Phishing Works - Here's Why It Works and Why You Should Care

03/06/2021

Your business runs on communication. Without digital communications, your processes grind to a halt, and your profits dry up.

But what if your communications – the very lifeblood of your company – could be turned into a weapon against you?

That’s phishing.

The word “phishing” was introduced around 1996 by hackers using email communications as a lure to hook unsuspecting AOL users into giving up their account credentials (usernames and passwords).

Today, phishing is still primarily an email-based attack method delivering malware and ransomware. But in recent years, cybercriminal syndicates and lone-wolf hackers have expanded the email phishing ploy into all forms of digital communications, including fraudulent websites, social media direct messaging (DM), and text messaging.

Criminals using a phishing tactic generally send out thousands of fraudulent messages at a time, casting a wide net. Their goal is to get unsuspecting recipients (you and your employees) to open the message and hand over confidential data (credit card details, banking information, usernames, passwords, passport numbers, etc.).

Why Do Cybercriminals Still Use Phishing?

Because it works!

A Proofpoint 2021 study determined that 75% of businesses worldwide were targeted by a phishing attack in 2020.

Verizon’s 2020 Data Breach Investigations Report noted that 22% of all successful data breaches in 2020 were related to phishing.

And…it’s a target-rich environment.

According to a study done by Cybersecurity Ventures and Thycotic, there are now more than 300 billion passwords in use worldwide.

Yes, billion with a “B”.

With the world population currently hovering around 7.8 billion, that’s an average of more than 38 passwords per person on earth. This figure doesn’t even account for bank account numbers, social security numbers, passport numbers, etc.

Why Does Phishing Work?

Phishing is effective as an attack method because it plays on human nature.

  • People are naturally curious.
  • People are naturally trusting of well-known companies and brands.
  • People want to please.
  • People want to do their work in the simplest and quickest way possible.
  • People overall are generally trusting.

That’s why phishing works.

Let’s examine how each of these very human tendencies can trap you or your employees in a phishing attack.

People are naturally curious.

Employees’ curiosity knows no bounds – especially when they are bored with their work. It’s easy for them to browse the internet, clicking on things that may interest them, even stumbling on a phishing site (a fake website used for gathering your data or getting you to download malware) along the way.

The other side of the “people are curious” angle comes in the form of email attachments. After all, who hasn’t opened an email with a title that says something like, “You gotta see this…”

Much of the browsing risk can be mitigated by a cybersecurity team like PTG through internet traffic filtering at the firewall, while email security measures (such as spam filtering) help keep phishing emails out of your inboxes.

People are naturally trusting of well-known companies and brands.

Spoofed emails and websites imitating well-known companies and trusted brands are a common phishing ploy. Often, the URL of the phishing website is just one letter off the brand name: “Goigle.com” instead of “Google.com”, for instance.

The websites and emails intended to look like they are from a trusted corporation or brand look legit.

[Image: example of a W-2 phishing email]

So how do you spot them?

Here are some pointers.

  1. Check out the URL - Hover your mouse over the link to see whether it points to the correct URL. Or go directly to the company’s homepage by typing in the URL yourself.
  2. Look for misspelled words or bad grammar - Although this is less common now that phishing has become more sophisticated, carefully review the language for any signs that the message may not be from the brand you trust.
  3. Check the sender name against the email address – "Display Name" attacks are often used to trick you into believing a message is legitimate. The name of the sender may be someone you trust, but check the email address and make sure it matches.
  4. Look for non-personalization - Phishing emails are often impersonal, meaning they may not address you by name.
  5. Look for "urgent" language - Phishing emails often contain language implying that you need to take urgent action, such as entering your password to keep your emails from being blocked.
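The five pointers above, together with the one-letter-off domain trick described in the previous section, can be turned into a mechanical pre-screen that a mail gateway or help desk runs before a human looks at the message. The following is an added example, not code from the original post or from PTG: a Python script using only the standard library that parses a raw email and reports which of the pointers it trips. The trusted-domain allowlist, the urgency phrase list, the finding codes and the two sample messages are assumptions constructed for the demonstration.

```python
# Added example (not code from the original post): stdlib-only heuristics for the five
# pointers. TRUSTED_DOMAINS, URGENCY_TERMS, finding codes and samples are assumptions.
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("google.com", "microsoft.com", "example-bank.com")  # assumed allowlist
URGENCY_TERMS = ("urgent", "immediately", "action required", "within 24 hours",
                 "account will be blocked", "verify your password")        # assumed list
GENERIC_GREETING = re.compile(r"\b(?:dear|hello|hi)\s+(?:valued\s+)?(?:customer|user|member|client)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so the shown URL can be compared with the real target."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Last two labels only: a simplification that ignores public suffixes such as co.uk.
    return ".".join((host or "").lower().split(".")[-2:])

def lookalike_of(domain):
    """Trusted domain that `domain` closely resembles (goigle.com vs google.com), else None."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    close = difflib.get_close_matches(domain, TRUSTED_DOMAINS, n=1, cutoff=0.8)
    return close[0] if close else None

def analyze(raw_message):
    """Return (code, detail) findings for one raw RFC 5322 message; an empty list means no hits."""
    msg, findings = message_from_string(raw_message), []
    # Pointer 3: the display name claims a brand that the actual address does not belong to.
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.rpartition("@")[2])
    for brand in TRUSTED_DOMAINS:
        if brand.split(".")[0] in display_name.lower() and sender_domain != brand:
            findings.append(("display-name-mismatch", f"'{display_name}' sent from {addr}"))
    hit = lookalike_of(sender_domain)
    if hit:
        findings.append(("lookalike-sender", f"{sender_domain} resembles {hit}"))
    # Decode every text/plain or text/html part for the body checks.
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    # Pointer 1 (the "hover over the link" check): the URL shown vs. the href it really goes to.
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_domain = registrable_domain(urlparse(href).hostname)
        if LOOKS_LIKE_URL.fullmatch(text):
            shown = text if "://" in text else "http://" + text
            if registrable_domain(urlparse(shown).hostname) != href_domain:
                findings.append(("link-target-mismatch", f"shows {text} but goes to {href}"))
        hit = lookalike_of(href_domain)
        if hit:
            findings.append(("lookalike-link", f"{href} resembles {hit}"))
    # Pointers 4 and 5 on the visible text (tags stripped) plus the subject line.
    text = msg.get("Subject", "") + "\n" + re.sub(r"<[^>]+>", " ", body)
    if GENERIC_GREETING.search(text):
        findings.append(("generic-greeting", "not addressed to a named person"))
    urgent = [term for term in URGENCY_TERMS if term in text.lower()]
    if urgent:
        findings.append(("urgent-language", ", ".join(urgent)))
    return findings

# Constructed sample messages (not real mail): one lookalike phish and one legitimate note.
SAMPLE_PHISH = """\
From: "Google Accounts" <security@goigle.com>
Subject: Action required
Content-Type: text/html; charset=utf-8

<html><body><p>Dear valued customer,</p>
<p>Your account will be blocked unless you verify your password within 24 hours.</p>
<p><a href="http://accounts.goigle.com/login">https://accounts.google.com/signin</a></p>
</body></html>
"""
SAMPLE_LEGIT = """\
From: "Priya Nair" <priya.nair@example-bank.com>
Subject: Q3 statement
Content-Type: text/plain; charset=utf-8

Hi Alex, your Q3 statement is ready at https://portal.example-bank.com/statements - no action needed.
"""
```

Calling `analyze(SAMPLE_PHISH)` returns six findings (one per pointer plus the lookalike domain on both the sender and the link), while `analyze(SAMPLE_LEGIT)` returns an empty list. Treat the output as a triage hint rather than a verdict: the domain comparison deliberately stops at two labels, the phrase list is small, and a well-crafted message can avoid every one of these tells, which is why the training the post goes on to describe still matters.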

People want to please.

Often, phishing emails are sent out under the name of a company superior or a corporation that millions of people do business with every day. The cybercriminals depend on the fact that you naturally trust the person/company that the email is supposedly from and that you want to comply with the request made in the email.

Phishing emails can be as simple as an email that looks like it’s from your boss, asking for your network login credentials because, “I lost mine.”

Sure, you want to help…but you’re actually helping a criminal gain access to your confidential customer data and proprietary information.

People want to do their work in the simplest and quickest way possible.

The saying is, “Work smarter not harder.”

The problem with that saying is that many times we choose the shortcut…and the shortcut ends up putting us in the wrong place.

For example:

An employee runs into a workflow issue that they believe could be solved with a simple app – if they can find one. So, they search the web looking for “app that will do ____________.” It doesn’t take long for them to find five to ten “free” apps (on websites of varying credibility) claiming to do exactly what they want to do.

There are two problems with this approach.

  1. They haven’t talked over the problem – and potential solutions – with their IT support team. Running things by your IT consultant can often save you a ton of misery, downtime, and expense.
  2. There’s a reason the apps they are thinking about downloading onto their computer (with access to the company network) are “free.” Supposedly free software often has either built-in adware or malware. Adware slows you down and is distracting. Malware – and its more insidious cousin, ransomware – do severe damage to your data and company reputation.

Phishing – What to Do?

While the PTG team can install multiple layers of cybersecurity around your IT systems and mission-critical data, a simple keystroke from an employee can still put you at risk.

Your employees have to become cybersecure aware and begin to see themselves as your front line of defense against phishing attempts.

To help them understand phishing and other cybersecurity tactics that leverage human nature against us, PTG provides group training, online courses, and testing. Cybersecurity training is a critical weapon in your defense against phishing and the resulting malware and ransomware system infections.

Want to know more about the PTG anti-phishing cybersecurity training? Give us a call or send an email.
