
What is phishing and how to avoid costly mistakes

Phishing is a serious cyber security risk for every IT leader, and attacks are becoming more frequent and sophisticated. Here we examine the impact of phishing, the latest scams, and offer top tips on how to keep your team safe.

Phishing scams cost businesses billions of pounds each year as cyber criminals become more organised.

IT and security teams now spend a third of their working week dealing with the threat of phishing. However, as IT teams get more savvy, so too do the hackers, finding new ways to target your employees.

Russell Johnson, IT Business Partner at Brother International Europe, said: “Focusing on the user is critically important. We have technical endpoint protection systems which are great, but if a sophisticated attack gets through then it is down to the user to protect themselves and the business.”

Learning the latest phishing trends and preventative measures will save time, resources and money.

Latest phishing trends

There has been a rise in Business Email Compromise (BEC) attacks across Europe, specifically with criminals impersonating a company CEO. This impersonation attack tricks employees into taking action and is proving to be one of the most expensive types of phishing attacks.

After researching their target – usually, finance managers – cyber criminals create a convincing spoof email address requesting a transaction.

Austrian aerospace parts maker FACC lost €42m in a BEC attack after a hoax email asked an employee to transfer money to an account for a fake acquisition project.

Italian football club Lazio also reportedly lost €2m in a similar phishing scam. The Serie A team released funds for a player transfer after receiving an email appearing to be from Dutch club Feyenoord.


Spoofed pages aimed at harvesting company credentials are also on the rise.

Phishing emails take users to a fake log-in page for a corporate service like Microsoft Office 365 or Amazon Web Services (AWS). This can be disastrous for organisations as hackers access sensitive data stored on the account.

For example, attackers recently impersonated Amazon Web Services using an automated email notification. Despite the hyperlinks looking credible, an anomaly in the URL redirected users to a fake log-in page.

Cybersecurity consultant Rob Mukherjee advises businesses to use computer vision, a subset of artificial intelligence in which software uses algorithms to replicate the human visual system.

Rob said: “The software looks at every single pixel and prevents emails from accessing the inbox if it spots an anomaly.”


Elsewhere, there has been a huge spike in phishing emails impersonating LinkedIn. Researchers saw a 232% increase in emails claiming to be from the social media site in 2022.

Cyber criminals use display name spoofing and stylised HTML templates to trick Microsoft Outlook users into clicking on phishing links and entering their details.

LinkedIn is also being used to scout for potential spear phishing targets. Hackers used the social media site to identify system engineers and network administrators at Sony Pictures Entertainment. Targeted phishing emails resulted in over 100 terabytes of company data being stolen and the attack cost Sony more than $100m.

The true cost of phishing

Phishing attacks are expensive and difficult to deal with. According to IBM, they were the costliest form of attack in 2022, with the average data breach costing $4.91m.

Yet phishing remains the most common entry point for criminals. In fact, 82% of data breaches across Europe involved a human element in 2022.

This constant phishing threat is not only expensive for businesses, but it has a direct impact on IT leaders who are dedicating more time and resource to it. IT and Security teams report that one email now takes an average of 27.5 minutes to resolve.

How to protect your business against phishing

A combination of IT tools and behavioural change is the best way to protect your business.

Dan Giannasi, Head of Cyber and Innovation at the Cyber Resilience Centre, said: “Companies must take steps to protect their organisation by making it difficult for attackers to reach users.

“This includes implementing robust email protocols which prevent known phishing emails from getting to users and stop criminals from mimicking their email domain in other attacks.”

A rule-based, business-grade email filter will detect spoofed domain names and identities that staff can easily miss. Advanced filters can also detect malware, such as port scanners and keyloggers.
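A small illustration of the rule-based checks described above (CEO impersonation, LinkedIn-style display name spoofing, look-alike sender domains and the link-text/href anomaly mentioned earlier in the AWS case). This is an added example, not Brother's or any vendor's tooling; the company domain, executive name, brand list and sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: the protected company domain, an executive whose name CEO fraud would borrow, brands whose names get spoofed.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}
BRAND_DOMAINS = {"linkedin": "linkedin.com", "amazon web services": "amazonaws.com"}
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def is_lookalike(domain, target):
    """True when domain imitates target through common character substitutions."""
    folded = domain
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return domain != target and folded == target

def phishing_indicators(raw_message):
    """Return the names of every rule that fires for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    name, domain = name.lower(), addr.rpartition("@")[2].lower()
    hits = []
    # CEO fraud: a familiar executive name sending from outside the company domain.
    if name in EXECUTIVES and domain != COMPANY_DOMAIN:
        hits.append("executive impersonation")
    # Display name spoofing: a brand in the display name, but the address is not the brand's.
    for brand, brand_domain in BRAND_DOMAINS.items():
        if brand in name and domain != brand_domain and not domain.endswith("." + brand_domain):
            hits.append("display name spoofing")
    if is_lookalike(domain, COMPANY_DOMAIN):
        hits.append("lookalike domain")
    # URL anomaly: the link text shows one host while the href points somewhere else.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for href, text in LINK_RE.findall(body):
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        if shown and shown.group(0) != (urlparse(href).hostname or ""):
            hits.append("link text/href mismatch")
    return hits

# Constructed sample resembling the LinkedIn impersonation described in the text.
SAMPLE = (
    "From: LinkedIn Notifications <alerts@exarnple.com>\n"
    "Content-Type: text/html\n\n"
    '<p>You have a new message: <a href="http://login.bad-host.test/">'
    "https://www.linkedin.com/messaging</a></p>\n"
)
print(phishing_indicators(SAMPLE))
```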

Turning to behavioural change, Joshua Ashton, Director of Symposium IT, advises that your team treat any request for sensitive information with caution and try to verify the authenticity of the source before acting.

It is also vital to educate teams about the common red flags of phishing and test their skills because, as Russell Johnson points out, ‘human resilience can always be improved’. Russell heads up an in-house Cyber Security Programme for Brother International Europe which is delivered to 1,500 users.

With a focus on creating ‘a human firewall’, the mandatory training is supported by remedial and optional guidance and articles on the latest trends. Each user is phished once a month using KnowBe4, a system which uses artificial intelligence to rate users across four different risk criteria. The programme has been well received by staff and the business is now on course to achieve the industry standard for its phish-prone percentage.
