In July 2020, Twitter suffered its worst cyberattack, with hackers targeting 130 users and taking control of several high-profile accounts, including those of Joe Biden and Jeff Bezos, as part of a bitcoin scam that stole more than $100,000 before being shut down.
The incident, which caused massive disruption across the network and was one of the largest social media data breaches in history, has experts and policymakers concerned that it may just be the tip of the cyberattack iceberg. Or, rather, the tip of the spear.
Spear phishing is a specifically targeted form of phishing, where criminals use electronic communication to impersonate a trustworthy entity and induce victims to divulge sensitive information. Twitter said its breach was a phone-spear phishing attack, with hackers calling company employees and deceiving them into revealing access credentials. Others have referred to it as “vishing,” or voice phishing. Whatever its name, this new social engineering attack vector is growing fast and becoming more sophisticated.
In recent years, phishing has evolved and expanded dramatically from a single technique into many different tactics that are adapted to specific targets and technologies. The FBI estimates that more than $12 billion has been stolen in the past five years by phishing, with attacks and losses continuing to rise.
Types of phishing
In order for businesses and individuals to prepare for, protect against and even try to prevent damaging cyberattacks, it helps to understand the different types of phishing that exist. Some of the more common types include:
Standard phishing: a basic fraud scheme that is not specifically targeted but rather casts a wide net and is done on a large scale, usually through mass email
Malware phishing: the most widespread form of attack, which uses standard techniques to prompt users to click a link or download an attachment that installs malicious software
Spear phishing: highly targeted and relying on research and information to create a more convincing con, this type is often specifically aimed at catching big-game “whales”
Vishing: a method of impersonation and deception over the phone, where an imposter attempts to extract personal information from a victim, usually using an unknown number
Business email compromise: one of the costliest threats companies face, wherein a fake business email urgently requests payment from someone involved in the company
Phishing is a serious issue and one that companies need to address. According to cybercrime reports, 96% of surveyed organizations say email phishing is their top security risk and 85% have experienced phishing scams and social engineering attacks, with those numbers increasing in the last couple of years.
Cybercrime already costs the global economy around $3 million every minute, generating at least $1.5 trillion in revenue in 2018. With security breaches anticipated to increase nearly 70% by 2024 and cybercrime damages expected to cost $6 trillion per year by 2021, it’s clear phishing is an enormous threat. Its effects are potentially devastating to the bottom line of every business in the world.
While cybercrime impacts all companies, small and medium-sized organizations, which have fewer resources to spend on data security, suffer more from a successful phishing attack. In fact, 60% of SMBs are out of business within six months of a breach.
It’s an especially dangerous time in the wake of the coronavirus pandemic. An influx of employees working from home on personal devices, non-essential businesses going unprotected and IT teams’ reduced resources have led to a surge in cybercrime, including numerous COVID-19 phishing scams.
The human element
More than 90% of cyberattacks begin with a spear-phishing email, which then infects systems with malware. According to The Psychology of Human Error, 88% of data breaches are caused by human error, with one-third of employees saying they rarely or never think about cybersecurity and one-quarter reporting they’ve clicked on a phishing email at work.
In information security, organizations are only as strong as their weakest link, and humans are the weakest link. However, people are also every organization’s most important asset, and businesses must take a more human approach to prevent ordinary mistakes from becoming major security breaches.
“Good security awareness training programs transform people from the weakest link into a human firewall,” says Jatin Chugh, senior security manager at Calance. “The idea is to build a culture at organizations where security-conscious behavior is ingrained in employees.”
It’s vital that companies provide education and training, so employees can recognize and protect against cyberattacks. Combining these instructional efforts – in particular, phishing simulations – with machine learning that alerts workers to possible threats can optimize defense effectiveness.
A phishing simulation is a way to test your workforce’s response to suspicious emails by luring them into interacting with harmless emails in a controlled environment. They might be asked to open an attachment, click a link or give personal information; evaluating their actions shows you how much of your staff is at risk and who, specifically, needs to correct their behavior.
Hackers have gotten smarter and email filters sometimes fail, so phishing simulations help your personnel make better security decisions and become an internal defense system. These tests make workers more vigilant, open lines of communication between IT and employees regarding potential threats and reduce the rate of repeat offenders, which currently stands at nearly 30%.
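The value of a simulation lies in what is measured afterwards: which share of the targeted staff took a risky action (the "phish-prone" percentage), who fails repeatedly and where in the organization the problem concentrates. The script below is an added example of that scoring step; it is not code from the Calance platform. It assumes a constructed, comma-separated export with one row per targeted user per campaign and a fixed outcome vocabulary (reported, ignored, clicked, submitted, opened_attachment), where anything other than reported or ignored counts as a failure.

```python
"""Score phishing-simulation results (added example; not the platform's own code).

Assumed input format (constructed for this example):
    campaign_id,user,department,outcome
Outcomes "reported" and "ignored" are safe; "clicked", "submitted" (entered
credentials) and "opened_attachment" count as a failure for that campaign.
"""
from collections import defaultdict

RISKY_OUTCOMES = {"clicked", "submitted", "opened_attachment"}
SAFE_OUTCOMES = {"reported", "ignored"}

# Constructed sample export: three campaigns against four users in two departments.
SAMPLE_EVENTS = """\
# campaign,user,department,outcome
c1,alice,finance,reported
c1,bob,finance,clicked
c1,carol,engineering,ignored
c1,dave,engineering,submitted
c2,alice,finance,ignored
c2,bob,finance,submitted
c2,carol,engineering,clicked
c2,dave,engineering,reported
c3,alice,finance,reported
c3,bob,finance,clicked
c3,carol,engineering,reported
c3,dave,engineering,ignored
"""


def parse_events(text):
    """Parse the export; reject malformed rows and unknown outcomes instead of skipping them."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        campaign, user, dept, outcome = fields
        if outcome not in RISKY_OUTCOMES | SAFE_OUTCOMES:
            raise ValueError(f"line {lineno}: unknown outcome {outcome!r}")
        events.append({"campaign": campaign, "user": user, "dept": dept, "outcome": outcome})
    return events


def _pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when nothing was targeted."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def phish_prone_percentage(events, campaign=None):
    """Share of targeted users who took a risky action, overall or for one campaign."""
    subset = [e for e in events if campaign is None or e["campaign"] == campaign]
    failed = sum(1 for e in subset if e["outcome"] in RISKY_OUTCOMES)
    return _pct(failed, len(subset))


def report_rate(events):
    """Share of lures that were reported to IT: the behaviour training should raise."""
    return _pct(sum(1 for e in events if e["outcome"] == "reported"), len(events))


def failures_per_user(events):
    """Number of campaigns each user failed (users with no failures are omitted)."""
    counts = defaultdict(int)
    for e in events:
        if e["outcome"] in RISKY_OUTCOMES:
            counts[e["user"]] += 1
    return dict(counts)


def repeat_offenders(events, threshold=2):
    """Users who failed at least `threshold` campaigns; these need targeted coaching."""
    return {u: n for u, n in failures_per_user(events).items() if n >= threshold}


def repeat_offender_rate(events, threshold=2):
    """Among users who failed at least once, the share who failed repeatedly."""
    fails = failures_per_user(events)
    return _pct(sum(1 for n in fails.values() if n >= threshold), len(fails))


def department_rates(events):
    """Phish-prone percentage per department, to see where risk concentrates."""
    targeted, failed = defaultdict(int), defaultdict(int)
    for e in events:
        targeted[e["dept"]] += 1
        if e["outcome"] in RISKY_OUTCOMES:
            failed[e["dept"]] += 1
    return {d: _pct(failed[d], targeted[d]) for d in sorted(targeted)}


def campaign_trend(events):
    """Phish-prone percentage per campaign in export order, to show improvement over time."""
    order = list(dict.fromkeys(e["campaign"] for e in events))
    return [(c, phish_prone_percentage(events, c)) for c in order]


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    print("overall phish-prone %:", phish_prone_percentage(ev))
    print("report rate %:", report_rate(ev))
    print("trend:", campaign_trend(ev))
    print("by department:", department_rates(ev))
    print("repeat offenders:", repeat_offenders(ev))
```

Tracking the report rate alongside the failure rate matters: a workforce that simply ignores lures looks identical to one that reports them in the phish-prone number, but only the reporting workforce gives the security team early warning of a real campaign.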
Calance’s integrated platform trains and phishes your users, reveals their Phish-prone percentage and Risk Score and improves results over time. You’ll receive on-demand, interactive education, unlimited simulated social engineering attacks and a range of security awareness programs and reporting features.
Using an educational framework that explains the cybersecurity landscape in understandable terms, Calance offers a robust range of managed defense systems and solutions that can help identify threats and shield your company from the crippling consequences of phishing.