Phishing Attacks - What Are They and How Can They Be Prevented?
Phishing attacks are among the greatest security threats to small businesses today.
Accessing the digital world has become risky from a security standpoint. There is little you can do that won’t put your digital life at risk of a data breach or worse. One of the more common types of digital violations is the phishing attack. Phishing preys on the familiar, the known, and our lack of attention to the details of messages from businesses we think we know.
What is a phishing attack?
Phishing is an effective, but often low-tech, form of a cybersecurity attack. Phishing attacks do not require any sophisticated technology to break through your computer or phone’s security. Phishing often comes in the form of a simple email or text. It doesn't require a weakness in your computer security. And it doesn't matter what type of phone or computer you have. Every computing device is vulnerable.
Phishing attacks prey on the familiar, impersonating familiar service providers, online stores, utility companies, banks and any other credit card or financial entities. What the phishing attack is designed to do is to send you a notification that requires your immediate action. It could be from your credit card company saying they’ve identified suspicious activity and you need to log in to your account by clicking a link. The communication will certainly seem authentic. It will usually have the entity logo and the look and feel of any legit communication you have ever received from them. The request will seem reasonable and safe. The reply address is certainly from the company. Or is it?
More sophisticated phishing attacks will seem to be from companies you do business with. The attack will be in a form that looks authentic, down to the legal text that you usually see at the bottom of such notices. It too will seem legit. Even the reply address will seem legit. But it won't be.
Once you click that link you will be taken to a fake or spoofed site that will look exactly like your bank or vendor site. It may ask you to log in by entering your login information including username, password and maybe even a security keyword if that is used by the institution. Frankly, if you have gone this far, you may have already been compromised.
Is a small business a target for a phishing attack?
Yes, small businesses are very much targets for phishing attacks. In fact, according to Expert Insights, phishing attacks are the number one cybersecurity risk for these businesses. And they are on the rise. According to a 2021 Security Intelligence research report, the Anti-Phishing Working Group (APWG) reports that January 2021 marked an unprecedented high in the APWG’s records, with over 245,771 phishing attacks in one month. And a 2020 CNBC Report stated more than half of all small businesses suffered a breach within the last year. And 43 percent of all cyberattacks are aimed at small businesses, but only 14% of SMBs are prepared to defend themselves.
If phishing attacks are becoming so sophisticated, how can I protect my company and employees from these threats?
Following safe internet practices helps you protect your home or business.
1. Network-based security or the human watchdog approach
So, how can a business protect itself from these types of attacks? Unless you have a comprehensive security system, you will have to rely on manual processes. Phishing attacks can be thwarted by educating employees to not click links inside an email or text unless they are certain of the source. It is those links that will compromise you by taking you to malicious sites or landing pages.
If you receive what you believe is a genuine communication from a known institution that requires you to log in to your account, don’t click the link in the communication to go to the site. Instead, go to the site by opening a web browser and typing in the institution’s name directly, or open it from a saved bookmark. This places you in control of where you are going without the chance of being tricked into clicking an embedded link that takes you instead to a malicious or look-alike site.
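The advice above rests on one observation: the link in the message and the site it actually opens are two different things. The following is an added example, not code from the article or from Okyo Garde, of a mail-side check that surfaces that mismatch before anyone clicks. It parses the anchors in an HTML message body and flags three patterns: visible link text that names one domain while the href goes to another, a trusted brand name embedded in an unrelated registrable domain, and a bare IP address as the destination. The trusted domain list, the `.example` hosts and the sample message are constructed for the demonstration.

```python
"""Added example (not the article's or Okyo Garde's code): flag links in an
HTML mail body whose visible text or branding points at a trusted site while
the href leads elsewhere.  TRUSTED and SAMPLE_MAIL are constructed demo data."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the institution this user really banks with.
TRUSTED = {"examplebank.com"}

URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/:?#]\S*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for .com-style names in a demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(href: str, text: str):
    """Return a finding string for a suspicious link, or None if it is consistent."""
    host = host_of(href)
    if IPV4.match(host):
        return f"bare IP address host {host}"
    # 1. The visible text is itself a URL or domain that does not match the target.
    if URL_LIKE.match(text):
        shown = host_of(text if text.lower().startswith("http") else "http://" + text)
        if registrable(shown) != registrable(host):
            return f"display text {shown} but href goes to {host}"
    # 2. A trusted brand appears inside a domain that is not the trusted one
    #    (examplebank.com.evil.example, examplebank-secure.example, ...).
    reg = registrable(host)
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        if reg != trusted and brand in host:
            return f"look-alike of {trusted}: {host}"
    return None


def scan_mail(html: str):
    """Return [(href, finding)] for every suspicious link in the message."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, f) for href, text in parser.links if (f := classify_link(href, text))]


# Constructed sample message: three suspicious links and one genuine one.
SAMPLE_MAIL = """<p>We noticed unusual activity on your account.</p>
<a href="https://examplebank.com.login-verify.example/session">https://www.examplebank.com/login</a>
<a href="http://examplebank-secure.example/reset">Reset your password</a>
<a href="https://examplebank.com/help">Help centre</a>
<a href="http://203.0.113.7/x">Contact us</a>"""

if __name__ == "__main__":
    for href, finding in scan_mail(SAMPLE_MAIL):
        print(f"{finding}\n    {href}")
```

The genuine `examplebank.com/help` link produces no finding, which is the point of the registrable-domain comparison: the check is about where the link goes, not about how it is dressed. A real filter would use a public-suffix list rather than the two-label shortcut and would apply the same test to attachments that carry links.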
2. Using two-factor authentication
Another method that improves security is to use two-factor authentication. This is where you log in using the usual username and password and the system then requires an additional one-time unique code for verification. The code can be texted to your phone, generated by an app on your phone, or generated by a piece of hardware (like a USB key or token). While this approach can seem tiresome or overkill at times, it is a solid way to avoid security breaches. Even if your password has been guessed, stolen, or hacked, logging into your account will still require the additional unique code, something the hacker wouldn’t have. It's definitely worth the extra effort.
3. Education and awareness
Educating employees regarding the threat of phishing attacks is one of the best security actions that you can control. Vigilance will protect you. Also, understanding the frequency of these attacks can help sensitize your employees to be on the lookout. As it relates to phishing, it is better to assume that all communication is a potential threat, and to treat any communication requiring you to log in to a client business or account as a risk. Remember, phishing attacks are on the rise. They are no longer the occasional attack.
Are there different types of phishing attacks?
Phishing attacks vary greatly in approach. The sophistication of these attacks will vary, with some being obvious and easy to spot, while others are more difficult.
Low sophistication attacks will be a simple email or text that lacks any unique data that relates to your business and probably will have grammar mistakes or easy to spot sender identity mistakes. A text message is often the path for these attacks and they usually contain a simple click here for “action” in a one or two line text message from an obscure phone number.
Moderate sophistication attacks will usually come in email. They will have the branding and formatting that will be very believable. And a compelling request that is usually tied to account security or some other message that would normally require immediate attention. The biggest giveaway here is that this type of attack won’t contain personal data about you or your business. It will be very general because it’s usually sent to a wide audience with no change in content, hoping to snare a few victims.
Complex sophistication attacks will certainly have the proper format and messages. But the primary difference will be the data they contain about you or your business. This data will be gained from public records or in some cases through a breach of a vendor’s data. With these attacks it can be very hard to tell whether the communication is valid. The key in all these attacks is to not click on any link or attachment, and not to reply to the email or correspondence directly. Instead, start a manual communication with the vendor by logging directly into their secure site or by contacting your vendor (by another method) to confirm that they actually sent the communication.
Does my flexible (hybrid/remote) work environment increase my security risk of phishing attacks?
Unfortunately, the trend of work from home has exacerbated the threat of phishing attacks on business. In addition to the general increase in phishing, remote workers are often not protected by the policies and tools that are used in the office, because they are either not adhered to or are not available to remote employees. At Palo Alto Networks Unit 42, we did a study on the impact of remote work behavior. In early 2020, just when employees were starting to shift to work from home, phishing attacks spiked when employees were no longer being protected by their corporate firewalls.
Protect your business from phishing with advanced cybersecurity
With phishing attacks continuing to rise globally, it’s now more important than ever that all employees are able to safely and securely browse the web, regardless of whether they are working in the office or from home. An advanced and comprehensive cybersecurity solution — built specifically for use in the home or small business — can help shield remote and/or hybrid employees from cyber threats like phishing by blocking all links and attempts to communicate with the malicious servers and sites behind these attacks.
Cybersecurity protection from Okyo Garde
Thwart the activities of cybercriminals by protecting your home or business network with powerful, advanced, and automated 360-degree cybersecurity. Okyo Garde by Palo Alto Networks can protect your network from cyberattacks, including malware and phishing. Okyo Garde is built on industry-leading threat intelligence technology by Palo Alto Networks that is trusted by 96% of Fortune 100 companies for their enterprise cybersecurity.
Between an educated workforce and a solution like Okyo Garde, you can stay ahead of the phishing attacks and secure your home or small business from outside threats. To learn more about Okyo Garde, visit www.okyo.com.
Editorial note: Our articles provide educational information to help keep you protected. Our products may not secure you against every type of cyberthreat, crime, or fraud. Our goal is to increase awareness and raise attention to cyber safety. If you choose to use Okyo Garde, please review the complete terms during purchase and setup.