Creating awareness – Phishing

Phishing techniques are evolving – don’t get hooked

In today’s age of technology and data, it’s important for all companies to take extraordinary cybersecurity measures. Regardless of industry, size and geography, all companies are targets for cybercriminals. Hackers use various techniques but there is one that stands out the most: phishing. Phishing exploits human error, is the least demanding to undertake and is the most successful.

Phishing can have an extensive negative impact on your business. That is why all companies should be able to secure themselves against phishing by testing and training its employees.

Chat with a security expert

Testing and training

Increasing your companies resilience against phishing attacks is not a one-time effort. People need to be tested and trained on a regular basis. A one time test or training will typically only increase the awareness amongst employees for 2 weeks. Phishing awareness must be a continuous process.

At the Security Factory, we are partnering with Phished.io. Phished is a solution that automates the entire phishing awareness process by implementing:

Automated phishing simulations: tailor-made and on an individual level
Academy: provides microlearning on cyber security topics
Activation: provide your employees with the opportunity to report phishing attempts and contribute to the safety of your organization
Reporting: in depth analysis of the weak spots

The entire solution is based on AI-driven technology which greatly reduces the manual effort that needs to be allocated.

Read more about the vision of our partner Phished in our Q&A with their CEO.

Ready to put your company to the test?

Email us

What is phishing?

Phishing is a cyberattack used to steal user data such as login credentials, account information and credit card credentials. It mostly occurs when an attacker, masquerading as a trusted entity, lures a victim into opening an email, instant message, or text message. The victim is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or leading them to fraudulent websites to deceive them into giving away confidential and sensitive information. In other cases, targets are contacted by telephone or other communication channels, with the same intention.

Phishing is one of the oldest types of cyberattacks, going back to the 90s, and is still one of the most popular and successful techniques used. One of the reasons is that it is far easier to trick someone into clicking a malicious link in a phishing email than it is to break into a computer’s defense system. Phishing targets to exploit the inattentiveness and carelessness of individuals and is therefore widely considered as social engineering.

Phishers use social engineering and other public sources of information, such as social networks like LinkedIn, Facebook and Twitter, to gather background information about the victim’s personal and work history, interests and activities. These sources are usually used to uncover names, job titles and email addresses of potential victims, as well as other additional information. This information can then be used to craft a believable email or message.

Around the world, phishing attacks are evolving, increasing in number, and both the techniques and messages are becoming more sophisticated. Even the world’s largest corporations aren’t immune and experience more than 1000 phishing attacks a month. That’s why we train your employees to be aware of phishing and teach them about the possible consequences.

“When you are a victim of a phishing attack, a hacker can take over your system or account in less than 2 minutes on average.”

Types of phishing

The are multiple types of phishing. These are:

Credential harvesting: the attacker impersonates a trusted entity, a well-known brand or service such as Amazon or Bpost in order to steal your log-in data. This is a technique that is mostly used on a larger scale without much research on the person. It targets both personal and business e-mail addresses.
Extortion: victims of extortion are told that the attacker has sexually oriented photos or videos of them. In exchange for payment(s), mostly via (untraceable) cryptocurrency accounts, they claim not not to publish or send these to their friends and families.
Malware: malware is software designed to cause damage to a computer, server or client. It can be attached to an e-mail and will be installed when the victim clicks on it. When infected, the attacker can steal personal, financial or business information or disrupt business operations, which can be used for financial gains. Spyware, ransomware and viruses are the most common types of malware.
Spear phishing: spear phishing targets a specific person or enterprise. It’s a more in-depth technique of phishing where information specific to the victim is gathered to more successfully represent the message as being authentic. Spear phishing emails might include references to co-workers or executives at the victim’s company, as well as the use of the victim’s name, location or other personal information.
Whaling: whaling attacks is a type of spear phishing attack that specifically targets senior executives within a company, often trying to steal large sums of money. As with spear phishing, attackers research their victims in detail. A typical whaling attack targets an employee with the ability to authorize payments. The phishing message often appears to be a request from an executive to authorize a large payment to a third party, a supplier for example, when, in fact, the payment would be made to the attacker.

Put your employees to the test

Impact on your business

A business that falls victim of a phishing attack typically sustains severe financial losses, reputation damage, declining market share and the possibility of losing intellectual property. Depending on scope, a phishing attempt might escalate into a security incident from which a business will have a difficult time recovering.

Financial losses: According to an IBM report, the average cost of a data breach can go up to $3.92 million (€3,62 million).
Reputation damage: one of the corner stones of any businesses is trust. Headlines like ‘Company becomes victim of cyber-attack’ can take years to fade from the public’s memory, no matter how good a company’s PR might be. As long as they linger, they influence the opinion.
Loss of company value: security breaches not only affect consumer confidence, they have an impact on investor confidence too. For public companies there is a clear pattern: after a breach the company value always (and mostly immediately) decreases.
Loss of intellectual property: one of the most damaging consequences of a data breach might be the loss of intellectual property. A phishing attack can bring out trade secrets, research, customer data, recipes, … For companies in manufacturing, food, technology, or pharmaceuticals, a single stolen design or patent can lead to millions in wasted research investment.
Regulatory fines: the misuse or mishandling of data can lead to financial penalties. Under GDPR, the penalties can total €20 million or 4% of a company’s annual global turnover – whichever is higher.

Today, phishing remains one of the most popular and most used techniques used by hackers, targeting both small companies to huge enterprises. Phishing has become more sophisticated and the financial losses and reputation damage can be immense.

Test and train your employees and avoid financial losses

Email us

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-51190277-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	No description
li_gc	5 months 27 days	No description