon’s 2024 Data Breach Investigations Report.
Phishing is second only to “Credentials”, which end up in the hands of threat actors and on the dark web through phishing attacks as well as other data breaches, password reuse, connecting to unsafe networks, malware, the password list under your keyboard, and so on…
When attackers are successful with phishing, social engineering, and stolen credentials, they tend to stay hidden longer. Take a look at this information from the 2024 IBM Cost of a Data Breach Report:
It shows the Mean Time to Identify (MTTI) and Mean Time to Contain (MTTC) data breaches based on the initial attack vector. Keep in mind that Phishing could still be involved in attacks categorized as Stolen or Compromised Credentials, Social Engineering, and Business Email Compromise.
For the businesses IBM spoke to in their report, the average Phishing attack took 195 days to detect and another 66 to contain.
"It’s worth noting that there are of course outliers here; sometimes you may find out right away if you’ve suffered an attack. However, many threat actors want to try to go undetected to maximize their attack once they get into an environment."
In the next two articles, we’ll talk more about how these attacks play out and how to defend your business.