
Blog | 3-minute Read

Gone Phishing: Don't get suckered into social engineering scams


David Guest

Solution Architect & Technology Evangelist

Published: 14 August 2023

Think you know phishing? Think again. Modern phishing has evolved far beyond the scam email, and takes advantage of psychology, social engineering, and misinformation.

Updated August 2023.

Let’s be real. Phishing isn’t just scam emails.

It’s a relentless, constantly evolving threat that leaves conventional wisdom in the dust. And protecting yourself against it means more than just knowing about the types of phishing.

And while employing new technology is a crucial step for protection, hackers also have access to cutting-edge technology.

Hackers are now using AI-powered chatbots to craft attacks that have none of the telltale signs of a phishing email.

Worse, cyber criminals are now acting as service providers, selling tools and expertise in the form of Phishing-as-a-Service (PhaaS) phishing kits.

And it’s not just new technology you have to worry about.

Hackers exploit holes in psychology, human error, and social engineering to create the most effective phishing attacks – so that we give away data and credentials.

Mobile users also prove uniquely susceptible to deception due to their quick decision-making habits. With the ubiquity of mobile devices, the problem comes into sharp focus.

As you can see, modern threat protection has to work much harder to keep up.

The stark reality of the threat

Time for a reality check. The scale of this problem is immense.

An eye-opening IBM report paints a grim picture, revealing that a staggering 83% of organisations studied have weathered multiple data breaches [1].

And if that’s not enough to raise alarms, Verizon’s 2022 Data Breach Investigation Report reveals a whopping 36% of reported data breaches were rooted in phishing activity [2].

85% of organisations have experienced phishing and social engineering attacks.

Accenture


Modern phishing is more than just phony emails

It’s time to rethink your perception of phishing. Hackers wield extraordinary creativity, capitalising on fear, poking holes in our psychology, and exploiting misinformation.

The goal remains the same, though: deceiving individuals into divulging sensitive information or clicking perilous links.

To understand how vast the phishing threat truly is, check our guide to the different kinds of phishing attacks further down the page.

Don’t take the bait: Strategies to mitigate phishing threats

With the escalating phishing threat, enterprises must be proactive, strengthen their defences, and cultivate a security-focused culture to safeguard their critical data and assets.

A multi-pronged approach to phishing prevention is essential to mitigate the risk of an attack.

Implementing a Zero Trust model

This is less about technology and more about building a security culture and ethos. Adopting a zero trust mindset means verifying every access request, even those from within the organisation.

This approach ensures that only authorised users and devices gain access to sensitive data and systems.

Robust cyber security protection

Employing the right cyber security technology is crucial to safeguarding your organisation from the ever-evolving threat of phishing.

Advanced solutions, such as AI-powered email filters, real-time link analysis, and multi-factor authentication, can fortify your defences against deceptive tactics used by cyber criminals.

These technologies not only help detect and prevent phishing attempts but also empower employees to make informed decisions, ensuring a robust first line of defence.

Embrace a comprehensive strategy for technology investments. For example, Microsoft Defender for Office 365 offers full detection and response to modern cyber threats.

It seamlessly integrates with SIEM solutions like Sentinel, and is a cornerstone of Microsoft 365 Defender, a unified pre- and post-breach enterprise defence suite.

Robust phishing awareness training

Comprehensive and ongoing phishing awareness training programs should be implemented.

Effective phishing training should train employees to recognise red flags, like suspicious links, grammatical errors, and unusual sender addresses.

For example, Microsoft Defender for Office 365 has phishing attack simulation to test your organisation’s readiness against phishing attacks.

There’s also human behavioural training your organisation can undertake, like the Human Risk Management platform and personalised learning paths offered by Kocho partner Hoxhunt.

Incident response planning

Organisations should have well-defined incident response plans in place to handle security breaches swiftly and efficiently. Timely reporting of phishing attempts and suspicious activities can help contain potential damages.

Regular security assessments

Regular security assessments and penetration testing should be conducted to identify and address vulnerabilities in the organisation’s infrastructure and systems.

To identify these gaps and any other gaps in your digital estate, consider booking a security posture assessment with us.

90% of corporate security breaches are the result of phishing attacks.

Digital Guardian

The different types of phishing you need to be aware of

Let’s go on a whistlestop tour of all the ways a hacker might go fishing for your sensitive data. There are more than you think.

Phishing Emails

Phishing emails continue to be a major source of devastating data breaches worldwide, with over 3.4 billion phishing emails sent daily [3].

They’re designed to mimic legitimate sources, such as online customer support, banks, or other recognised organisations.

These deceptive emails often hide their true intentions in little details like the sender’s URL or an email attachment link.

Spear Phishing

A spear phishing attack takes a more targeted approach, relying on previously collected data about the victim or their employer.

Using urgent and familiar language, they attempt to prompt the victim into immediate action.

In 2022, spear phishing attacks made up 76% of all phishing threats [4].

Link Manipulation

In this attack, carefully worded phishing emails include a link to a popular website.

However, the link redirects victims to a spoofed version of the site, tricking them into confirming or updating their account credentials.
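The mismatch this attack depends on (visible link text naming one host while the href leads to another) can be checked mechanically before a message reaches a user. The detector below is an added example written for this article, not the author’s code; the e-mail body it scans is constructed:

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class AnchorCollector(HTMLParser):
    # Collect (href, visible text) pairs from every <a> element in the body.
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    # Host if the text looks like a URL or bare domain, else None.  Requiring a
    # dot and no spaces keeps ordinary words such as "here" from being read as hosts.
    candidate = text if "://" in text else "//" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host and " " not in host else None

def find_link_mismatches(html_body):
    # (shown_host, real_host) for every anchor whose visible host differs from
    # the host the href actually leads to; plain-word link text is never flagged.
    parser = AnchorCollector()
    parser.feed(html_body)
    pairs = ((host_of(text), host_of(href)) for href, text in parser.anchors)
    return [(s, r) for s, r in pairs if s and r and s != r]

# Constructed sample body: an honest link, a manipulated one whose visible text
# shows the bank's host while the href goes to a look-alike domain, and a plain
# "Click here" link that gives nothing to compare against.
SAMPLE_BODY = (
    '<a href="https://www.example-bank.com/statements">'
    'https://www.example-bank.com/statements</a><br>'
    '<a href="http://example-bank.com.login-verify.net/x">'
    'www.example-bank.com/login</a><br>'
    '<a href="https://tracker.example.net/u/123">Click here</a>'
)

if __name__ == "__main__":
    for shown, real in find_link_mismatches(SAMPLE_BODY):
        print(f"link text shows {shown} but goes to {real}")
```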

Fake Websites

Cyber criminals use phishing emails to direct victims to fake websites that resemble legitimate ones, such as mobile account login pages for known mail providers.

The victims are then prompted to enter their credentials or other sensitive information.

Session hijacking

Far more direct than other forms of phishing, this is where cyber criminals infiltrate a company’s web server to pilfer confidential data and user credentials held within.

CEO Fraud

CEO fraud phishing preys on a victim’s trust in familiar email addresses, often impersonating CEOs, Human Resources Managers, or IT support departments.

The urgent emails pressure victims into taking actions such as transferring funds, updating employee details, or installing new apps on their computers.

Content Injection

Savvy cyber criminals hack into well-known websites and include fake login pages or pop-ups to direct website visitors to malicious sites.

Malware

Malware remains a major threat, with 560,000 fresh malware instances being detected daily as of 2023 [5].

In malware attacks, phishing emails contain attachments that, when opened, install malicious software on the victim’s computer or the company network.

These attachments often masquerade as harmless files, such as funny cat videos, eBooks, PDFs, or animated GIFs.

‘Malvertising’

This phishing technique uses online advertisements or pop-ups to entice users to click seemingly valid links.

However, these links lead to the installation of malware on their computers.

Man-In-The-Middle

In this deception, two unsuspecting individuals are duped into believing they’re communicating with each other via email.

The hacker exploits this illusion, dispatching fraudulent messages to both, coaxing them to divulge sensitive information or update confidential corporate data.

“Evil Twin” Wi-Fi

This tactic involves spoofing free Wi-Fi access points in public locations like coffee shops, airports, hospitals, and shopping malls.

Victims unknowingly log into the fake Wi-Fi hotspot, making them vulnerable to cyberattacks.

Updating your enterprise wireless network can help protect you and your users from this sort of phishing, improving performance, leveraging the latest AI tools, and bolstering your security.

Mobile Phishing (Smishing)

Mobile phishing uses fraudulent SMS, social media messages, voice mails, or in-app messages to trick recipients into updating their account details, changing passwords, or responding to alleged security violations.

The messages often include links designed to steal personal information or install malware on mobile devices.

Voice Phishing (Vishing)

A modern use of an older technology: the hacker leaves a forceful voicemail that demands swift action, usually urging the recipient to dial a provided number immediately.

With AI technology being sophisticated enough to spoof voices, a target may believe that they’re being called by someone they’re already familiar with.

Conclusion

Outdated notions of phishing are dangerously inadequate in the face of modern enterprise threats. Hackers continuously innovate their attack methods, rendering traditional understanding obsolete.

The surge in remote and hybrid work, coupled with the widespread use of mobile devices, has also vastly expanded the attack surface.

It’s imperative for businesses to overhaul their cyber security strategy, educate employees, and adopt cutting-edge technologies for real-time prevention.

Anything less is a recipe for disaster.

Key Takeaways

  • Phishing remains an ever-evolving and substantial threat to modern enterprises, targeting a spectrum of attack vectors.

  • The vulnerability of mobile devices to phishing is on the rise, driven by limited screen space and user behaviour.

  • Cyber criminals deploy a range of tactics such as phishing emails, spear phishing, fake websites, and CEO fraud.

  • Effective defence against phishing necessitates a holistic approach, encompassing cyber security training, AI integration, and multi-factor authentication.

  • Staying ahead requires constant adaptation, as there are always new and inventive ways for hackers to phish for your credentials and data.


Author

David Guest

David Guest is Kocho’s Solution Architect & Technology Evangelist. He’s responsible for developing identity, Microsoft 365 security, and other cloud service solutions – and keeping our clients abreast of the latest technology trends.
