Cyberattacks underscore the critical need for strong cybersecurity practices. In many cases, phishing is the gateway through which attackers infiltrate systems, seeking to steal sensitive data. But what exactly is phishing, and how can businesses protect themselves from this growing threat?
What is phishing?
Phishing is a social engineering tactic where attackers disguise themselves as trusted entities to trick individuals into revealing confidential information. These impersonators may pose as familiar contacts, businesses, or government officials to convince targets to share credentials, bank details or other sensitive data. The outcomes of successful attacks can be severe, leading to ransomware infections, data breaches, identity theft, and significant financial losses.
History
The term dates back to the mid-1990s, when attackers targeted members of America Online (AOL), then one of the largest internet access providers. By posing as AOL staff and stealing account details, including usernames, passwords and other personal information, they were able to retrieve and misuse credit card information. Since then the practice has become widespread. According to The Brussels Times, Belgium ranks fourth globally for cybercrime density, with phishing the most common cybercrime.
Different types of phishing
While email remains a popular phishing channel, attackers have diversified their methods. Here are some key variations:
- Vishing and smishing: Vishing involves phone calls to trick victims, while smishing uses deceptive text messages.
- Spear phishing: These attacks target specific individuals or groups, often people with higher access levels, like IT managers.
- Clone phishing: Attackers copy a legitimate email the recipient has already received and swap the original links or attachments for malicious ones, so the message looks familiar and trusted.
- Pop-up phishing: Malicious pop-ups on websites ask users to perform seemingly innocent actions, such as allowing browser notifications or "updating" a plug-in; the notifications or downloads that follow then push the victim towards malware or credential-harvesting pages.
- Calendar phishing: Attackers send fake calendar invites with phishing links embedded in them.
- Quishing: A lesser-known variant, quishing uses QR codes. Attackers embed malicious links in QR codes on posters, parking meters or in emails, betting that users will scan and open them without ever seeing the URL.
How to prevent it?
As phishing becomes more widespread, companies need to protect themselves against it. The best approach is twofold: first, implement appropriate technical measures; second, build a positive security culture among employees.
Technical measures
Examples of technical measures are properly configured firewalls, multi-factor authentication (preferably phishing-resistant methods such as FIDO2 security keys, since one-time codes can be relayed through a fake login page), email authentication with SPF, DKIM and DMARC so that mail forging your domain is rejected, and automatic email filtering that quarantines suspicious messages.
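As an added illustration (not Brightest's or KnowBe4's code), the following Python sketch shows the kind of checks an automatic mail filter applies before a message reaches an inbox: whether SPF, DKIM and DMARC passed according to the Authentication-Results header, whether the Reply-To domain differs from the From domain, and whether a link's visible text names a different host than its real href (the clone-phishing pattern). The two messages are constructed samples and every domain in them is a placeholder.

```python
"""Toy inbound-mail checks, in the style of an email filter (added example, not production code)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages; all addresses and domains are placeholders.
PHISH = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=invoices-secure.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Example Corp Billing" <billing@example.com>
Reply-To: support@invoices-secure.example.net
To: alice@example.com
Subject: Your invoice is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your invoice is ready:
<a href="https://example.com.invoices-secure.example.net/login">https://example.com/invoices</a></p></body></html>
"""

LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Example Corp Billing" <billing@example.com>
To: alice@example.com
Subject: Your invoice is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your invoice is ready:
<a href="https://example.com/invoices">https://example.com/invoices</a></p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def auth_results(msg):
    """Pull the spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    hdr = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr))


def domain_of(addr_header):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(str(addr_header))[1].rpartition("@")[2].lower()


def phishing_indicators(raw):
    """Return the list of reasons a filter would quarantine this message (empty if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    # 1. Sender authentication: anything other than an explicit pass is suspicious.
    verdicts = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            reasons.append(f"{mech} did not pass ({verdicts.get(mech, 'missing')})")

    # 2. Replies silently redirected to another domain.
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Clone-phishing tell: link text shows one host, href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = urlparse(text).hostname if text.startswith("http") else None
            actual = urlparse(href).hostname
            if shown and actual and shown != actual:
                reasons.append(f"link text shows {shown} but points to {actual}")
    return reasons


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_indicators(raw))
```

The sample phish trips all three groups of checks, while the legitimate message produces no findings. A real filter would add reputation lookups, attachment scanning and URL rewriting on top, but these header and link checks are cheap and catch a large share of forged-sender and clone-phishing mail.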
Security culture
A crucial component of defense is employee awareness. According to Verizon's 2022 Data Breach Investigations Report, 82% of data breaches involved a human element, highlighting the importance of reducing human error.
To avoid becoming a victim, pay attention not only to the sender's address and display name, which is usually all we check, but also to grammar, spelling errors and unusual language. Even a formal email from a normally informal colleague can be a sign that something is wrong. To avoid quishing, use a QR code reader that previews the embedded link before opening it, so you know where you are going before you click.
How can we help?
At Brightest we focus on three things – people (user awareness training), devices (zero-trust policy) and applications (pentesting).
To prevent phishing, it's best to invest in user awareness training. Since last year, we've partnered with KnowBe4, where the former hacker Kevin Mitnick served as Chief Hacking Officer and part-owner. Mitnick's experience on the offensive side, including his own convictions for computer intrusion in the 1980s and 1990s, gave him unique insight into how attackers exploit people. KnowBe4 is one of the world's largest security awareness training platforms, offering tools that combine training with simulated phishing attacks.
We start with a simulated attack to determine your organization's "phish-prone percentage": the share of employees who fall for a simulated phishing attempt. With this baseline, we develop tailored awareness training programs and run follow-up simulations to measure progress and ensure your team is prepared for real-world phishing threats.