And how can you protect your business...
It’s thought that last year, at least 80,000 people across England and Wales provided phishing fraudsters with money or personal information. Phishing attacks are becoming increasingly frequent, clever, and targeted, with devastating effects on both individuals and businesses.
Cyber criminals frequently pose as those we trust most, such as existing clients, banks, delivery services, medical professionals, and family members. Attackers use leaked information and current events to make their phishing more targeted, for example schemes offering low-income households relief from the increased cost of living, or using what should be confidential information to gain the trust of victims. Their methods of disguising their phone numbers and sending addresses are also becoming more sophisticated.
All of this can make it difficult for employees to tell the difference between genuine messages and emails and those of fraudsters. Assessing your risk as a company and putting training and technical preventive measures in place are vital steps to protecting your business’s data and bank account. But who is most at risk? And what strategies are most likely to be used against those in your industry? Read on to find out.
What is a Phishing Attack?
Phishing attacks are a type of online fraud where criminals attempt to obtain sensitive information such as login credentials, credit card numbers, and personal details by posing as a trustworthy entity.
This is usually done through fraudulent emails, WhatsApp or text messages (sometimes known as “smishing”), or websites that mimic legitimate ones, tricking the victim into providing their information. Phishing attacks often rely on social engineering tactics, such as urgency or fear, to make victims feel pressured to act quickly and not verify the authenticity of the request.
A phishing attack could look like a text message from your bank claiming that there has been unusual activity, a request from a supplier asking you to redirect your normal payment to a new account, or an email from a frequently used website asking you to log in through a new link for password security reasons.
Which Industries are Targeted the Most?
Since most scammers are in it for profit, it’s no real surprise that finance companies take the top spot as targets of phishing attacks. It’s thought that 96% of cyber attacks on insurance or finance businesses are financially motivated.
Logins for financial services systems are particularly valuable to hackers, as financial data can be used in a number of ways or sold on, so many targeted scams focus on these. Attackers may also hope to breach the company’s email or messaging system so they can use its trusted name to prompt clients to move funds to the scammer’s bank account.
Phishing attacks which trick employees into clicking links to download malware are also popular, and this malware may enable scammers to view users inputting passwords or even enable them to take control of the device.
An increased number of attacks on financial industries target mobile devices, seeking to install trojanised apps.
Unfortunately, there has been a real rise in the last two years of phishing attackers using legitimate Software as a Service (SaaS) platforms to avoid being screened as spam. This has been seen in website and form builders, writing and note-taking platforms, file sharing services and more.
As well as email, an increased number of phishing attacks take advantage of newer communication systems often used by these tech-savvy businesses. “SaaS to SaaS” attacks use fake invoices or PDFs hosted in the cloud at legitimate URLs to trick users into downloading malware alongside the documents.
Multi-stage cloud phishing is also being used to steal login information, set up rogue accounts, and carry out internal phishing against the initial victim’s colleagues.
Last year, an advanced phishing technique involving rogue QR codes, text messaging, AI chatbots, and social engineering techniques threatened some giants of the tech world including Dropbox and Uber.
Ecommerce and other merchant accounts are sadly also frequent targets of phishing. They’re an attractive prospect because these companies frequently process card payments. Some frequent attacks against this industry include:
- Fake messages from PayPal or other ecommerce payment platforms saying the merchant’s account has been suspended
- Phishing scams to gain access to web pages or email, which then direct clients to a fake checkout page
- Gaining client purchase information to use for making banking scams seem more legitimate
- Spear phishing to spread malware amongst colleagues
Which Organisations are Targeted the Most?
The percentages look a little different when we look at which large businesses are being targeted worldwide. Ecommerce and Banking still make the top three results, but delivery companies take the top spot in 2022 by a significant margin.
This may be due to the current popularity of scams involving text messages about missed deliveries or cancelled orders, prompting targets to enter their payment information or addresses. Deliveries became a lifeline for many during the height of the Covid pandemic, and online retail continues to be significantly more popular than it was prior to 2020, making it an attractive avenue for scammers.
For every industry and organisation, the concern with phishing isn’t only that sensitive data may be leaked or breached, but that trust in the organisation could be eroded by customers who fall victim to fake emails or web pages that are almost an exact copy of the real ones. This can lead to a loss of reputation or the loss of returning custom.
What Can Businesses do to Prevent Phishing?
Firstly, it is crucial to educate employees about the dangers of phishing attacks and how to spot them. This can be achieved through regular training sessions and by providing clear guidelines on how to handle suspicious emails or messages. In addition, businesses can implement robust email filtering systems that can automatically detect and block phishing emails before they reach employees' inboxes.
Another effective way for businesses to avoid phishing attacks is to implement multi-factor authentication (MFA) for all user accounts. MFA requires users to provide more than one form of identification to access their accounts, such as a password and a unique code sent to their mobile phone.
This extra layer of security makes it much more difficult for cybercriminals to gain access to sensitive information. Robust password policies, password protection software, deleting unused accounts quickly, and using device management software can also all make it more difficult for scammers to succeed in phishing attacks.
Additionally, businesses should regularly update their software and security systems to ensure they are protected against the latest threats. By taking these proactive measures, businesses can significantly reduce their risk of falling victim to a phishing attack.
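To make the “email filtering” measure above more concrete, here is an added example (not SpiderGroup’s code, nor any particular product’s logic) of the kind of header and content checks a filter runs before a message reaches an inbox: a Reply-To that points away from the sender’s domain, a display name borrowing a trusted brand, a lookalike sender domain, pressure language, and links whose visible text names one site while the href goes to another. The trusted domain list, the urgency phrases and both sample messages are constructed assumptions for illustration.

```python
"""Heuristic phishing indicator checks over constructed sample emails.

Added example, not SpiderGroup's code. Trusted domains, phrase list and the
sample messages below are constructed assumptions, not real mail.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical domains the organisation genuinely deals with (assumption).
TRUSTED_DOMAINS = {"examplebank.co.uk", "examplesupplier.com"}

# Pressure phrases typical of social-engineering lures.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended",
                   "verify your account", "unusual activity")

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Plain Levenshtein distance; fine for short domain strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(raw_message):
    """Return a list of red flags found in one RFC 822-style message."""
    msg = message_from_string(raw_message)
    flags = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain(sender)

    # 1. Reply-To steering replies to a domain other than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != sender_domain:
        flags.append(f"reply-to domain {_domain(reply_to)} differs from sender {sender_domain}")

    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # 2. Display name invokes a trusted brand but the address is not that brand.
        if brand in display_name.lower().replace(" ", "") and sender_domain != trusted:
            flags.append(f"display name claims {brand} but sender is {sender_domain}")
        # 3. Lookalike domain: within two edits of a domain we trust, but not it.
        if sender_domain != trusted and 0 < _edit_distance(sender_domain, trusted) <= 2:
            flags.append(f"sender domain {sender_domain} looks like {trusted}")

    body = msg.get_payload()
    if not isinstance(body, str):
        body = ""  # multipart messages are out of scope for this illustration
    lowered = (msg.get("Subject", "") + " " + body).lower()

    # 4. Pressure language in subject or body.
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        flags.append("urgency phrases: " + ", ".join(hits))

    # 5. Link text shows one domain while the href resolves to another.
    for href, text in LINK_RE.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", re.sub(r"<[^>]+>", "", text).lower())
        if shown and shown.group(0) != href_host and not href_host.endswith("." + shown.group(0)):
            flags.append(f"link text says {shown.group(0)} but goes to {href_host}")
    return flags


def is_suspicious(raw_message, threshold=2):
    """Quarantine rule: two or more independent indicators is enough to hold a message."""
    return len(phishing_indicators(raw_message)) >= threshold


# Constructed sample messages (not real mail).
PHISH_SAMPLE = """From: Example Bank Security <alerts@examp1ebank.co.uk>
Reply-To: recover@mail-verify-center.example
Subject: Unusual activity - verify your account within 24 hours
Content-Type: text/html

<p>We detected unusual activity. Your account will be suspended.</p>
<p><a href="http://login.examplebank-secure.example/verify">https://examplebank.co.uk/login</a></p>
"""

LEGIT_SAMPLE = """From: Example Bank <statements@examplebank.co.uk>
Subject: Your monthly statement is available
Content-Type: text/html

<p>Your statement for March is ready to view.</p>
<p><a href="https://online.examplebank.co.uk/statements">online.examplebank.co.uk</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, "->", "hold" if is_suspicious(sample) else "deliver")
        for flag in phishing_indicators(sample):
            print("   ", flag)
```

None of these checks is conclusive on its own (a legitimate mailing platform can set a different Reply-To, and a genuine notice can sound urgent), which is why the quarantine rule counts independent indicators rather than acting on one. Real filters add sender authentication (SPF, DKIM, DMARC) and reputation data on top of content heuristics like these.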
In conclusion, phishing attacks are becoming increasingly common and sophisticated, posing a significant threat to both businesses and individuals. Industries such as finance, SaaS, and ecommerce are particularly vulnerable to phishing scams.
If you’re concerned about cyber security in your business, the experts at SpiderGroup can help. Our tech specialists work across a range of industries, making recommendations and implementing secure technologies to help businesses become more cyber secure.