Creating awareness – Phishing

Phishing techniques are evolving – don’t get hooked

In today’s age of technology and data, it’s important for all companies to take extraordinary cybersecurity measures. Regardless of industry, size and geography, all companies are targets for cybercriminals. Hackers use various techniques but there is one that stands out the most: phishing. Phishing exploits human error, is the least demanding to undertake and is the most successful.

Phishing can have an extensive negative impact on your business. That is why all companies should be able to secure themselves against phishing by testing and training its employees.

Phished logo

Testing and training

Increasing your companies resilience against phishing attacks is not a one-time effort. People need to be tested and trained on a regular basis. A one time test or training will typically only increase the awareness amongst employees for 2 weeks. Phishing awareness must be a continuous process.

At the Security Factory, we are partnering with Phished is a solution that automates the entire phishing awareness process by implementing:

  • Automated phishing simulations: tailor-made and on an individual level
  • Academy: provides microlearning on cyber security topics
  • Activation: provide your employees with the opportunity to report phishing attempts and contribute to the safety of your organization
  • Reporting: in depth analysis of the weak spots

The entire solution is based on AI-driven technology which greatly reduces the manual effort that needs to be allocated.

Read more about the vision of our partner Phished in our Q&A with their CEO.

Ready to put your company to the test?

What is phishing?

Phishing is a cyberattack used to steal user data such as login credentials, account information and credit card credentials. It mostly occurs when an attacker, masquerading as a trusted entity, lures a victim into opening an email, instant message, or text message. The victim is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or leading them to fraudulent websites to deceive them into giving away confidential and sensitive information. In other cases, targets are contacted by telephone or other communication channels, with the same intention.

Phishing is one of the oldest types of cyberattacks, going back to the 90s, and is still one of the most popular and successful techniques used. One of the reasons is that it is far easier to trick someone into clicking a malicious link in a phishing email than it is to break into a computer’s defense system. Phishing targets to exploit the inattentiveness and carelessness of individuals and is therefore widely considered as social engineering.

Phishers use social engineering and other public sources of information, such as social networks like LinkedIn, Facebook and Twitter, to gather background information about the victim’s personal and work history, interests and activities. These sources are usually used to uncover names, job titles and email addresses of potential victims, as well as other additional information. This information can then be used to craft a believable email or message.

Around the world, phishing attacks are evolving, increasing in number, and both the techniques and messages are becoming more sophisticated. Even the world’s largest corporations aren’t immune and experience more than 1000 phishing attacks a month. That’s why we train your employees to be aware of phishing and teach them about the possible consequences.

“When you are a victim of a phishing attack, a hacker can take over your system or account in less than 2 minutes on average.”

Types of phishing 

The are multiple types of phishing. These are:

  • Credential harvesting: the attacker impersonates a trusted entity, a well-known brand or service such as Amazon or Bpost in order to steal your log-in data. This is a technique that is mostly used on a larger scale without much research on the person. It targets both personal and business e-mail addresses.
  • Extortion: victims of extortion are told that the attacker has sexually oriented photos or videos of them. In exchange for payment(s), mostly via (untraceable) cryptocurrency accounts, they claim not not to publish or send these to their friends and families.
  • Malware: malware is software designed to cause damage to a computer, server or client. It can be attached to an e-mail and will be installed when the victim clicks on it. When infected, the attacker can steal personal, financial or business information or disrupt business operations, which can be used for financial gains. Spyware, ransomware and viruses are the most common types of malware.
  • Spear phishing: spear phishing targets a specific person or enterprise. It’s a more in-depth technique of phishing where information specific to the victim is gathered to more successfully represent the message as being authentic. Spear phishing emails might include references to co-workers or executives at the victim’s company, as well as the use of the victim’s name, location or other personal information.
  • Whaling: whaling attacks is a type of spear phishing attack that specifically targets senior executives within a company, often trying to steal large sums of money. As with spear phishing, attackers research their victims in detail. A typical whaling attack targets an employee with the ability to authorize payments. The phishing message often appears to be a request from an executive to authorize a large payment to a third party, a supplier for example, when, in fact, the payment would be made to the attacker.


Impact on your business

A business that falls victim of a phishing attack typically sustains severe financial losses, reputation damage, declining market share and the possibility of losing intellectual property. Depending on scope, a phishing attempt might escalate into a security incident from which a business will have a difficult time recovering.

  • Financial losses: According to an IBM report, the average cost of a data breach can go up to $3.92 million (€3,62 million).
  • Reputation damage: one of the corner stones of any businesses is trust. Headlines like ‘Company becomes victim of cyber-attack’ can take years to fade from the public’s memory, no matter how good a company’s PR might be. As long as they linger, they influence the opinion.
  • Loss of company value: security breaches not only affect consumer confidence, they have an impact on investor confidence too. For public companies there is a clear pattern: after a breach the company value always (and mostly immediately) decreases.
  • Loss of intellectual property: one of the most damaging consequences of a data breach might be the loss of intellectual property. A phishing attack can bring out trade secrets, research, customer data, recipes, …  For companies in manufacturing, food, technology, or pharmaceuticals, a single stolen design or patent can lead to millions in wasted research investment.
  • Regulatory fines: the misuse or mishandling of data can lead to financial penalties. Under GDPR, the penalties can total €20 million or 4% of a company’s annual global turnover – whichever is higher.

Today, phishing remains one of the most popular and most used techniques used by hackers, targeting both small companies to huge enterprises. Phishing has become more sophisticated and the financial losses and reputation damage can be immense.

Test and train your employees and avoid financial losses