The recent cyberattacks in the cities of Antwerp and Diest have once again emphasized the importance of IT security. The attackers used phishing to get inside the systems and to steal personal data. But what is phishing, and how can we help you prevent it?
What is phishing?
Firstly, what do we mean by it? Phishing is a method where someone contacts a target while pretending to be someone else: for example, a close personal contact, a commercial company or a representative of a government institution. The objective is to get people to reveal sensitive information such as credentials, bank or credit card details. Such an attack can have devastating results, ranging from ransomware attacks and exposure of sensitive data to identity theft and financial loss.
Its origin can be traced back to the 90s, when hackers targeted members of America Online, a provider of internet access. By stealing user details, including username, password and other personal information, they were able to retrieve and misuse credit card information. Since then the practice has become widespread. According to The Brussels Times, Belgium ranks fourth globally for cybercrime density, with phishing as the most common cybercrime.
Email seems to be the most popular medium, but scammers have become more creative and started using other methods. For example:
- Vishing and smishing
Vishing is where scammers contact the target via phone, using their voice. Smishing is the use of text messages with deceptive content.
- Spear Phishing
An attack targeting a specific person or group of people. Generally, staff and IT managers with higher access levels.
- Clone Phishing
Related to spear phishing, but instead of writing a false mail from scratch, the scammer copies an authentic mail and replaces the link in the original mail with a new malicious link.
- Pop-up Phishing
Placing code in a pop-up that appears when visiting a website. For example, a message asks the user to allow notifications; when the user clicks ‘allow’, malware is installed.
- Calendar Phishing
Fake calendar invitations with phishing links.
How to prevent phishing?
As phishing becomes more widespread, it is key for companies to be protected against these practices. The best way to do so is, firstly, to implement appropriate technical measures and, secondly, to build a positive security culture among employees.
Some examples of technical measures are a well configured firewall, automatic filtering of phishing mails, multifactor authentication, monitoring, etc. Besides this, there is also the security culture to consider, the human factor. According to a study from Verizon in 2022, 82% of breaches involved a human element. This includes incidents in which employees expose information directly (for example, by misconfiguring databases) or when making a mistake that enables cyber criminals to access the organization’s systems.
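As a concrete illustration of the "automatic filtering of phishing mails" measure, and of the link swap that clone phishing relies on (see the list above), here is a small heuristic link checker. It is an added example written for this page, not Brightest's or KnowBe4's code, and it makes two assumptions: the list of trusted sender domains is constructed (`example-bank.com`, `example-supplier.com`), and the "registrable domain" is approximated by the last two labels of a hostname instead of a real public-suffix list. It flags anchors whose visible text names one domain while the real target is another, hostnames that are raw IP addresses or punycode, and hosts that mention a trusted brand but live under a different registrable domain.

```python
"""Heuristic checks for suspicious links in an HTML mail body.

Added example for this page (not the page's or any vendor's code).
Constructed assumptions: TRUSTED_DOMAINS and the two-label registrable-domain
approximation are placeholders for a real allowlist and public-suffix list.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed sample allowlist: domains this organisation legitimately gets mail from.
TRUSTED_DOMAINS = {"example-bank.com", "example-supplier.com"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation: last two labels (no public-suffix list used)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return the reasons a link looks suspicious; an empty list means no finding."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        return reasons  # mailto:, tel: and friends are not assessed here
    if _is_ip(host):
        reasons.append("link points to a raw IP address")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (internationalised) hostname")
    # If the visible text itself looks like a domain, it must agree with the real target.
    shown = ""
    if "." in text and " " not in text:
        try:
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        except ValueError:
            shown = ""
    if shown and registrable_domain(shown) != registrable_domain(host):
        reasons.append(f"visible text says {shown} but link goes to {host}")
    # A trusted brand name used inside an untrusted registrable domain is a lookalike.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host and registrable_domain(host) != trusted:
            reasons.append(f"lookalike of {trusted}: {host}")
    return reasons


def scan_html_mail(html):
    """Return {href: [reasons]} for every suspicious anchor in the mail body."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample mails: a genuine notification and a cloned copy with the link swapped.
GENUINE_MAIL = ('<p>Your statement is ready: '
                '<a href="https://www.example-bank.com/login">www.example-bank.com</a></p>')
CLONED_MAIL = ('<p>Your statement is ready: '
               '<a href="http://example-bank.com.account-verify.test/login">'
               'www.example-bank.com</a></p>')

if __name__ == "__main__":
    print("genuine:", scan_html_mail(GENUINE_MAIL))
    print("cloned: ", scan_html_mail(CLONED_MAIL))
```

Run on the two constructed mails, the genuine one produces no findings, while the cloned one is flagged both because the visible `www.example-bank.com` disagrees with the real host and because that host reuses the bank's brand under `account-verify.test`. A real filter would add sender authentication results (SPF, DKIM, DMARC) and reputation data on top of such content heuristics; this block shows only the link-level part.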
Our security solution
At Brightest we focus on two things: on the one hand, our security defense solutions (application, API, mobile, network); on the other hand, the phishing aspect and the awareness of users.
Since last year, we have partnered with KnowBe4, a company co-founded by Kevin Mitnick. An ex-hacker turned white hat, he was convicted in 1983 for hacking the Pentagon. Mitnick is now active as Chief Hacking Officer of the company and knows the importance of security. In other words, the poacher turned gamekeeper. KnowBe4 is the world's largest integrated platform for security awareness training combined with simulated phishing attacks.
In a nutshell, we start with a simulated phishing attack to measure the phish-prone percentage: the share of employees who click on phishing mail content. That figure is the starting point, which we then improve through awareness training and follow-up simulated attacks.