Learn how to use workarounds that combat phishing attacks.

January 23, 2019

Phishing Attacks Not Going Away Soon

By Marc Mendez


As much as we wish for a cease and desist order, phishing attacks aren’t disappearing anytime soon. In fact, several experts are predicting that, not only are phishing attacks going to continue this year, but threat actors are likely to increase the number of phishing attempts because it’s such a simple form of attack that yields high results.

One of the reasons they’re so profitable is, unfortunately, us. Human nature. Threaten to freeze our accounts and we stop thinking rationally. Offer a bit of flattery and we’re likely to not perceive a threat. Threaten jail time, we panic. These are quite legitimate human vulnerabilities that threat actors prey upon to get us to abandon better judgment and click what they want us to click.

Is your organization prepared for such an attack? We’ll talk about the three most common types of phishing attacks that might hit your organization, three ways to make cybersecurity top of mind for your employees, and a tool that helps to prevent these kinds of attacks from crippling your business.

The 3 Most Common Types of Phishing Attacks You’re Likely to See

Wombat Security’s State of the Phish Report says that 76 percent of businesses were victims of a phishing attack in 2018. This statistic shows that phishing attacks remain viable and profitable, making it highly unlikely they will disappear.

So, let’s look at the 3 most common types of phishing attacks that you’re likely to come across:

1. Deceptive phishing attacks. Have you ever received an email from a bank that claims your account has been frozen and will remain inaccessible to you unless you click on the link provided and enter your account information? This type of email is a perfect example of a deceptive phishing attack. It’s the most common type of phishing attack out there, and it occurs when the threat actor impersonates a legitimate company in an attempt to steal your personal information or your login credentials.

2. Spear phishing attacks. Customizing their emails with your name, company, position or other personal information, spear phishers lull you into thinking that you’ve had previous contact with them to lure you into clicking on a malicious link or email attachment. These emails will often appear to be part of your normal, day-to-day activities, and ask you to perform actions that don’t appear to be out of the ordinary. For instance, the threat actor might masquerade as your HR department and ask you to verify your benefits policy information. Seems innocuous enough, right? But as soon as you click that link, they have access to your personal data.

3. Malware-based phishing attacks. You work in accounts receivable. Someone, presumably one of your vendors, sends you an email asking you to download an invoice. As soon as you click that file, you’ve become a victim of malware-based phishing; malicious software embedded in that file exploits the security vulnerabilities of your machine when it is triggered. Malware is intentionally designed to do several things:

  • To corrupt your machines to disrupt your operations.

  • To steal specific information from your organization, whether that’s personal, financial or proprietary business information.

  • To spy on your network (spyware).

  • To lock you out of your computer system and force you to pay a ransom to get it back (ransomware).

  • To take control of your computers for illicit purposes (which could also lead to blackmail or extortion).

End-Users Are First Line of Defense – Train Them!

A good way to protect your organization from phishing attacks such as the ones listed above is training your employees to recognize when an attack is taking place. In fact, your end-users are your first line of defense against cybercriminals. Check out these three steps to follow to make security top-of-mind in your organization.

1. Document it.

Does your organization have a cybersecurity policies and procedures document in place? Regardless of the size of your organization, you need to have a detailed plan in case of a cybersecurity attack. It’s especially important to document action items, in case your end-users do encounter any compromises, either perceived or real.

2. Education, education, education.

It’s quite rare to see Hollywood’s version of breaching a company’s network: some person in a dark basement, staring intently at a screen, typing furiously on their glowing keyboard, intent on breaching a company’s firewall to steal secrets. Most of the time, it’s far easier for that threat actor to send a simple phishing email to your employees and wait for them to click on the malicious link instead. So, educating your employees is, quite literally, your first line of defense.

3. Accidents happen, so have a backup plan.

As mentioned before, accidents do happen. These threat actors are getting quite crafty in their messaging. So, it’s inevitable that, regardless of how much education you give your end-users, or what documents are in place, your end-users still might fall victim to a phishing attack. When this happens, it’s important to make sure that you’ve got the proper tools in place to mitigate any potential threats.

Useful Tool to Protect from Phishing Attacks

Protecting your organization from phishing attacks doesn’t need to be complicated. In fact, there are several tools to help successfully detect and prevent phishing attacks. One such tool is Microsoft Office 365 Advanced Threat Protection (ATP), which uses multiple components to protect your inbox from various phishing attacks.

Office 365 ATP and other similar products can offer real-time protection for not only your mailboxes, but also any online storage, files or other applications you might be using. Plus, you can also gain valuable insights into who in your organization is being targeted, what kinds of attacks you’re facing, and who in your organization has actually clicked on malicious links or attachments. This can provide insight into which of your employees might need a little extra training.

Whether we like it or not, phishing attacks are here to stay. Protect your organization by investing in technology that can help you stay secure and train your employees on how to recognize threats. By following these two pieces of advice, you’re far less likely to become just another statistic.

Marc Mendez, a solutions architect at ProServeIT Corp., has a passion for cybersecurity. He is a Certified Information Security Systems Professional and is working on a certification in Digital Forensics. ProServeIT strives to help customers adopt cutting-edge technology that will help them manage their advanced cybersecurity risks and secure their identities, data and devices. ProServeIT can provide customized cybersecurity solutions that help you expect the best as you prepare for the worst. Follow @ProServeIT on Twitter and Marc on LinkedIn. Contact ProServeIT’s cybersecurity experts here.
