Smishing, a relatively new form of cyberattack, is threatening millions of small businesses and consumers worldwide. Smishing is a phishing attack that uses text messages instead of emails to entice the recipients to click on phony links. The links draw them to websites which either download malware or exchange personal information.
Some Eye-Opening Statistics
A security software firm reported that only 23% of users above 55 years could define Smishing correctly. In comparison, only 34% of people between 23-38 years of age demonstrated awareness of the term.
Upon the onset of the COVID-19 pandemic, authorities started using SMS to communicate about contact tracing, lockdowns, and vaccine options. It created a fertile ground for threat actors to launch smishing attacks. The next caller said that 44% of Americans reported increased scam text messages and phone calls during the first two weeks of the lockdown period.
In 2020, the Bank of Ireland paid out €800,000 (About $935,000) to 300+ bank customers whose information got compromised in a smishing scam.
The FBI’s cybercrime complaint division, the IC3 (Internet Crime Complaint Center), documented a steady growth of cyber scams globally in 2020. It reportedover 240,000 victims of phishing, Smishing, vishing (phishing over the phone), and pharming attacks, costing over $54 million in losses.
The Internationalized Domain Name (IDN) consists of a combined Unicode character set with similar Latin and Cyrillic alphabets, making the domain look identical to the Daily ASCII domain. Unicode domain names could be problematic from a security point of view, as many Unicode characters are hard to distinguish from regular ASCII characters. Phishing attacks with Internationalized Domain Names (IDNs) using Unicode characters and non-Latin character sets such as Cyrillic and Greek look like typical Latin characters.
Phishing is one of the oldest forms of social engineering, which malicious actors use to extract critical information from users. And online payments have their share of phishing threats to handle. While many businesses move to the virtual world to reach more customers and make transactions smoother, malicious actors find a massive opportunity in it to exploit associated data. As organizations use more sophisticated anti-phishing solutions, threat actors also develop bolder methods to take advantage of the payment systems.
With advancements in technology, crimes like cyber theft, phishing, and scamming have increased over the years. American citizens lost over US$50 million due to phishing attacks in 2020, and for businesses, the figure is in billions.
Spear-phishing is one of the most perilous cyber-attacks methods that many organizations face in today’s world. Although phishing awareness at large has increased, spear-phishing victims often don’t realize that they have been targeted till they notice some unusual activity in their bank accounts or anywhere else. Spear phishing is not a stagnant form of a cyber-attack; it keeps evolving from time to time. Hence, it is inevitable that one is aware of the latest trends of spear phishing and how to manage the menace.
According to a recent report, 85% of all organizations have been targets of phishing attacks. Like other phishing attacks, adversaries also use mobile phishing to trick users into sharing personal or critical organizational information. It is gradually becoming the most preferred mode of phishing by threat actors as there has been a significant increase in the use of mobile devices over the years.
Social engineering is the technique of employing psychological methods and communication skills, generally by competitors and adversaries, to gather information about their competition or potential targets. However, with the advent of technology, sophistication has increased too. Modern-day phishing exercises are elaborate and require a concerted effort by security teams to create a firewall against them. Falling into phishing traps often leads the organization to catastrophic consequences. These activities are generally directed towards disrupting the network by planting malware or stealing information for future misuse.
Domain squatting, also known as cybersquatting, can be understood as an intentional act of registering a domain in the name of an already existing organization that has a registered trademark but does not have a website in its name. The primary objective of doing so is to park the domain name of a reputable business with no website. When the business entity wants to use the domain name for its website in the future, the cybersquatters make a profit by selling the domain name to the organization. Some phishers also use similar-looking domain names to send phishing emails for fraudulently obtaining sensitive information about the user or organization. Therefore, it is helpful to learn how domain squatting and phishing works, their different types, and protective measures.
In this tech-advanced world where all information and communication has undergone a paradigm online shift, phishing remains the most common threat from adversaries to breach and exploit the digital assets of people and organizations. Over the last two years, with a global pandemic, the frequency of phishing incidents has increased significantly. Organizations with sophisticated cybersecurity protocols still face this challenge as it is not only a technical problem but one that also calls for human awareness. According to a report, industries have witnessed a 6000% increase in pandemic-related phishing attacks in March last year.
