Clever cybercriminals take advantage of busy employees to steal credentials, money, and data
It only takes a matter of minutes for cybercriminals to bait, hook, and catch a phishing victim among your employees and then leverage that success into a broader cyberattack on your business. The story goes like this:
According to the Anti-Phishing Working Group (APWG), roughly 200,000 new phishing sites crop up each month, with campaigns impersonating more than 500 different brands and entities per month. The group’s Phishing Activity Trends Report reveals that the number of phishing attacks doubled throughout 2020. Attacks peaked in October 2020, with a record 225,304 new phishing sites appearing in that month alone.
According to consulting firm Deloitte, 91% of all cyberattacks begin with a phishing email to an unsuspecting victim. Phishing campaigns impersonate email and file-sharing service providers, pretend to be vendors or job seekers, pose as financial institutions, and much more to gain login credentials, steal money and data, and hold businesses and their systems and data hostage.
We all know to never click on links or open attachments in sketchy emails. Yet, phishing remains a lucrative attack vector for bad actors.
That’s because attackers have become more adept at impersonation and at taking advantage of our busy work lives. As humans, we’re vulnerable to momentary lapses in judgment because we’re juggling group chats, videoconferences, emails, and other interruptions that pull our focus away from normal work tasks. A phishing email that seems to fit within a busy workflow might just slip through in a moment of multitasking.
Once a phishing victim has taken the bait, then the malicious actor can do several things:
When a successful phishing campaign turns into a successful cyberattack, the impact on the business can be devastating. A recent survey reports that data loss is the most frequent result of a successful phishing attack, cited by 60% of respondents. Compromised accounts or credentials were the second biggest impact, mentioned by 52%, with ransomware infections close behind at 47%.
To protect your business against damage from a successful phishing attack, it’s best to take a multi-pronged approach. First, provide employees with anti-phishing training and information on a regular basis to help them recognize phishing campaigns and avoid becoming victims.
Second, assume that mistakes will still happen and someone within the company will accidentally click on a malicious link, open a malicious attachment, or provide login credentials to a fake website. To help limit the damage from a successful phishing attempt, make sure your anti-spam and antivirus software is up to date on employee devices.
Third, secure traffic on your network to further mitigate phishing risk. Avast Secure Web Gateway (SWG) blocks phishing attempts by analyzing and blocking bad sites, as well as blocking malicious downloads and known malicious URLs from entering the network.
To learn how to avoid becoming the victim of a phishing campaign, be sure to check out our latest infographic.