August 19, 2020

Phishing: Not Just One Kind Of Attack

Phishing attacks utilize a wide range of ever-evolving techniques to steal data, from impersonating companies and executives to targeting and duping unsuspecting employees. This useful explainer breaks down commonly deployed schemes and provides solutions so your company won’t easily get scammed.

The Hard Facts: 

  • Phishing scams, and other sophisticated data breaches, are on the rise. 
  • According to a study sponsored by IBM Security, the average total cost of a breach in 2019 was $3.92 million.
  • Phishing scams target entire organizations, including C-suite-level executives.
  • Employee education is necessary but not sufficient; technical controls such as file-level encryption can limit what an attacker gains after a breach. 

Phishing scams are among the most common and effective hacking attacks in the cyber-world. Masquerading as friendly communications, these deceptive intrusions have grown increasingly sophisticated, leading to billions of dollars in financial losses worldwide. 

Throughout the last several years, phishing attacks have spiked, posing a serious threat to companies and their security teams. In February, the global, nonprofit cybersecurity industry association Anti-Phishing Working Group (APWG) released its 2019 4th Quarter “Phishing Activity Trends Report,” revealing that Software-as-a-Service (SaaS) and webmail sites remained the most frequent targets of phishing.

Managing and understanding vulnerabilities and employing concrete strategies to mitigate risks are top-of-mind for cybersecurity professionals trying to outmaneuver their attackers.

As phishing schemes become more sinister, they manifest in different ways, making detection that much harder. However, to stay ahead of the evolving cyber landscape, businesses must frequently re-evaluate their existing security measures, upgrade strategies and tools that have lost effectiveness, and consider new tactics and technologies. 

Building awareness around the different types of phishing scams is paramount to protecting people within organizations from taking the bait. But that is not all: specific tools that minimize the risks are also key. A comprehensive security strategy that includes threat mitigation, advanced security and monitoring, and object-level file encryption is necessary to combat rising threats.    


Phishing Scams & The Implications Of Security Breaches

Phishing attempts come in many forms, from “deceptive phishing,” the most common, to attacks aimed at C-suite executives and “pharming,” a scheme that silently redirects users to fraudulent websites without requiring them to click anything. 

Hackers utilize these duplicitous schemes to penetrate networks and steal volumes of sensitive data. Businesses without safeguards in place may not recognize an intrusion for weeks or months later—driving up the financial consequences of a breach. 

While most attacks are targeted at a company’s entire staff, other techniques, such as “Whaling Fraud,” are geared toward unsuspecting senior-level executives, often resulting in fraudulent financial transactions. 

The most common phishing scams are described in detail in the section “Understanding The Most Common Phishing Schemes” below.

If you’re worried about investing in prevention, consider the cost of inaction. The Ponemon Institute’s “Cost of a Data Breach Report,” sponsored by IBM Security, found that the average total cost of a data breach in 2019 was $3.92 million, with organizations feeling the financial impact for years after the initial attack.  

The analysis, which assessed data breaches across 16 geographies and more than a dozen industries, found that the average time to identify and contain an intrusion was 279 days. Attackers can therefore have access to a network for the better part of a year before the intrusion is detected and shut down. Containment is only the beginning for an affected organization; the financial repercussions persist and can drive a company out of business. 

Small businesses, which often lack the resources of larger institutions, feature heavily among victims: Verizon’s “2019 Data Breach Investigations Report” found that 43 percent of breaches involved small-business victims. Another survey found that only 14 percent of these businesses have processes in place to protect themselves. 

Even at companies that continue operating after a cyberattack, employees do not always walk away unscathed: a 2018 survey by cybersecurity provider Kaspersky Lab found that nearly one-third of breaches led to staff being let go, and that in 32 percent of those cases the people dismissed included C-suite executives. 


Security Awareness Training Is One Part Of Your Defense

All phishing scams rely on human involvement as a necessary element to a successful attack. Hackers recognize that employees may not always be aware of phishing vulnerabilities and the devastating consequences of such attacks. An employee may accidentally click a malicious link or attachment, for example, unaware that they have just put their entire organization at risk. 

Training employees on the different types of phishing emails, and on other social-engineering attacks, is of prime importance. Ongoing training that includes simulated phishing campaigns teaches employees how to recognize and report suspicious emails, which shortens the time a live attack goes unnoticed. It is, however, only one measure of protection in an organization’s overall cybersecurity plan. 

Employee education is an important part of a security strategy, but it is not enough. Understanding even the most basic elements of a potential phishing attack, such as the most commonly clicked email subject lines, will only get you so far. Phishing attempts range from simple to complex, and continue to be an effective way for hackers to gain unauthorized access. These attacks will continue to evolve, and humans will continue to fall victim—therefore it’s vital for companies to adopt a multi-pronged defensive approach.
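The indicators that awareness training teaches, and that the schemes section later on this page lists (generic salutations, suspicious URLs, an executive asking for a wire transfer or W-2 data, a sender domain that merely resembles the real one), can also be checked mechanically before a message reaches an inbox. The following is an added illustration, not code from the original page or from Atakama: a small Python triage routine run over two constructed messages. The organization domain acme-corp.example, the executive name, the homoglyph table and both sample messages are assumptions made for the example.

```python
"""Mechanical checks for the email phishing indicators discussed on this page.
Added example with constructed sample messages; not any product's code."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Set
from urllib.parse import urlparse

# Assumptions for the example: the organization's own domain and the
# executive names most likely to be impersonated in CEO-fraud messages.
TRUSTED_DOMAINS: Set[str] = {"acme-corp.example"}
EXECUTIVE_NAMES: Set[str] = {"jane doe"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
URGENT_FINANCE_RE = re.compile(r"\b(urgent|immediately|wire transfer|w-2|gift cards?)\b", re.I)


def fold_homoglyphs(host: str) -> str:
    """Map common look-alike substitutions back to the letters they imitate."""
    h = host.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        h = h.replace(fake, real)
    return h


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host: str, trusted: Set[str]) -> bool:
    """True if host is not trusted but, after homoglyph folding, sits within one
    edit of a trusted domain (acrne-corp, acme-c0rp, acme-corpp, ...)."""
    if not host or host in trusted:
        return False
    folded = fold_homoglyphs(host)
    return any(folded == t or edit_distance(folded, t) <= 1 for t in trusted)


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(raw_message: str) -> List[str]:
    """Return indicator tags for one RFC 822 message; empty list means clean."""
    msg = message_from_string(raw_message)
    findings: List[str] = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    if is_lookalike(from_dom, TRUSTED_DOMAINS):
        findings.append(f"lookalike_sender_domain:{from_dom}")
    if display.strip().lower() in EXECUTIVE_NAMES and from_dom not in TRUSTED_DOMAINS:
        findings.append(f"executive_name_from_external_domain:{from_dom}")
    # Reply-To pointing somewhere other than the From domain: replies (and
    # payment confirmations) go to the attacker, not the person displayed.
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply_to_domain_differs:{reply_dom}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    # Visible link text that names one host while the href goes to another.
    for href, text in ANCHOR_RE.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        text_host = (urlparse(TAG_RE.sub("", text).strip()).hostname or "").lower()
        if text_host and text_host != href_host:
            findings.append(f"link_text_host_mismatch:{text_host}->{href_host}")
    plain = msg.get("Subject", "") + " " + TAG_RE.sub(" ", body)
    if URGENT_FINANCE_RE.search(plain):
        findings.append("urgent_financial_request")
    return findings


# Constructed sample: a CEO-fraud style message that trips every check.
SAMPLE_PHISH = """\
From: "Jane Doe" <jane.doe@acrne-corp.example>
Reply-To: CEO Office <ceo.office@mail-relay.example>
To: payroll@acme-corp.example
Subject: Urgent wire transfer before close of business
Content-Type: text/html

<p>I need you to process an urgent wire transfer today. Confirm the payment at
<a href="http://acme-corp-login.example/auth">https://acme-corp.example/finance</a>
and send me the W-2 forms for all staff.</p>
"""

# Constructed sample: a routine internal message that should pass clean.
SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@acme-corp.example>
To: payroll@acme-corp.example
Subject: Agenda for Monday
Content-Type: text/plain

Please review the attached agenda before Monday's meeting.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PHISH))   # five indicator tags
    print(triage(SAMPLE_LEGIT))   # []
```

A mail gateway or SOC enrichment job would run triage() on every inbound message and quarantine or tag anything that returns findings. The homoglyph table and urgency keywords are deliberately short here and would be tuned to the organization; none of these checks replaces the human step the page recommends, confirming a payment request with the executive over a second channel.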

With threats increasing in frequency, more sophisticated protection is necessary to prevent the harm posed by these attacks.

File-Level Encryption Is A Game Changer

Attackers have proven relentless in their pursuit to gain access to non-public information. While the aforementioned strategies can help an organization thwart attacks, other state-of-the-art tools are necessary to bolster defenses. This is where multi-factor encryption technology comes in. 

Conventional encryption gates decryption behind user authentication, or encrypts everything in bulk under a single key. Either way, whoever presents a valid credential can decrypt, so a phished password, or a compromised key server, hands the attacker the plaintext along with the login. 

File-level encryption that does not depend on credentials or a central key store removes that single point of failure. A stolen password, by itself, no longer unlocks the files: the attacker who phishes a login gets the login and nothing else. This limits the damage of credential theft rather than preventing the phish, so it belongs alongside the training and monitoring described above, not in place of them. 

Regulations such as the New York State Department of Financial Services cybersecurity regulation require covered companies to encrypt the non-public information they hold, a costly and painful undertaking for those unprepared. Working with a trusted provider of file-level, granular encryption technology is a critical step in safeguarding your data and restoring peace of mind.



Understanding The Most Common Phishing Schemes

1. Deceptive Phishing: The most common form. An adversary impersonates a legitimate company, usually by email, and lures the recipient to a fake website that harvests personal information, login credentials, or other data.

  • Target: Anyone
  • Indicators: Generic salutations, grammar and spelling errors, and suspicious URLs (a link whose visible text does not match its destination, or a domain that merely resembles the real one).

2. Spear Phishing: A customized attack aimed at a specific person or group, built from publicly available information, much of it harvested from social media.

  • Target: Anyone in an organization
  • Indicators: The sender uses personal details gleaned from sites such as Facebook, Twitter, and LinkedIn (employer, education, interests) to establish a common thread and trick the recipient into believing they share a connection.

3. CEO Fraud: Also known as “Whaling Fraud.” The attacker either compromises a senior executive’s legitimate email account or spoofs it, then uses that authority to direct staff to act.

  • Target: CEOs, CFOs and other C-suite executives, whose identities are abused, and the finance and HR staff who receive the requests
  • Indicators: A message that appears to come from an executive authorizing a wire transfer to an account the attacker controls, or requesting W-2 information for all employees “for tax filing.” Urgency and a request to bypass normal approvals are typical. Any such request should be confirmed with the executive over a second channel, such as a call to a known phone number, before money or data moves.

4. Vishing: A phone call replaces the email. The perpetrator typically uses voice over internet protocol (VoIP) service to place the calls and spoof the caller ID, impersonating banks, government agencies, or IT support to extract sensitive data or funds.

  • Target: Anyone with a phone 
  • Indicators: Calls from unknown numbers requesting personal information. Scammers may spoof a local area code or falsely claim to represent a familiar organization. Caller ID is not proof of identity; hang up and call back on a number you already have.

5. Smishing: Phishing carried out over Short Message Service (SMS) text messages. The texts typically use an enticement or a threat to get the recipient to tap a link or call a number.

  • Target: Anyone 
  • Indicators: A text that appears to come from a familiar sender, or is phrased as a question, and asks you to tap a link or install software that turns out to be malware.

6. Pharming: A scheme that silently redirects a user from a legitimate website to a fraudulent copy, where sensitive data is captured. It works by corrupting the Domain Name System (DNS), which normally translates a website name into a numerical IP address: in a DNS cache poisoning attack (also called DNS spoofing), the attacker plants a forged record so that the legitimate name resolves to a server the attacker controls. Unlike the schemes above, pharming does not depend on the victim clicking a bad link; the user types the correct address and is still sent to the wrong place.

  • Target: Customers of banks and other financial institutions
  • Indicators: Difficult for users to detect, because the address bar shows the name they typed. A browser certificate warning on a site that normally has none is the clearest sign, since the fraudulent server should not be able to present a valid certificate for the real domain. Organizations can compare the answers their resolver returns against a known-good resolver.
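To make the pharming mechanism concrete, here is an added example (not from the original page or from Atakama) that models DNS cache poisoning against a toy resolver, together with the resolver-side checks that make it hard: unpredictable transaction IDs, randomized source ports, and the rule that a reply may only update records inside the zone that was asked about (the “bailiwick” rule). Names and addresses are constructed (.example names and RFC 5737 documentation ranges), the bailiwick rule is simplified to “same last two labels,” and nothing touches the network.

```python
"""Toy model of DNS cache poisoning (the mechanism behind pharming) and the
resolver-side checks that blunt it. Constructed example, not network code."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Record = Tuple[str, str]  # (owner name, IPv4 address as a string)

# Constructed names and RFC 5737 documentation addresses.
TARGET = "www.bank.example"
LEGIT_IP = "198.51.100.10"
ATTACKER_IP = "203.0.113.66"

@dataclass(frozen=True)
class Query:
    txid: int       # 16-bit transaction ID
    src_port: int   # UDP source port the answer must come back to
    qname: str

@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int
    qname: str
    records: Tuple[Record, ...]

def zone_of(name: str) -> str:
    """Simplification for the example: the zone is the last two labels."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def in_bailiwick(owner: str, qname: str) -> bool:
    """A reply to a question about qname may only speak for names in its zone."""
    zone = zone_of(qname)
    owner = owner.lower()
    return owner == zone or owner.endswith("." + zone)

@dataclass
class Resolver:
    hardened: bool
    next_txid: int = 0
    cache: Dict[str, str] = field(default_factory=dict)
    pending: Dict[str, Query] = field(default_factory=dict)

    def send_query(self, qname: str) -> Query:
        if self.hardened:
            # Unpredictable ID and source port: roughly 2^32 guesses per forgery.
            q = Query(secrets.randbelow(1 << 16), 1024 + secrets.randbelow(64512), qname)
        else:
            # Legacy behaviour: sequential ID, fixed source port 53.
            q = Query(self.next_txid, 53, qname)
            self.next_txid = (self.next_txid + 1) & 0xFFFF
        self.pending[qname] = q
        return q

    def receive(self, resp: Response) -> bool:
        """Accept or drop a reply; True means it was accepted and cached."""
        q = self.pending.get(resp.qname)
        if q is None or resp.txid != q.txid:
            return False
        if self.hardened:
            if resp.dst_port != q.src_port:
                return False
            records = [r for r in resp.records if in_bailiwick(r[0], q.qname)]
        else:
            records = list(resp.records)  # naive: trusts every record it is sent
        for owner, ip in records:
            self.cache[owner.lower()] = ip
        del self.pending[resp.qname]
        return True

def poisoning_race(resolver: Resolver, guesses: int = 4096) -> Optional[str]:
    """Attacker floods forged replies, guessing the ID and assuming the legacy
    fixed port, before the genuine answer arrives. Returns the cached answer."""
    q = resolver.send_query(TARGET)
    for guess in range(guesses):
        if resolver.receive(Response(guess, 53, TARGET, ((TARGET, ATTACKER_IP),))):
            break
    resolver.receive(Response(q.txid, q.src_port, TARGET, ((TARGET, LEGIT_IP),)))
    return resolver.cache.get(TARGET)

def out_of_bailiwick_attack(resolver: Resolver) -> Optional[str]:
    """Attacker runs the authoritative server for evil.example, so it legitimately
    sees the ID and port for that query, and smuggles in a record for the bank."""
    q = resolver.send_query("login.evil.example")
    resolver.receive(Response(q.txid, q.src_port, q.qname,
                              (("login.evil.example", ATTACKER_IP), (TARGET, ATTACKER_IP))))
    return resolver.cache.get(TARGET)

if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "naive   ",
              poisoning_race(Resolver(hardened)), out_of_bailiwick_attack(Resolver(hardened)))
```

The naive resolver is poisoned by the very first forged packet and also accepts a record for the bank smuggled into a reply about the attacker’s own domain; the hardened one drops both and ends up caching the genuine address. Production resolvers add DNSSEC validation on top of these checks, and on the client side the browser’s certificate validation remains the last line of defense: a poisoned name still cannot yield a valid certificate for the real domain unless a certificate authority has also been compromised.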


Atakama: Your Information Security Solution

Atakama is an information security technology offering strong, file-level encryption. Our threshold cryptography protects files instantly; the software is easy to use, compatible with different systems and devices, and protects files whether they are stored in the cloud or on a network. It eliminates the need for passwords, login credentials, or one-time codes. 

When a file is added to Atakama, it is instantly encrypted using AES-256, the largest key size of the Advanced Encryption Standard (AES). The software then splits the unique key generated for that file into pieces, known as key shards, encrypts them, and distributes the shards to physical devices controlled by the user. The whole key is never stored anywhere, and fewer than the required number of shards reveals nothing about it, so an attacker who steals the encrypted file, or phishes a password, holds nothing that decrypts the data. 
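Atakama’s own shard format, thresholds and device protocol are not described on this page. The following is an added illustration of the underlying idea, Shamir secret sharing over a prime field, written for this article and not Atakama’s code: a 256-bit AES key is split 3-of-5 (an assumed configuration) so that any three shards rebuild it and two reveal nothing usable. It also makes concrete the point made in the encryption section above: the key is never held whole or protected by a single password, so a phished credential on its own yields nothing. The prime, the share count and the threshold are assumptions for the example.

```python
"""Illustrative threshold key splitting (Shamir secret sharing) for a 256-bit
AES key. Added example; not Atakama's code and not its actual shard format."""
import secrets
from typing import List, Tuple

# Mersenne prime, comfortably larger than any 256-bit key, so every key is a
# valid field element and reconstruction never wraps. Assumed for the example.
PRIME = 2**521 - 1
KEY_LEN = 32  # AES-256 key size in bytes

Share = Tuple[int, int]  # (x, f(x)) evaluated over GF(PRIME)


def split_key(key: bytes, threshold: int, shares: int) -> List[Share]:
    """Split key into `shares` shards; any `threshold` of them rebuild it.
    The key is the constant term of a random polynomial of degree threshold-1;
    each shard is one point on that polynomial."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    if len(key) != KEY_LEN:
        raise ValueError("expected a 32-byte AES-256 key")
    coeffs = [int.from_bytes(key, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    out: List[Share] = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        out.append((x, y))
    return out


def recover_int(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0. With fewer than `threshold` shares this
    still returns a number, but a uniformly random one, not the key."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_key(shares: List[Share]) -> bytes:
    """Rebuild the key bytes; refuse values that cannot be a 256-bit key."""
    value = recover_int(shares)
    if value.bit_length() > KEY_LEN * 8:
        # The near-certain outcome when too few (or forged) shards are combined.
        raise ValueError("combined shards do not yield a valid key")
    return value.to_bytes(KEY_LEN, "big")


def demo(threshold: int = 3, devices: int = 5) -> bool:
    """3-of-5 split (assumed numbers): any three devices recover the key,
    two devices get nothing that passes as a key."""
    key = secrets.token_bytes(KEY_LEN)
    shards = split_key(key, threshold, devices)
    from_three = recover_key([shards[0], shards[2], shards[4]]) == key
    try:
        recover_key(shards[:threshold - 1])
        too_few_rejected = False
    except ValueError:
        too_few_rejected = True
    return from_three and too_few_rejected


if __name__ == "__main__":
    print("3-of-5 threshold behaves as expected:", demo())
```

In a deployment each shard would live on a different device and the reconstruction (or, better, a threshold decryption that never reassembles the key in one place) would happen only when the user approves a request on those devices; the arithmetic above is the part that guarantees an attacker holding the ciphertext plus fewer than three shards has no shortcut.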

To learn more about our unique encryption software and how it can be used to protect your data, contact us today.