Cybercrime is directly proportional to improving technology; technology is advancing by leaps and bounds, and so do the malicious tactics employed by threat actors. They are forever on the lookout for vulnerabilities to exploit and access network systems. While present-day cybersecurity strategies such as anti-ransomware solutions and anti-phishing solutions use AI to fight cybercrime, cyber adversaries use the same technology to turn the tables. Hence, it wouldn’t be wrong to say that AI is functioning like a double-edged sword. And here is how AI can be a boon and a bane simultaneously when it comes to phishing.
The recent pandemic-induced rush of small to medium businesses and large enterprises to get on the cloud has encouraged malicious actors to develop more creative phishing emails and other modes of cyberattacks to lure people into parting with sensitive data. Besides, the work-from-home scenario has pushed people to less secure environments. Cyber adversaries have also taken advantage of the relaxed mindset employees fall into when they are away from the secure network of the workplace.
Some of the world’s most audacious cyberattack attempts or incidents have happened due to the presence of backdoors. Though backdoors are of particular help for developers who create them for troubleshooting, they can be destructive when in the hands of cyber-attackers. Only up-to-date and robust cybersecurity practices can counter backdoor exercises. Most development teams create a customized backdoor that helps them maintain the software well.
Phishing has been one of the favorite modes of cyber-attacks employed by malicious actors for years now. COVID-19 has given them a fresh lease of life by providing these threat actors to ramp up their phishing efforts to an entirely new level. Here are some chilling statistics that drive home the point.
With technology improving by the hour, cybercrime is also steadily on the rise. Every other day, one hears about crimes like phishing, ransomware attacks, BEC (Business Email Compromise), and others affecting businesses globally. Unfortunately, despite organizations employing the latest anti-phishing and anti-ransomware solutions, these crimes are on the increase.
In a cyber-attack that will be remembered as one of the most significant phishing email attacks in decades to come, a Russian hacking group attackedmore than 3,000 email accounts belonging to individuals from more than 150 organizations across 24 countries. Nobelium, also known as APT29 to the cybersecurity community, has targeted government agencies, research institutions, consultants, think tanks, and non-governmental organizations this time.
Due to the ongoing pandemic, multitudes of people have been obligated to work remotely, making phishing attacks commonplace in the digital world. It has widened the doors to vulnerability as people move away from the more secure networks of their workplace. Businesses’ networks have not been entirely secure either, with reports showing that phishing attacks account for more than 80% of reported security incidents. According to Verizon, 94% of all malware was delivered via email as of 2019. At this juncture, what do organizations do to stay protected, and how to stop phishing emails?
Combating cyberattacks happen to be a top priority for global organizations. In 2020, phishing was among the most extensively deployed attack modes by malicious actors, as per FBI reports. Besides, phishing attacks are on the rise as attackers use various social engineering techniques. In 2019, around 114,702 phishing attacks were recorded, which jumped to 241,324 in 2020. The digital landscape brings several threats against which one needs to take serious guard. As a business or marketing head, one needs to know the value of anti-phishing tools. Most successful enterprises try to draw their line of defense against phishing attacks by collaborating with accomplished IT security teams and create the proper awareness among their employees.
With the pandemic raging across the world, many business networks and organizations have switched over to working from home to let themselves be operational and safe simultaneously. This paradigm shift requires over-reliance on cloud-based services like Google’s GSuite. Though it has its advantages, it also has its drawbacks in the form of increased phishing attacks.
Phishing is not something new to Google-based services. The threat has existed for years, but the pandemic has encouraged malicious actors to increase their attacks more than ever. Hence, Google Docs, Firebase, Google Forms, and other Google services increasingly become vulnerable targets.
If you oversee the information security services and administration of the networks in your organization, then it is your responsibility to safeguard the users in your system from phishing and other attacks that can disrupt the services. There is no need for complacency in the digital age, and you can never feel 100% protected as hackers keep inventing new techniques and innovative ways to exploit vulnerabilities of user’s information systems. So if you plan to combat one threat and are successful in protecting yourself, they will find another way to invade your security periphery. Hence, phishing protection is an ongoing job as you always need to keep an eye on your defense strategies and be on a lookout for any system vulnerabilities- human or technical.
