Phishing Attacks: Employees as Important Safeguard for the Security of Businesses

18 November 2022

Phishing attacks have increased dramatically in recent years and are very common. The reason is that they are very effective and efficient for cybercriminals, and most importantly, profitable. Phishing is a form of social engineering that usually works via fraudulent emails. In this way, hackers try to manipulate their victims and make them react in a certain way in order to obtain information or spread malware. In doing so, the cybercriminals try to bypass companies' email security measures by targeting specific employees in a personal way.

Many users and organizations have fallen victim to phishing attacks in which personal information, credentials and sensitive data were stolen, resulting in identity theft, financial damage, reputational damage, loss of intellectual property and disruption of normal daily operations. All of this combined poses a great risk to users, and especially to businesses: In most cases, irreversible damage is caused.

Phishing – Attack Types

There are various phishing methods that cybercriminals use - we have summarized some of the most common attack types for you here.

Email Phishing

Most phishing attacks are carried out via email, which is therefore the main gateway for viruses, Trojans and other malware. However, phishing emails are also often used to obtain personal data from the recipients. If a phishing email is sent with the purpose of spreading malware, the malware can get onto the computer in two ways: either via malicious attachments, or via links in the email that are intended to lure the recipient to a compromised website. For example, the attackers register a domain that imitates a real organization and send thousands of generic emails asking users to visit the fake site. The fake domain often involves character substitution, such as placing "r" and "n" next to each other to create "rn", which at a glance reads as "m". In other cases, the cybercriminals create a unique domain that includes the name of the legitimate organization in the URL.

While phishing emails were mostly characterized by impersonal salutations or riddled with errors in the message text until a few years ago, criminals have become more professional in their approach. Typos or strange expressions in the text are only rarely a clear indication of a phishing attempt.
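The two lookalike-domain tricks described above ("rn" imitating "m", and a legitimate brand name embedded in an unrelated domain) can be checked mechanically on the mail gateway or in a SOC playbook. The following is an added example, not code from the original article or from usd: it folds confusable character pairs before comparing a sender or link domain against a constructed list of protected domains (`PROTECTED_DOMAINS`, `SAMPLE_SENDER` and `SAMPLE_BODY` are assumptions made up for this example). It generalizes the article's "rn"/"m" case to a few other common confusables and uses a simplified "last two labels" notion of the registrable domain, so it is a triage aid rather than a complete public-suffix-aware check.

```python
import re
from urllib.parse import urlparse

# Constructed list of domains this (hypothetical) organisation wants to protect.
PROTECTED_DOMAINS = {"example.com", "examplebank.com"}

# Character pairs that render almost identically in common fonts. "rn" -> "m"
# is the case from the article; the others are added here as a generalisation.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def registrable(host: str) -> str:
    """Last two labels of a host, e.g. 'mail.exarnple.com' -> 'exarnple.com'.
    Simplification: no public-suffix list, so 'foo.co.uk' would be folded wrong."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def fold_confusables(label: str) -> str:
    """Rewrite confusable sequences so 'exarnple' compares equal to 'example'."""
    for lookalike, real in CONFUSABLES:
        label = label.replace(lookalike, real)
    return label


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike', 'brand-in-url' or 'unknown'."""
    host = domain.lower().strip(".")
    reg = registrable(host)
    if reg in PROTECTED_DOMAINS:
        return "trusted"
    for protected in PROTECTED_DOMAINS:
        if fold_confusables(reg) == protected:
            return "lookalike"        # e.g. exarnple.com imitating example.com
        brand = protected.split(".")[0]
        # Brand name embedded anywhere in the host, e.g. example-login.net
        # or example.com.evil.net; separators removed before matching.
        if brand in fold_confusables(host).replace("-", "").replace(".", ""):
            return "brand-in-url"
    return "unknown"


def check_message(sender: str, body: str) -> dict:
    """Classify the sender domain and every http(s) link found in the body."""
    findings = {}
    sender_domain = sender.rsplit("@", 1)[-1].strip(">")
    findings[sender_domain] = classify_domain(sender_domain)
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        findings[host] = classify_domain(host)
    return findings


# Constructed sample message (assumption) mixing a lookalike sender, a
# brand-in-URL link and one genuine link to the protected domain.
SAMPLE_SENDER = "IT Support <helpdesk@exarnple.com>"
SAMPLE_BODY = """Your mailbox is full. Re-validate your account at
https://example-login.net/reset
or contact us via https://www.example.com/support."""

if __name__ == "__main__":
    print(check_message(SAMPLE_SENDER, SAMPLE_BODY))
```

Expect legitimate domains that genuinely contain "rn" (or another confusable pair) to be folded too, so treat a "lookalike" verdict as a triage signal to be confirmed by a human, not as a blocking rule on its own.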

Spear Phishing

Spear Phishing is a method that targets specific individuals or groups within an organization. Cybercriminals do not send mass emails to random people, but focus on specific targets - this requires prior research. To do this, criminals gather publicly available information about the company and its employees, for example via social networks and the company website, and thus identify a potential victim or entire victim groups. For example, attackers can use the following information to carry out a spear phishing attack:

  • name
  • place of work
  • job title
  • email address; and
  • specific information about the victim's role within the company.

Using this information, attackers can send elaborate phishing messages that are difficult to identify as such, making it easier to manipulate recipients into taking a particular action.

Whaling / CEO Fraud

In a whaling attack, also known as CEO fraud, cybercriminals pose as high-ranking employees of a company in order to directly attack executives or other important people. The goal of such an attack may be to steal money or confidential information, or to gain access to their computer systems for further criminal purposes.

These emails exploit employees' willingness to follow their managers' instructions and their desire to avoid pressure and stress.

Social Media Phishing / Angler Phishing

Social media is a relatively new attack vector and offers criminals multiple ways to trick people. Fake URLs, cloned websites, posts and tweets, and instant messaging can be used to trick people into revealing sensitive information or downloading malware.

Alternatively, criminals can use the data that people willingly post on social media to conduct highly targeted attacks.

Prevention of Phishing Attacks

As mentioned earlier, phishing attacks can have serious consequences and cause great losses for both companies and users. Companies can mitigate the risk of phishing with technical tools such as spam filters and firewalls, but ultimately malicious emails will get through them on a regular basis. In these cases, the only thing that will save your company from a security incident is the ability of your employees to recognize the fraudulent nature of these emails and respond appropriately.

Your Employees Are an Important Safeguard

A single click on a malicious phishing link by a single employee can have devastating consequences. Therefore, you should train your team to recognize phishing scams and techniques. The internet is constantly changing, and so are the methods of phishing attacks. However, most attacks still show some common warning signs that your team can learn to recognize, with the proper knowledge and experience, through regular security awareness training. This makes it more likely that your employees will be able to avoid a potential attack.

Simulated phishing attacks are an effective way to further raise your employees' awareness of such threats and to check the success of training measures that have already been carried out. Of course, these planned, simulated email attacks do not spread malware or read or misuse confidential data. Instead, we measure how many of your employees do not recognize the phishing attempt as such. This allows you to reliably assess the extent to which your awareness measures are already bearing fruit and the extent to which you should expand them with further awareness measures.

The usd Phishing Awareness Campaign

Would you like to raise awareness about phishing among your employees?

Learn more about our usd Phishing Awareness Campaign
