Phishing attacks have become commonplace, and studies suggest they're on the rise. Let's discuss the cyber security tips we give at ACP to help stop phishing and keep you and your organization safe.
“Someone said 30 years ago, and my mind went… ‘Ahhh yes, the 1970s!’ But they meant 1993 and now I need a moment.”
– Meme on my wife’s favorite coaster
Speaking of 1993, back then when someone said Phish, chances are they were talking about the jam band. These days there’s a better chance they’re talking about the type of cyber security attack where bad actors send messages pretending to be a trusted person or entity. And bro, that’s neither chill nor phat.
Phishing Among Most Common Cyber Security Threats
Fortinet recently released its 2023 Security Awareness and Training Global Research Brief, which highlights top concerns and actions being taken by leaders around the world, based on survey findings from the annual Fortinet Cyber Security Skills Gap Global Research Report. Hang onto your bass (the fish), because the brief reveals that nearly all of the 1,800+ organizations Fortinet surveyed had experienced at least one cyber security breach in the past 12 months. That's why it's important to understand the best cyber security tips to stop phishing.
“While malware was the most common type of attack used in the past 12 months, phishing might be the most insidious, often housing other kinds of attacks in the guise of friendly emails, text messages, and web links. Other reported types of attacks targeting employees included password attacks, spear phishing, and whale phishing (also known as whaling),” the report details.
With the cost of each successful breach exceeding $1 million for close to half of the responding organizations, and with many of these incidents (81%) originating as phishing attacks, it pays to take a closer look at phishing in a fundamental sense.
Want to learn more about cyber savings? Check out: Five Cyber Insurance Considerations.
Types of Phishing
For starters, the targeted phishing attacks most worth understanding fall into two categories, and, as further evidence that cyber security geeks have either a sense of humor or a love of Herman Melville, they are: spear phishing and whale phishing. (For a recap on last year's cyber trends, here's Cybersecurity Recap: 2022.)
Who Does Phishing Target?
The key difference between spear phishing and whale phishing is their intended target. Spear phishing attacks usually target a specific group of individuals, often with a lower profile or more limited access within an organization. Whale phishing attacks (also called “whaling attacks”) target high-ranking individuals within an organization.
Spear Phishing
With spear phishing attacks, quantity over quality is typically the attackers' game plan. While the targets of spear phishing attacks may not have access to the same mission-critical data that higher profile targets like the CFO, CEO or CHRO have, there are more targets in this category, and they're potentially more accessible.
Successful spear phishing attacks are often the foothold from which the attacker first gathers user credentials, then observes, waits, and harvests information in preparation for a whaling attack.
Whaling
Whaling attacks are more targeted and personalized than spear phishing attacks. The attacker will often take the time to select and research their “whale,” ultimately crafting a message that is specifically tailored and relevant to them. This makes it far more likely that the target will open the message and click on the malicious link or attachment. It’s quality over quantity in this case.
Phishing Examples
For example, in a whaling attack the bad actor's strategy might involve sending an email to the CEO of a company that appears to be from the company's IT department. The email might warn the CEO that their account has been compromised and that they need to click on a link to reset their password. The link's visible text may show a legitimate-looking company address while the underlying link points to a look-alike domain the attacker controls. If the CEO clicks on the link, they will be taken to a fake website that looks like the company's login page.
The attacker can then capture the CEO's login credentials and move within the organization's data environment with the same extensive, privileged access to highly sensitive information, such as financial data, customer information, trade secrets and intellectual property.
This unauthorized, executive-level access may also provide the attacker with the latitude and ability to execute a ransomware attack, thereby encrypting the organization's most important data. In many cases, the ransomware operators will also threaten to publish the organization's files if the ransom payment is not made.
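The checks a trained employee (or a mail filter) would run against the fake password-reset email above, as an added example; this is not code from the original post. The raw message is constructed for illustration, "example.com" is assumed to be the company's real domain, and "examp1e-support.com" is the attacker's assumed look-alike domain:

```python
"""Flag the tell-tale signs of the fake password-reset email in the whaling example.

Added example, not code from the original post. The message below is constructed;
"example.com" (the company's real domain) and "examp1e-support.com" (the attacker's
look-alike domain) are assumptions for illustration only.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"  # assumed: the organization's legitimate domain

# Constructed sample: what the CEO in the whaling scenario might receive.
RAW_EMAIL = """\
From: "IT Department" <it-helpdesk@examp1e-support.com>
To: ceo@example.com
Subject: Urgent: your account has been compromised
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been compromised. Reset your password immediately:</p>
<p><a href="https://examp1e-support.com/reset?u=ceo">https://portal.example.com/reset</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude organizational domain: the last two labels (good enough for .com)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    """Hostname of a URL; bare text such as 'portal.example.com/x' is treated as a URL too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname or ""


def analyze_message(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender: does the From address actually belong to the company?
    if msg["From"] and msg["From"].addresses:
        sender_domain = registered_domain(msg["From"].addresses[0].domain)
        if sender_domain != COMPANY_DOMAIN:
            findings.append(f"sender domain {sender_domain!r} is not {COMPANY_DOMAIN!r}")

    # 2. Links: does the visible URL text match where the link really goes?
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        real = registered_domain(host_of(href))
        shown = registered_domain(host_of(text)) if "." in text else None
        if shown and shown != real:
            findings.append(f"link text shows {shown!r} but points at {real!r}")
        elif real != COMPANY_DOMAIN:
            findings.append(f"link points at external domain {real!r}")

    # 3. Pressure wording in the subject is a classic social-engineering cue.
    subject = (msg["Subject"] or "").lower()
    if any(w in subject for w in ("urgent", "compromised", "immediately", "suspended")):
        findings.append("subject uses urgency/fear wording")

    return findings


if __name__ == "__main__":
    for finding in analyze_message(RAW_EMAIL):
        print("FLAG:", finding)
```

Run as a script, it prints three flags for the constructed message: the sender's domain is not the company's, the link text shows a company address while the href goes to the look-alike domain, and the subject leans on urgency. The domain comparison is deliberately simple (last two labels); a production filter would use the public suffix list and also check the Authentication-Results of SPF, DKIM and DMARC, which this example does not cover.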
Cyber Security Tips to Stop Phishing
In 2023, Fortinet reports that cybersecurity threats are on the rise, making it critical for organizations to be aware of the threat of spear phishing and whale phishing attacks and take the necessary steps to protect themselves. These cybersecurity tips to stop phishing include:
1. Train Employees to Stop Phishing
Train ALL employees to understand, identify, and report suspicious emails so that each employee recognizes their personal role as a critical line of defense in preventing cyberattacks.
2. Use a Spam Filter to Block Suspicious Emails
Use a spam filter so that your employees won't be tempted by convincing phishing scams, because the messages never arrive in their inboxes in the first place.
3. Use a Firewall to Block Malicious Websites
Firewalls, including options from FortiGate and Cisco, can be used to block users from websites that are potentially malicious, thereby adding an additional line of defense.
4. Use Antivirus Software to Scan for Malware
Antivirus software can automatically scan devices for malware, so employees don't have to carry the full responsibility for spotting it themselves.
5. Keep Cyber Security Software Up to Date
Bad actors are continuously refining their nefarious tactics, so cyber security software must be kept as up to date as possible to ensure it's protecting users from phishing and other internet scams. Automatic updates and help from your provider can make this more seamless.
Phishing Protection from ACP
With over 90% of all cyberattacks beginning as phishing attempts, according to the Cybersecurity and Infrastructure Security Agency (CISA), it's incredibly important to understand and address your organization's level of phishing vulnerability. ACP offers access to training programs designed to help your employees identify and report phishing emails, as well as other social engineering threats.
The training programs are highly engaging, providing real-world phishing simulations and reporting tools which help organizations improve their security posture and reduce the risk of phishing attacks.
Best of all, the security awareness training ACP can implement for you is highly effective, offering an 85% average improvement rate in employee phishing awareness and action within the first year, across all industries and organization sizes.
Cyber security awareness training is an investment in your organization’s security, helping to protect your data, your employees, and your bottom line.
Don’t wait. Start your cyber security awareness training with ACP today.
ACP CreativIT has a dedicated department for cyber security. Whether you are looking to start protecting your business, or you have a solid foundation and want to ensure you are protected for the future, ACP CreativIT can help. Contact us to talk to one of our security experts today or visit our cyber security page here.
By Chris Dean
Christopher Dean is the General Manager of ACP’s Eau Claire location. With a background in science education, he has over 25 years of experience in business development, operations and executive management in the technology industry. https://www.linkedin.com/in/crdean/