There was a time when talk of online security centred around which antivirus program you were using, and not much else.
Then, we were unfortunately introduced to the term (and associated problems) of malware and ransomware. Companies fortified their defences with firewalls. Colocation server farms employed armed guards. And yet, the hackers and cyber scammers have kept at it, getting increasingly sophisticated with their methods.
Nowadays, while viruses and malware haven’t gone away, the most likely security risk you and your business will come across will take the form of a phishing attack.
Phishing in simple terms
So, how do phishing attacks work? In simple terms, a phishing attack is an attempt to fool a user into thinking an email or link is from a trusted source, when it is, in fact, not. The intended result of a phishing attack is to gain access to sensitive data (such as user names and passwords) or to deploy malicious software on a user’s system or business network.
Anybody who has an email account has most likely come across a phishing attack at some point in their online life. Some are less credible than others, where poor grammar and odd-looking company logos tend to give away the legitimacy of the scam, but the cleverness of these attacks is getting far better with each passing year.
The reason phishing attacks are so popular within the cybercrime world is that they are, unfortunately, very profitable. Because the attack relies on human interaction, the chances of a mistake being made by an employee are extremely high, especially if they haven’t been trained in what they should be looking out for.
Humans are fallible, and as such, we will always be the weakest link in the security chain when it comes to cybercrime.
A panicked user is an easy target
Often, the phishing attack will take the form of a call to action, where the sender will try to panic the recipient into acting quickly, not paying attention when they do. This is “social engineering” at its most vicious.
One example of this would be an “unauthorized login attempt” email, tricking the user into clicking a link purporting to be that of a bank or online service. Other attacks rely on the familiarity a user has with a particular service. An example of that would be an email masquerading as a file-sharing service, telling the recipient that a file has been shared with them by a co-worker.
Both of these attacks will result in the user being sent to a site that looks authentic, but is in fact a spoof site set up by a cybercriminal.
Training to reduce the threat
Combatting this sort of attack is not as simple as updating an antivirus. While phishing filters within email clients will catch a number of attempts, training staff members to spot the signs of phishing attacks is by far the best option for companies looking to reduce the associated risks.
Once a team has been trained and new routines implemented, it becomes second nature to, for example, check that the URL of a link is an official, legitimate one.
Another simple technique to thwart phishing attacks is to simply avoid clicking on links in emails, and go directly to web services by typing the address in the browser window. It can take a while to encourage this habit, but once it becomes routine, the security risk diminishes rapidly.
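As an added illustration of the URL check described above (example code written for this page, not the author's own), the following Python flags email links whose visible text and real destination name different domains, plus two old spoofing patterns: a bare IP address as the host, and a fake host placed before an "@" sign. Every domain and the sample message are constructed.

```python
# Added example, not from the original article: flag links in an HTML e-mail
# whose visible text and real destination disagree, or that use two classic
# spoofing tricks. All domains and the sample message are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    # Collect (href, visible text) pairs for every <a> element in the body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels of a hostname; a rough stand-in for a public-suffix lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def suspicious_links(html_body):
    """Return (href, reason) pairs for links a reader should not trust."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href if "://" in href else "http://" + href)
        host = parsed.hostname or ""
        if "@" in parsed.netloc:  # user@host: everything before @ is decoration
            findings.append((href, "userinfo before the host hides the real destination"))
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append((href, "link goes to a bare IP address"))
        # Visible text that looks like a URL or domain but points somewhere else
        shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text, re.I)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append((href, f"text shows {shown.group(1)} but link goes to {host}"))
    return findings

SAMPLE_EMAIL = """<p>We detected an unauthorised login attempt on your account. Verify now:
<a href="http://bank.example.verify-account.example/auth">https://www.bank.example/login</a>
or <a href="http://www.bank.example@203.0.113.5/">sign in here</a>. <a href="https://www.bank.example/contact">Contact page</a></p>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` reports the first two links and leaves the genuine contact link alone; the registrable-domain helper is deliberately crude, and a production check would use a public-suffix list.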
While phishing attacks are always likely to be a threat, reducing the risks is something all companies should be doing going forward. With these sorts of attacks on the rise, it would be foolish to either play the risks down, or expect every member of a team to intrinsically know what to look for.
Stay off the hook
With plenty of tools available to help mitigate the other security threats in existence, the one area in which all businesses can build their own defences is training staff to detect phishing attacks.
When you consider that even giant corporations and institutions can fall at this hurdle, the SMBs of tomorrow will surely have to take the threat seriously, or prepare themselves to face the costly and time-consuming consequences.