Phishing: The growing threat to your business
How clever cybercriminals can take advantage of your busy employees to steal credentials, money, and data – and what you can do to prevent it from happening.
It only takes a matter of minutes for cybercriminals to bait, hook, and catch a phishing victim among your employees and then leverage that success into a broader cyberattack on your business. Unfortunately, this was very much the case with the Waikato DHB cyberattack, with an attachment in a phishing email thought to be the entry point.
The general story goes like this:
- Choosing victims: A cybercriminal launches a phishing campaign to either random email recipients (often obtained from a previous data breach) or targeted to a specific company or industry. In this case, an employee of a New Zealand business is randomly targeted with a phishing email.
- Setting the bait: The employee opens the phishing email and sees a convincing message about a document to be downloaded from a well-known file-sharing application. It’s convincing because the employee uses the application to share documents both within the organisation and externally with company suppliers. The email includes the application’s branding to make it look legitimate. Furthermore, the sender appears to be the employee’s boss, a technique called ‘spear phishing’: a malicious email that impersonates a specific individual in order to trick the recipient into completing a desired action.
- Hooking the target: The employee is incredibly busy on this day and clicks on the malicious link so they can deal with this latest interruption to their already overflowing schedule. The link takes them to a fake website where they are asked to enter login credentials. They enter them and open the document, which contains hidden malware.
- Taking malicious actions: The malware downloads to their device and then rapidly spreads across the company’s network, allowing the cybercriminal to steal credentials and sensitive data along the way. At some point in the attack, ransom notes begin popping up on employees’ screens and operations come to a halt.
Phishing is a bigger threat than ever
According to CERT NZ, the biggest cyber security incident category in New Zealand in 2020 was phishing, with reports up 76 percent on 2019, and phishing and credential harvesting remained the most reported incident category from January to March this year.
The Anti-Phishing Working Group (APWG) found that roughly 200,000 new phishing sites crop up each month, with campaigns impersonating more than 500 different brands and entities per month. The group’s Phishing Activity Trends Report reveals that the number of phishing attacks doubled throughout 2020. Attacks peaked in October 2020, with a record 225,304 new phishing sites appearing in that month alone.
Interestingly, according to consulting firm Deloitte, 91 percent of all cyberattacks begin with a phishing email to an unsuspecting victim. Phishing campaigns impersonate email and file-sharing service providers, pretend to be vendors or job seekers, pose as financial institutions, and much more to gain login credentials, steal money and data, and hold businesses and their systems and data hostage.
Why phishing still works
We all know never to click on links or open attachments in sketchy emails. Yet phishing remains a lucrative attack vector for bad actors. That’s because attackers have become more adept at impersonation and at taking advantage of our busy work lives. As humans, we are prone to momentary lapses in judgment when we are juggling group chats, video conferences, emails, and other interruptions to our normal work tasks. A phishing email that seems to fit within a busy workflow might just slip through in a moment of multitasking.
Data loss is the top impact
Once a phishing victim has taken the bait, then the malicious actor can do several things:
- Control the victim’s device using malware.
- Gain access to account credentials for data or financial theft.
- Access the victim’s email and contacts to further target company executives or other employees.
- Spread malware including ransomware to other devices on the same network.
- Gain access to other company systems, data, or intellectual property.
When a successful phishing campaign turns into a successful cyberattack, the impact on the business can be devastating, including data loss, compromised accounts or credentials, and ransomware attacks, which are rising exponentially across the world and in New Zealand.
Protection against phishing attacks
To protect your business against damage from a successful phishing attack, it’s best to take a multi-pronged approach. First, provide employees with anti-phishing training and information on a regular basis to help them recognise phishing campaigns and avoid becoming victims.
Second, assume that mistakes will still happen and that someone within the company will accidentally click on a malicious link, open a malicious attachment, or provide login credentials to a fake website. To help limit the damage from a successful phishing attempt, make sure your anti-spam and antivirus software is up to date on employee devices.
Third, secure traffic on your network to further mitigate phishing risk with a Secure Web Gateway that blocks phishing attempts by analysing and blocking bad sites, and by stopping malicious downloads and known malicious URLs from entering the network.
By following these steps, you and your business can avoid becoming the victim of a phishing campaign.
Story by Katherine Little, Business Security Expert at Avast, a global leader in digital security.