12 Cyber Threats of Christmas – Phishing

In our 12 threats of Christmas feature, we want to look at cyber threats and issues that can impact organisations. 

Some may be known to you, whilst others may seem a little more out of the box.

On the first day of Christmas, our cyber threat is:

Phishing

Phishing remains the most used tactic by cyber criminals to con people into divulging their personal information, including bank details, which they can then use for fraudulent purposes.

Research conducted by Bondgate IT revealed that 68% of the public had been inundated with phishing emails from March to August 2019.

Criminals have become masters of impersonation and have shifted from the ‘Crown Prince needing help’ emails, to targeting organisations pretending to be suppliers, members of the senior management team and even the IT department.

Work-related emails are now the ones most likely to convince people to part with their details, and cyber criminals know this and have adapted their techniques accordingly.

In the ‘Q3 2019 Top-Clicked Phishing Tests Report’, researchers at KnowBe4 describe sending out thousands of simulated phishing emails with various subject lines and recording which ones people clicked on.

The results found that simulated phishing test emails with the subject “Password Check Required Immediately” were the most clicked on, with 43% of users falling for this security-based ruse.

The next most clicked on subject titles, which each lured in 9% of users, were “A Delivery Attempt was made” and “Deactivation of [[email]] in Process.”

A further tactic that proved successful was using the universal lure of food. Researchers found that 8% of users opened a simulated phishing email with the subject line “New food trucks coming to [[company_name]].”

Phishing is still the main tactic deployed by cyber criminals and is one that pays extremely well. With cyber crime costing the UK £27 billion a year, it’s no surprise that phishing is responsible for the lion’s share.


The different types of phishing

Phishing can take many forms, as cyber criminals know a one-size-fits-all approach won’t work.

The different types of phishing emails are:

  • Phishing – this is the most obvious form of phishing email and usually asks for money or offers the prospect of romance. They’re what people refer to as ‘The Crown Prince’ emails. They usually contain spelling mistakes and grammatical errors
  • Spear phishing – uses personalised information to convince people these emails are from genuine senders. They may start the email with your name, so it looks like it’s from the genuine company
  • Whaling (CEO fraud) – this targets executives and senior leaders in organisations, usually asking for funds to be transferred quickly, supposedly to settle a late-paid invoice. This type of fraud is said to have had a total worldwide cost of £21bn since 2016

What should you do if you get a phishing email?

If you get a phishing email, it’s vital that you do the following:

  • Ignore it
  • Report it to your IT department
  • Delete the email

Implementing a mixture of technical and cultural competencies is a sure-fire way of keeping fraudsters out. Having protocols such as DMARC combined with staff training will help your business become a cyber fortress.
