The OED definition of phishing is “the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information”.
To be effective, phishers go to great lengths to appear to be a legitimate and trustworthy source so that they can fool people into sharing passwords, financial details or other damaging personal information. Human error is the phisher’s greatest weapon, which is why we always have to remain alert and mindful about phishing emails.
If a phishing email looks legitimate, people who are not on their guard, or who have a momentary lapse in concentration, will simply follow its instructions – and the phishers will have gone to a lot of trouble to make themselves look authoritative, as users of Netflix have recently discovered.
It is sadly very easy to fall victim to a phishing attack
One of our clients recently received an email with a link that appeared to have been sent by a legitimate law firm. The staff member concerned opened the email but became suspicious about its content and forwarded it to another member of staff to ask their advice. Unfortunately, the second staff member saw only that a colleague had forwarded an email, assumed it was from a trusted source and clicked on the link, which took her to a logon page that looked like Office 365. She entered her username and password, which gave the phishers her credentials and afforded them access to her mailbox and other services. What made things worse was that the hack occurred on a Friday afternoon and was not discovered until the following Monday, meaning the phishers had access to her account for the whole weekend.
Our client asked us why our security systems had not stopped the attack. Whilst every company has a list of blocked websites that staff are unable to access at work, no company, at a practical level, is willing to block all websites other than approved ones; it would not make commercial sense. Whilst our client wanted to put the phishing sender address and website on its blocked list, this is like shutting the stable door after the horse has bolted – phishing attacks come from addresses that are generally only ever used once; by their very nature they have to be on the move all the time or risk discovery.
So this particular breach occurred because the member of staff clicked on the link and voluntarily entered her details; the human factor is not something IT can control.
How might such a phishing breach have been prevented?
The first thing our client then implemented was staff awareness training to make people aware of phishing and encourage them to look out for attacks. To be effective, this kind of training needs to be mandatory and repeated on a regular basis, preferably every six months, or annually at most. It was only after this company was affected that it instigated this kind of training, which unfortunately is a typical response, even though the cost, potential reputational damage and inconvenience of putting things right can be very high.
With fraudulent emails being sent out every day, phishing affects every business and every individual. By making sure your staff training addresses the problem, you will be stacking the odds in your favour, rather than crossing your fingers and hoping for the best. Hope is not a strategy!
If you would like advice about the prevention of phishing attacks or any aspect of cybersecurity, please contact us to book an appointment.