Real World Phishing Attacks

If you’ve been thinking that phishing attacks only happen to someone else and that the employees of your company are relatively immune from such attacks, you might want to reconsider, because phishing attacks can and do happen in the real world to companies of all sizes, and in all industries.

In fact, criminals who carry out these phishing attacks have begun focusing more on small to medium-size businesses recently, simply because there are so many more of them, and because employees at small businesses may be more vulnerable to exploitation. Large corporations tend to have programs in place which indoctrinate their employees about the dangers of phishing and other social engineering attacks, and that training helps to minimize the number of successful phishing attempts.

Small businesses, on the other hand, tend to have the attitude that they are flying under the radar and that they are not suitable targets for cybercriminals. It’s this kind of indifference and unpreparedness which makes many small businesses ideal targets for phishing attempts.

What Exactly is Phishing?

Phishing is a form of social engineering in which emails are used most commonly to obtain personal information from employees, by some individual who is posing as a manager or other person known to the company and is considered to be a trustworthy source. By impersonating a known company employee or manager, or some other company which does business with your own company, some level of trust is established as a basis for extracting information.

The object of a phishing attack is to dupe the email recipient into taking some kind of action as directed by the attacker, for instance providing login information or passwords, and sometimes even sensitive information about the company. Once the desired information is obtained, it is then used by the attacker to carry out some other malicious attack on the company which results in a monetary gain.

A Typical Real-World Phishing Attack

In a typical real-world phishing attack, a cyber-criminal might send an email to a company employee which directs that employee to pay an invoice amount to a company which has recently done business with the original company. It looks completely legitimate because an invoice would be attached, and the invoice would include details of products or services that your company would legitimately deal in.

The email is also signed by a manager or other employee who actually does work for your company, and who might typically be expected to send such emails requesting payment of certain invoices. An unsuspecting employee would, of course, be drawn in by the legitimacy of having a real-world supervisor request this invoice payment, and would then open up the invoice attachment to begin the process of arranging a payment.

In the meantime, the act of opening up the attachment could very well trigger the release of some virus which infects the employee’s computer, and by virtue of that computer’s connection to the network, the virus then is released into a much wider area, where more important information can be obtained. Of course, it would be an added bonus if the employee actually does send out the payment requested to the bogus company listed on the invoice, and that check would then be cashed by the cyber attacker who organized the phishing attempt in the first place.

How to Avoid Phishing Attacks

As you can see from the above, there are some real-world dangers associated with phishing attacks, and the harm they cause can be more far-reaching than an embarrassment to a single employee. The fact that an entire company can be affected if a virus does get installed and becomes enabled, should be all the justification you need for implementing procedures to guard against phishing attacks to whatever extent is possible.

Here are some of the best ways to protect yourself and your company against phishing attacks by cybercriminals:

• don’t use departmental emails – it’s never a good idea to use departmental emails such as Payroll Dept, Human Resources, or Accounting Department. Using these email IDs allows the cyber-attacker or to know that the emails are being sent to the right person and that it’s much more likely the phishing attack will be successful.
• change payment language regularly – when requests for payment are issued between company personnel, the language used should be slightly altered periodically, with important keywords being subtracted out or added in. Department personnel can then be instructed to never carry out any fund transfers unless the expected keyword is contained within an email message. Since successful phishing attacks are all designed to catch an employee off guard, this kind of focus on keywords within the text will derail any phishing attempt.
• use anti-phishing software – there are a number of good anti-phishing tools available which you should consider implementing at your company. The way some of these tools work is that you can send fake phishing attempts to employees all around the company, so as to identify who is most vulnerable to falling prey to phishing attacks. This can let you know the scope of the problem you may have and can alert you to the necessity for conducting widespread training so that your employees are less susceptible to phishing attacks.

The Truth About Phishing

The unpleasant truths about phishing attacks are that they are successful far more often than they should be, and the reason for that is that the human element in any company is usually the weakest element. Businesses need to adapt to these real-world situations, and train employees to spot such phishing attacks, and to alert the appropriate personnel when one is identified. When company employees become aware of the possibility of phishing attacks, they are far less likely to be caught off guard and then become victims of those phishing attacks.