What is phishing?
Phishing is a type of cyberattack that uses fraudulent emails, text messages (smishing), phone calls (vishing) or websites to trick people into sharing sensitive data, downloading malware or otherwise exposing themselves to cybercrime. Phishing attacks are a form of social engineering. Attacks range from very simple attempts to elaborate, well-researched and sophisticated targeted attempts.
Did you know that over 80% of cyberattacks target employees, as cybercriminals know they are the weakest link in any organisation's defences?
To effectively train all employees to recognize phishing emails, SMEs can adopt the following strategies:
- Regular Training Sessions: Conduct frequent workshops that cover phishing tactics, using real examples to illustrate risks and responses. In an email phishing scam, the attacker sends an email that looks legitimate, designed to trick the recipient into entering information in a reply or on a site that the attacker can then use to steal or sell their data.
Sony: a real-life example of email phishing
Hackers used LinkedIn to gather contact information for employees at Sony and targeted them with an email phishing campaign. Once inside the network, they deployed sophisticated malware. They got away with over 100 terabytes of data, and the cost to Sony was in the region of $170 Million.
If it can happen to Sony, it can happen to you!
- Simulated Positive Phishing Exercises: Implement ongoing simulated positive phishing tests to provide hands-on experience, helping employees identify suspicious emails in a controlled environment. Resilience in the face of cyber threats is key. Companies that implement positive phishing foster a culture where staff are equipped to handle phishing attacks not just because they’ve been tested but because they’ve been taught. By regularly running these simulations in a non-punitive way, staff can build confidence in their abilities to recognise and respond to phishing attempts over time.
- Interactive Learning: Use gamified training methods to engage employees actively, making the learning process enjoyable and memorable. (look for our future blog on Gamified Cyber Security)
- Clear Reporting Procedures: Establish straightforward protocols for reporting suspected phishing attempts, encouraging a culture of vigilance without fear of punishment. Positive phishing is about more than just sending out simulated phishing emails; it’s about creating a culture of security awareness and collaboration within the organisation. When staff feel supported and educated rather than penalised, they are more likely to engage actively in cybersecurity efforts, making the organisation safer for everyone.
- Management Reports: Produce management reports on the training to identify gaps in knowledge and to satisfy the requirements of stakeholders, regulators and insurance companies.
Statistics show that cybersecurity awareness training, when properly implemented, can reduce the risk of a successful cyberattack by 70%. However, many awareness programs fail if they are not properly and effectively managed.
The most common phishing tactics used against SMEs include:
- Email Phishing: Fraudulent emails that mimic reputable sources, urging recipients to click on malicious links or download harmful attachments.
- Spear Phishing: Targeted attacks that use personal information to deceive specific individuals within an organization, often appearing as trusted contacts.
- Smishing: Phishing via SMS and text messaging platforms such as WhatsApp, tricking recipients into revealing sensitive information or clicking on malicious links.
- Vishing: Voice phishing, where attackers impersonate trusted entities over the phone to extract confidential information.
- Pharming: Redirecting users from legitimate websites to fraudulent ones through DNS manipulation or malware.
We will cover some of these in detail in future blogs.
Archway Securities can provide fully managed, bespoke training and testing for your staff to ensure there is a culture of awareness of phishing and social engineering attempts.
Contact us today for a short consultation on our awareness and testing program.