Phishing attacks are the most prevalent form of security breach haunting the Internet. Businesses of all sizes are subject to phishing, as these attacks are often customized – specifically with the intent to trick employees into taking immediate action.
Phishing attacks allow cyber-criminals to steal and monetize personally identifiable information. The attacks come in a variety of customizable forms, across a range of channels.
Explaining Phishing Attacks to a Non-Technical Client
Phishing is a cyber-attack used to steal sensitive information from individuals and businesses.
These attacks occur when an individual receives an email or a link to a website from a “trusted organization”. The email or website may seem so normal that the individual clicks a link, opens an attachment or takes a digital action and… renders their computer a vehicle for identity theft.
For example, a recipient receives an email seemingly from their bank requesting the verification of critical personal information. The email directs the recipient to an online form that mimics the bank’s website. That form captures the recipient’s banking information. Or, the link in the email may contain malicious code that compromises the recipient’s computer.
Not only can phishing attacks steal personal information and infect a recipient’s computer, they can hijack address books. Once one computer has been compromised, the attackers can use the address book to send emails. Those emails will look like they’ve been sent by a familiar, trusted source.
What Do the Attackers Gain?
While ransomware attacks lock down data, phishing attacks cause more wide-ranging damage. Phishing attacks provide the attacker with access to confidential personal or business data. When this information is inadvertently revealed, it can then be used for identity theft and other fraudulent activity.
That’s why phishing isn’t immediately as profitable as ransomware. These attacks are about the long-term effect. A collection of social security numbers, banking credentials, and other passwords can be sold for a handsome price to the highest bidder.
Examples of High-Profile Phishing Attacks
Target, the popular US-based retailer, experienced a phishing attack that exposed credit card and personal data on more than 110 million consumer accounts. The attack started when a third-party partner vendor experienced a malware attack. This attack stole network access credentials that gave attackers access to electronic billing, contract submission and project management tools. A little over two months later, the attackers found a way into Target’s point-of-sale systems. Access to thousands of Target cash registers allowed attackers to steal millions of credit card numbers and email addresses.
In 2018, attackers gained access to Home Depot’s computer network and point-of-sale systems. By altering admin rights on the corporate network, the attackers identified 7500 self-checkout terminals and collected user data (including email addresses, home addresses and credit card information) for five months. The company admitted the payment terminals were named for easy identification by network administrators, a key reason attackers could identify the payment terminals so easily. Evidently, the retailer was not running breach detection software prior to the attack.
4 Common Phishing Tactics
Educating your clients on the most common forms of phishing attack goes a long way toward preventing the attacks from taking a toll on the business.
Four common phishing tactics prevail in 2019.
- The attacker fakes the ‘from’ address in an email. The email looks like it is from a reputable and trusted source. The email requests sensitive information, which, if given up, compromises the user’s data.
- The attacker sends an email with a link that redirects the recipient to an insecure website. That website then requests sensitive information.
- The attacker sends an email containing a malicious attachment. Once opened, the attachment will allow the attacker to take control of a computer or network, and obtain sensitive information.
- The attacker obtains confidential company information over the phone by impersonating a known company vendor or IT department.
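The first two tactics above (a faked ‘from’ address and a link that does not go where it appears to) leave traces in the message itself. The following is an added example, not HostedBizz code, of a defender-side heuristic that flags those traces; the message, the domains and the `Authentication-Results` verdicts are all constructed for illustration.

```python
"""Heuristic phishing-message check (constructed example, not HostedBizz code).

Flags a From domain that differs from the envelope sender, a failed SPF/DKIM
verdict, and a link whose visible URL text points somewhere else.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the From header claims the bank, but the envelope
# sender, the SPF result and the real link target all say otherwise.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Example Bank Security" <alerts@examplebank.com>
To: employee@example.org
Subject: Verify your account now
Content-Type: text/html

<p>Please <a href="http://examplebank.com.verify-login.example.net/form">https://www.examplebank.com/verify</a> now.</p>
"""

def domain_of(addr):
    """Return the lower-cased domain of an address header value, or ''."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()

def check_message(raw):
    """Return a list of human-readable warnings for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    warnings = []
    from_dom, path_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if path_dom and from_dom != path_dom:
        warnings.append(f"From domain {from_dom} differs from envelope sender {path_dom}")
    auth = (msg["Authentication-Results"] or "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        warnings.append("sender authentication (SPF/DKIM) failed")
    # Compare each link's displayed URL (only when a full URL is shown) with its real host.
    body = msg.get_payload()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        shown = urlparse(text.strip()).hostname if "://" in text else None
        real = urlparse(href).hostname or ""
        if shown and not (real == shown or real.endswith("." + shown)):
            warnings.append(f"link text shows {shown} but points to {real}")
    return warnings

if __name__ == "__main__":
    for line in check_message(SAMPLE_EMAIL):
        print("WARNING:", line)
```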
Preparing for Business Continuity After Phishing Attacks
In 2018, the Federal Bureau of Investigation reported email-based data compromise cost global businesses $12.0 billion.
Should your client experience a security breach as a result of a phishing attack, you’ll need to take tactical steps to lock down data ASAP. These steps will include notifying service providers, changing passwords and making immediate systems updates.
These immediate systems updates may include:
- Scanning for viruses and malware across the network
- Updating security software, including anti-virus and malware detection
- Retrieving data from back-up copies to ensure the corporate network is operating at an optimal rate
- Implementing a two-factor authentication approach to network security. If the client’s network is compromised, the attacker will need a second security key to access an account from an unknown device or location.
HostedBizz offers a range of marketing tools that can help MSPs explain the dangers of phishing attacks to business productivity.