Phishing is a technique that fraudsters employ to discover sensitive information they can use for financial gain. The word has its origins, as you might guess, in fishing. Scammers are effectively fishing in an internet sea of users, trying to lure their prey onto their hooks.
As with most scams, it has evolved and become more sophisticated since the first phishing messages were sent in the 1990s. Variants include spear-phishing, vishing and whaling and companies need to know how to protect themselves from all types of phishing attacks.
The Data Breach Investigations Report (DBIR) 2021 found that 36% of breaches involved phishing, which was 11% more than in 2020. IBM’s Cost of a Data Breach Report 2021 found that the average cost resulting from a data breach was USD 4.24 million.
What is phishing?
Phishing is a type of business email compromise (BEC) attack. Scammers send emails that seemingly come from a legitimate source. They are designed to extract useful information or deploy malicious software such as ransomware. In businesses, scammers often use phishing as a starting point to take over accounts and divert funds. It is often used to facilitate spear-phishing.
The US company Ubiquiti Networks was a victim of phishing in 2016 and described the attack as “employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department.” Ubiquiti transferred USD 46.7 million to fake accounts.
How is spear-phishing different from phishing?
Spear-phishing is more targeted than phishing and uses social engineering techniques. Scammers use personal information that they have discovered to create highly convincing emails due to their ‘inside’ knowledge of a person or organisation. They find this information online, either on company websites or on social media platforms, or through taking over email accounts.
Spear-phishing and vishing – voice phishing on a phone call – enabled hackers to get into Twitter’s system in 2020 and access celebrity accounts.
What is whaling?
Whaling is phishing in which the target offers a much greater potential payoff: it targets the email accounts of CEOs and senior executives.
Once a fraudster takes over a senior executive’s account, they can intercept emails and provide their own account details to divert funds. They can also request payments, claiming they are needed as a favour, or are last-minute and vital to a deal going ahead, and so on. This is known as CEO fraud and plays on the fact that employees are unlikely to question their superiors and want to be seen as helpful and useful.
The Austrian company FACC fell victim to this scam in 2016 and lost EUR 42 million when an employee transferred money to a fraudulent account after receiving an email they believed to be from the company CEO.
How to prevent phishing attacks
There are various ways an organisation can safeguard against phishing attacks. Educating employees about the risk, ensuring internal processes are robust, and installing the right software will make it harder for fraudsters.
Employees should undergo regular training about the risks of phishing attacks and the methods used by scammers. They should be able to spot potential attacks before any damage is done and know how to protect themselves online.
The IBM Cost of a Data Breach Report 2021 found that “the average cost of a breach was USD 1.76 million less at organizations with a mature zero trust approach, compared to organizations without zero trust”.
- Email security and rules
Web-based email should be avoided as it is easier for an attacker to access. Multifactor authentication and intrusion detection rules will also help. Messages relating to payments and accounts should be sent to the addresses held on file rather than by using the ‘reply’ function, since a reply goes wherever the sender has pointed it.
- Know your suppliers
Unusual behaviour will be easier to spot if you know your suppliers well. Always verify that account or payment changes have come from the real counterparty and not an impersonator.
- Payment approvals and confirmation requests
Limiting the number of people who can access payments will make phishing fraud harder. In addition, dual approval should be used for manual payments. Before making a payment, verify the bank account details and amounts stated in an email against the details held on file, or confirm them by a separate call or email.
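The two controls above (contact the address on file rather than replying, and verify bank details and amounts against file records with dual approval) can be automated in a payment workflow. The following is an added illustration, not code from the article or from Trustpair’s product; the supplier record, the email headers and the `PaymentRequest`/`check_request`/`confirmation_address` names are all constructed for the example, and the dual-approval threshold is an assumed policy value.

```python
"""Payment-request controls: verify against records on file, require dual approval,
and send confirmations to the on-file contact rather than the request's Reply-To."""
from dataclasses import dataclass, field
from email.utils import parseaddr

# Constructed sample supplier master record (hypothetical data for this example).
SUPPLIERS_ON_FILE = {
    "acme-supplies": {
        "contact_email": "accounts@acme-supplies.example",
        "iban": "DE89370400440532013000",
    },
}


@dataclass
class PaymentRequest:
    supplier_id: str
    amount: float
    iban: str                 # bank details as stated in the request email
    from_addr: str            # From: header of the request
    reply_to: str             # Reply-To: header, empty string if absent
    approvers: list = field(default_factory=list)  # user ids who approved


def domain_of(addr: str) -> str:
    """Extract the lower-cased domain from a header value such as 'Name <user@host>'."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def check_request(req: PaymentRequest, dual_approval_above: float = 10_000.0) -> list:
    """Return a list of findings; an empty list means the request passes all checks."""
    findings = []
    record = SUPPLIERS_ON_FILE.get(req.supplier_id)
    if record is None:
        return ["unknown supplier: verify through an independent channel"]

    # 1. Bank details must match the account held on file (payment-change fraud).
    if req.iban.replace(" ", "").upper() != record["iban"]:
        findings.append("IBAN differs from the account on file")

    # 2. Sender domain must match the on-file contact (catches lookalike domains),
    #    and Reply-To must not silently redirect replies to a different domain.
    if domain_of(req.from_addr) != domain_of(record["contact_email"]):
        findings.append("sender domain differs from contact on file")
    if req.reply_to and domain_of(req.reply_to) != domain_of(req.from_addr):
        findings.append("Reply-To redirects replies to a different domain")

    # 3. Manual payments above the threshold need two distinct approvers.
    if req.amount > dual_approval_above and len(set(req.approvers)) < 2:
        findings.append("dual approval required: fewer than two distinct approvers")
    return findings


def confirmation_address(req: PaymentRequest) -> str:
    """Where to send the confirmation call/email: always the contact on file,
    never the From or Reply-To of the incoming request."""
    return SUPPLIERS_ON_FILE[req.supplier_id]["contact_email"]


if __name__ == "__main__":
    # Constructed request with a lookalike sender domain, changed IBAN and one approver.
    suspicious = PaymentRequest(
        supplier_id="acme-supplies", amount=25_000.0,
        iban="GB29 NWBK 6016 1331 9268 19",
        from_addr="Acme Accounts <accounts@acme-suplies.example>",
        reply_to="finance@other-mailbox.example", approvers=["alice"],
    )
    for finding in check_request(suspicious):
        print("BLOCK:", finding)
    print("confirm with:", confirmation_address(suspicious))
```

The request is held until every finding is cleared, and the confirmation goes to the address on file regardless of what the email asks for; that is the point of the ‘forward, don’t reply’ rule.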
The right software will reduce your phishing risk
Trustpair software will take care of many of the above processes for you, saving you time and money and reducing your risk of phishing attacks. Although the solution does not filter your mailbox directly, it allows you to check the bank details of your third party before making any payments. False invoices and rush payments that rely on weakened controls are thus blocked. Trustpair’s Payment Security software runs an automatic check of your payment files, detects suspicious behaviour and makes third-party data more reliable over time.
Please contact us to find out more about how our software can transform your company’s risk of phishing attacks. Request a demo now: let us show you how we help protect your business from cybercriminals.
- Phishing fraud is used to extract useful information or deploy malicious software for financial gain
- Know the scams to watch out for and how to prevent them
- Use Trustpair software as an added layer of security