From an unexpected invoice sent by a supplier or a random message from HR offering you a salary increase to an odd email from DHL asking for shipping costs, 91% of all cyber attacks and 42% of ransomware attacks start with a phishing email.
In fact, phishing has become such an effective attack vector that at least one person clicked on a phishing link in around 86% of organisations last year, with experts predicting that another six billion attacks will occur in 2022. Recent world events have also created a large increase in ransomware attempts, almost all of which begin with simple (untargeted) phishing emails. Others begin with spear phishing, a more sophisticated approach in which the attacker researches the target carefully and then crafts emails that appeal directly to them.
While larger organisations focus on education and awareness to ensure their employees are the first line of defence against phishing attacks, further down the supply chain, you may have smaller suppliers with fewer security-aware employees who are more likely to unwittingly click on a malicious website. This could have repercussions right across the supply chain, triggering ransomware attacks on larger organisations. As a result, phishing has become one of the biggest threats to cybersecurity this year.
Preying on human instinct
The objective of a phishing email is to dupe the victim into either downloading malware or clicking on a malicious website link and entering their login credentials so the hacker can access their network. In other types of phishing scams, the hacker asks the victim to input their credit card details into a fake website, so they can steal them.
To execute a phishing attack, hackers typically send phishing emails in bulk with the expectation that they can trick at least a small percentage. Hackers often try to imitate a supplier, a courier, the victim’s HR department or even their boss. In fact, hackers have become so good at impersonating brands and people that 97% of victims can’t identify phishing emails.
Ultimately, however, it is the social engineering of human behaviour that makes phishing attacks so effective. Hackers often prey on an employee’s desire to be helpful or to do what an authority figure tells them. Threats and enticements are another lever: hackers may promise ‘free iPhones to the first 100 respondents’, warn that ‘your credit card will be suspended without immediate action’, or claim that an invoice must be paid to avoid termination of services. This creates panic, urgency or curiosity. By implying financial gain or potential financial loss, they push victims to respond to their emails quickly, before they have had time to think.
Availability of phishing tools
The availability of phishing kits on the dark web, at a fairly low cost, gives even the most novice of hackers an easy opportunity to enter the market. A phishing kit often contains lists of email addresses for attackers to target as well as HTML, images, and code that enable hackers with little or no knowledge of phishing to create thousands of phishing pages and easily attack a large audience. A phishing kit may also include email templates, sample scripts, and graphics that impersonate well-known brands and are used to carry out phishing, spear phishing and whale phishing.
But the most worrying part is that people with minimal IT experience can buy and use these phishing kits and still reap the benefits.
Education and technology
As phishing attacks continue to accelerate, education and awareness are an effective way to reduce their impact. Employees should be encouraged to read emails carefully rather than just skimming them. They need to look out for spelling mistakes and grammatical errors, especially as many attacks are launched from abroad.
Employees should also check the sender’s email address. If an email appears to be from someone at work, make sure the email address is spelt correctly, since attackers register lookalike domains that differ from the real one by a single character. Furthermore, if your organisation uses Microsoft Teams, for example, there’ll be a green dot by their name to indicate they’re online, proving the email is legitimate.
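The "is the sender’s address spelt correctly?" check can also be automated at the mail gateway. The following is an added example, not code from the original article: it classifies a From: address as trusted, a lookalike of one of the organisation’s own domains, or simply external. The domain names, the confusable-character table and the function names are assumptions constructed for the example.

```python
import re

# Constructed allowlist of domains the organisation legitimately sends from.
TRUSTED_DOMAINS = {"example.com", "example-corp.co.uk"}

# Visual substitutions commonly used in lookalike domains (assumed table),
# folded to one form so "exarnple.com" and "examp1e.com" both collapse to
# "example.com" before comparison.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def fold(domain: str) -> str:
    """Lower-case a domain and collapse confusable character sequences."""
    d = domain.lower()
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike', 'external' or 'invalid' for a From: address."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        return "invalid"
    domain = m.group(1).lower()
    if domain in trusted:
        return "trusted"
    folded = fold(domain)
    for t in trusted:
        # Exact match after folding, or within two edits: a near-miss spelling.
        if folded == fold(t) or edit_distance(folded, fold(t)) <= 2:
            return "lookalike"
        # Trusted name embedded in a longer domain, e.g. example.com.login-check.net
        if t in domain:
            return "lookalike"
    return "external"
```

A message classified as "lookalike" is the one worth holding or banner-tagging for the recipient; "external" mail from a genuine supplier domain should pass through normally.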
Companies can also use technology solutions that scan emails for malware, helping employees to distinguish between legitimate and phishing emails.
However, education and technology shouldn’t just be deployed within your own organisation. Phishing attacks on suppliers are typically how hackers launch ransomware attacks on larger organisations. To avoid this, assess your supplier ecosystem and identify high-risk suppliers, i.e. those that have access to your sensitive data, such as HR, financial and operational data. Analyse each high-risk supplier’s security measures and ask for any improvements or training needed to strengthen their security posture and make their employees more security-aware.
Safeguarding your future
It’s clear the wide availability of phishing kits has lowered the financial and technical barriers to entry, giving hackers an easy opportunity to enter the market and reap the rewards of stealing credit card details or gaining access to an organisation’s network to deliver ransomware. However, with 500 million ransomware attacks recorded in the first half of last year, and the number set to rise this year, it’s time for you to take urgent action to stop employees clicking on phishing emails both within your own organisation and across your suppliers. Only then can you safeguard yourself from phishing scams and the potential of being crippled by ransomware attacks.