Depending upon whose surveys you consult, you’ll find that 83% of cybersecurity attacks involve phishing and ransomware. The stats don’t stop there:

- Two-thirds of companies have experienced a phishing attack.
- 97% of users tested could not identify a sophisticated phishing email, but only 3% actually report one when they do detect it.
- 56% of decision-makers believe phishing attacks are their top security threat.
- A single phishing attack costs $1.6 million on average.

What is Social Engineering?

The lexicon of cybersecurity includes terms like Distributed Denial of Service (DDoS), data injection, spoofing, masking, firewall, malware, encryption, and many others. All of these are involved in digital attacks. But phishing is not a digital attack. This category of attack is called “social engineering,” and it simply means finding ways to convince users to click on a link, open an attachment, or take some other action that allows the bad actor to enter their network and make mayhem.

The attack begins with the arrival of a phishing email in the user’s inbox. When opened, it usually looks like it came from a familiar brand: perhaps the user’s bank, a retail company, or a known associate. The logos, typography, color palette and more all look genuine, but they’re not. Look more carefully at the sender’s email address, though, and you might catch Co1umbia or even C01umbia instead of Columbia.com. Character substitutions, misspellings, and other tricks are used to render a domain name that looks authentic.

The email usually offers a great reward if you click on a link and follow instructions, or open an attachment and respond to it. Often there are no instructions or forms to fill out. Instead, clicking the link or opening the attachment triggers an invasion by the actual sender, who steals, encrypts, or otherwise corrupts your data. Soon another email arrives inviting you to get your data back by paying a ransom.
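The sender-address check described above can also be automated at the mail gateway. The following is an added example, not code from the original article: it flags sender domains that match a trusted domain only after digit-for-letter substitutions are undone, or that are a near-miss spelling. The trusted list, the substitution map, the similarity threshold, and the sample headers are all assumptions constructed for illustration.

```python
import difflib
from email.utils import parseaddr

# Assumption: the organisation maintains its own list of domains it trusts.
TRUSTED_DOMAINS = {"columbia.com"}

# Constructed map of digits commonly swapped in for look-alike letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain part of a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")


def classify_sender(from_header: str, threshold: float = 0.85) -> str:
    """Return 'trusted', 'lookalike:<domain>' or 'unknown' for a From: header."""
    domain = sender_domain(from_header)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    skeleton = domain.translate(CONFUSABLES)
    for trusted in sorted(TRUSTED_DOMAINS):
        # Character substitution: identical once digits are mapped back to letters.
        if skeleton == trusted:
            return f"lookalike:{trusted}"
        # Misspelling: nearly identical to a trusted domain, but not equal to it.
        if difflib.SequenceMatcher(None, skeleton, trusted).ratio() >= threshold:
            return f"lookalike:{trusted}"
    return "unknown"


# Constructed sample headers (not taken from real mail).
SAMPLE_HEADERS = [
    "Columbia Rewards <offers@Columbia.com>",
    "Columbia Rewards <offers@Co1umbia.com>",
    "Columbia Rewards <offers@C01umbia.com>",
    "Columbia Rewards <offers@columbai.com>",
    "Alice <alice@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):24} {header}")
```

A "lookalike" result is a signal to quarantine or banner the message for review, not proof of fraud; the digit map here does not cover Unicode homoglyphs.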
Recently, the ransom requests have actually been lowered to increase the likelihood of getting the victim to pay.

Is That What Makes the User Such a Threat?

Exactly. The attacker is depending upon the user to be deceived. This really cannot be considered the “fault” of the end-user. They don’t purposely do anything wrong. The good news is that anyone can learn to spot suspicious threats. All users must be trained and constantly reminded to carefully inspect incoming emails to detect possible phishing frauds. The attackers are constantly becoming more sophisticated, so this training must constantly be updated.

Learn to Spot Threats to Stop Attacks

Preventative actions can stop the majority of attacks happening in the threat landscape today. Training in the identification of phishing messages has proven to be very effective in dramatically reducing ransomware activity. More and more users are becoming attuned to spotting suspicious emails almost immediately and taking proper action.

Get your team the knowledge they need to spot and stop attacks. Check out our half-day CyberSAFE class!