It's safe to say that phishing attacks are among the biggest cyber pests ever. You would think that, with it being a veteran threat, we would have the upper hand against it. Unfortunately, even after all these years, phishing attacks are very much thriving.
We know that technology is a quickly evolving field, so as new threats appear on the horizon, a solution is often not far off. However, this raises the question: how has phishing, an old-school threat, stood the test of time?
A different kettle of phish
Although 'phishing' is entrenched in the cybersecurity dictionary, its capabilities and definition have shifted with the modern era. As a refresher: traditionally, phishing is an attack disguised as an email, one that delivers malicious links in order to harvest sensitive, confidential information.
Often, these emails carry a sense of urgency. For example, their subject lines usually read something like "Tax Refund" or "Suspended Account". They are also usually littered with spelling and grammar mistakes. In other words, they carry tell-tale signs we have become familiar with, which should put us ahead of the phishing curve.
However, as workplaces change and adopt practices such as bring your own device (BYOD), phishing attacks have evolved to follow suit. This has paved the way for a different type of attack: lateral phishing.
Looking out for the lateral
Phishing scams have always tried to look as legitimate as possible, and they have now taken this to the next level. Rather than just sending out bogus emails from "Google", they are now trying their hand at internal emails.
In a lateral phishing attack, the attacker contacts you from the compromised email account of someone you often correspond with, and asks you to perform an action that gets them the information they need. These messages carry the same 'urgency' as the phishing scams we already know: for instance, the subject line will suggest that there is a problem with your account and that you need to take action. The recipient then follows the phishing link (unknowingly, of course) and fills out a bogus form, which is where the scammer harvests the credentials.
This is especially effective because, well, why would anyone doubt it? Even if you had your suspicions, you would probably think it a little far-fetched that somebody would target you specifically. However, this is the new reality for phishing scams, and combating it is going to take more than instinct.
Preparing your tackle
Unlike its traditional counterpart (you know, the "Your Salary Increase" type sent from a Gmail account that is (a) external and (b) not your boss's), lateral phishing is relatively successful. So the sooner you protect your business, the better.
Firstly, and quite unfortunately, phishing attacks really do depend on human behaviour. However, this is not limited to 'gullible' people: as mentioned before, why would you suspect that a message from an internal email account with a perfectly reasonable request is actually an attack? Therefore, the first step is to educate your workforce. In particular, you may wish to conduct mock phishing drills and implement best practices, such as phoning the individual who made the request to confirm it.
Of course, you will also need to tighten your company's security. Pull out all the stops: deploy spam and web filters, make sure all of your security systems are updated, and encrypt all of your information. Once you have done so, you must keep on top of monitoring. You want to be monitoring your security at all times anyway, but as phishing evolves, you need to ensure your strategies do too.
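As an added example of the kind of monitoring check described above (not code from the original article), the script below scores a single email for the lateral-phishing combination the article describes: an internal sender, an urgency-laden subject line, and a link that points off the organisation's own domain. The domain, the urgency phrases and the sample message are all constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption (not from the article): the organisation's own mail domain.
INTERNAL_DOMAIN = "example.com"
# Urgency wording of the kind the article says these subject lines carry.
URGENCY_RE = re.compile(
    r"suspended|tax refund|problem with your account|take action|urgent", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def _is_internal(host: str) -> bool:
    host = host.lower()
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)

def _body_text(msg) -> str:
    chunks = []
    for part in msg.walk():  # walk() yields the message itself when it is not multipart
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def assess(raw_message: str) -> dict:
    """Check one RFC 822 message for the internal-sender / urgent-subject / off-domain-link combination."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_host = sender.rsplit("@", 1)[1] if "@" in sender else ""
    external = [u for u in URL_RE.findall(_body_text(msg))
                if not _is_internal(urlparse(u).hostname or "")]
    verdict = {
        "sender_internal": _is_internal(sender_host),
        "urgent_subject": bool(URGENCY_RE.search(msg.get("Subject", ""))),
        "external_links": external,
    }
    # The article's lateral case: an internal account urging action through an off-domain link.
    verdict["lateral_pattern"] = verdict["sender_internal"] and verdict["urgent_subject"] and bool(external)
    return verdict

# Constructed sample (not from the article): a colleague's mailbox pushing an off-domain form.
SAMPLE = """From: Alice <alice@example.com>
To: bob@example.com
Subject: Problem with your account - take action today

Hi Bob, please re-enter your login here: http://forms.example-login.net/verify
"""
```

Running `assess(SAMPLE)` flags the sample, while the same message with an intranet link, or the same link from an outside address, does not match the lateral pattern (the latter is ordinary external phishing, which a spam filter should handle).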