Best Practices for Phishing Protection by Organizations
Always Stay Away from Suspicious Emails, Links and Attachments
Almost 80-90% of attacks from cybercriminals start from a phishing email. Yes, if you are not sure about the sender of an email or if you are suspicious of an email, it is always good to not open that email or better still, delete the email. Attackers know precisely how to lure you into opening an infected email by using an attractive email subject.
Most of these emails say that you have won some prize or you have a discount coupon waiting for some ‘X’ amount of dollars etc. If you get hooked to the subject and by any chance, open the email and click the links in the email, you are inviting yourself to an imminent phishing attack. Sometimes you never know that your computer is infected and it may even start acting as a bot to carry out espionage or cyber warfare activities hidden beneath the surface.
Use a Trusted Antivirus
The importance of an efficient Anti-virus cannot be under-estimated when it comes to protecting your company from cyber espionage. The anti-virus must be a trusted one like Kaspersky, MacAfee, etc. and should have e-mail scanning feature. Also, don’t go for free ones. A small investment in a good anti-virus will go a long way in protecting you from phishing attacks.
Employ SPF protection
SPF (Senders Policy Framework) is an email authentication methodology that helps in detecting forged email addresses and block spoofed emails. Through the implementations of SPF policies, enterprises can ensure that phishing is contained to some extent.
Every email is filtered and only if it received from an authorized list of domain names, is it allowed into the system. An SPF system is employed in two parts:
SPF Checking: Allows the organizations to determine the legitimacy of an e-mail.
SPF Publishing: Assists in determining the optimum e-mail server for sending enterprise e-mails.
Report Suspicious Activities
Whenever you spot a suspicious email or an attachment, it is vital to report it to the concerned authorities so that immediate action is taken. The quicker you inform, the quicker will be the preventive measure taken to contain the attack and prevent those emails from infecting your organization’s computers.
Frequent Update of Company Security Policies
It is imperative to have all your policies and procedures related to the security and protection of confidential data, maintained properly in your organization. Ensure you follow stringent backup policies so that you can quickly recover any data lost due to a phishing attack. It is also essential to follow dual-control techniques when it comes to protecting critical data assets of your organization.
Avoid the use of Removable Media
You are free to use all kinds of removable media like SD cards and USB drives for your personal use, but when it comes to enterprise security, network administrators must prevent the use of such removable media. Because these media are highly prone to malware attacks and if you are in an urgent situation to use it, better have them completely scanned before using and after using them.
Prevention is better than cure, and hence, every organization should implement some corporate training to increase the awareness of phishing attacks amongst their employees. Even though it is not the best phishing protection as all it takes is a single click of an infected link from one employee, and your whole network gets busted. But still, training helps in making the employees aware of the threats posed by these cybercriminals and how to safeguard yourself from these phishing attacks.
The global information-age brings with itself, many advantages. Increasing use of digital media by businesses is in vogue these days. However, it also poses a few risks where cybercriminals are always trying to invade your systems and steal your private information. Use the safeguards mentioned above to prevent these attacks from affecting your business operations.
Today, merely knowing how to stop phishing emails cannot guarantee cybersecurity. Besides the traditional threats such as phishing and malware, new forms such as supply chain attacks also continue to target large, medium, and small businesses daily. A 2020 report by ID Agent states that supply chain attacks have increased by 78%. It further says that around 58% of all breach victims are small/new businesses. Such attacks are the most dangerous ones because the vulnerability isn’t necessarily with the business’s systems, and yet it suffers. While large corporations can afford to use various solutions and hire cybersecurity experts, small or new businesses often fail to recover from a cyber attack. Hence, a new business owner must ensure that the third-party software and service providers do not expose their critical data to cyber threats.
Not a day goes by without phishing scams occurring somewhere in the world. The internet brings with it many conveniences but can also be dangerous at times, especially if the users do not observe due diligence.