Firstly, what do we mean by it? Phishing is a method where someone contacts a target while pretending to be someone else, for example a close personal contact, a commercial company or a representative of a government institution. The objective is to get people to reveal sensitive information such as credentials, bank or credit card details. Such an attack can have devastating results, ranging from ransomware attacks and the exposure of sensitive data to identity theft and financial loss …
Its origin can be traced back to the 90s, when hackers targeted members of America Online, an internet access provider. By stealing user details, including usernames, passwords and other personal information, they were able to retrieve and misuse credit card information. Since then the practice has become widespread. According to The Brussels Times, Belgium ranks fourth globally for cybercrime density, with phishing as the most common cybercrime.
Email seems to be the most popular medium, but scammers have become more creative and started using other methods, for example these:
Vishing is where scammers contact the target by phone, using their voice. Smishing is the use of text messages with deceptive content.
Spear phishing is an attack targeting a specific person or group of people, generally staff and IT managers with higher access levels.
A variant related to spear phishing in which, instead of sending false mails, the scammer copies authentic mails and replaces the link from the original mail with a new malicious link.
Placing code in a pop-up when visiting a website, for example a message asking to allow notifications; when the user clicks ‘allow’, malware is installed.
Fake calendar invitations with phishing links.
As phishing is becoming more widespread, it is key for companies to be protected against these practices. The best way to do so is firstly to implement appropriate technical measures and secondly to build a positive security culture among employees.
Some examples of technical measures are a well-configured firewall, automatic filtering of phishing mails, multi-factor authentication, monitoring, etc. Besides this, there is also the security culture to consider: the human factor. According to a 2022 study by Verizon, 82% of breaches involved a human element. This includes incidents in which employees expose information directly (for example, by misconfiguring databases) or make a mistake that enables cyber criminals to access the organization’s systems.
At Brightest we focus on two things: on the one hand our security defense solutions (application, API, mobile, network), and on the other hand the phishing aspect and the awareness of users.
Since last year we have partnered with KnowBe4, a company co-founded by Kevin Mitnick. An ex-hacker turned white-hat, he was convicted in 1983 for hacking the Pentagon. Mitnick is now active as Chief Hacking Officer of the company and knows the importance of security. In other words, the poacher turned gamekeeper. KnowBe4 is the world’s largest integrated platform for security awareness training combined with simulated phishing attacks.
In a nutshell, we start with a simulated phishing attack to measure the phish-prone percentage: the percentage of employees who click on phishing mail content. This is the starting point for improvement through awareness training and follow-up simulated attacks. If you want to know more about our approach, please contact us.