The theme of Singapore International Cyber Week 2022 centres on the importance of shared responsibility in cybersecurity. Part of that responsibility is recognizing the rising number of successful phishing emails that dupe people into clicking suspicious URLs, downloading malicious attachments, or performing other perilous acts.
This article highlights the threat of phishing attacks and offers some advice for fighting back against threat actors using the idea of shared responsibility.
Phishing: A Brief Primer
Phishing scams prey on psychological manipulation rather than technical exploits to help attackers achieve their nefarious aims. Typically, threat actors send an email or text message purporting to be from a trusted company or individual. The email directs the target to visit a fake website, download an attachment, or reveal certain information by exploiting human emotions, such as trust and fear.
The history of this type of social engineering stretches back to the 1990s, when threat actors sent instant messages and emails to AOL users in an attempt to get login credentials for their accounts. Access to multiple accounts helped them conduct mass spam campaigns.
Until relatively recently, phishing attacks were not too difficult to identify. Grammatical errors were rife in the body of the emails. Attempts to masquerade as a legitimate person or company often appeared sloppy, especially to anyone aware of the threat. Still, a percentage of unprepared or unsuspecting users fell victim to these attacks.
In the last few years, phishing has evolved to become a more targeted, financially motivated, and professional threat. Threat actors perform reconnaissance about potential targets using company websites and social networking platforms to figure out who the employees are, and what positions they hold. Aside from building detailed profiles about targets to help their attacks succeed, modern phishing campaigns use professional, well-crafted emails and spoofed domains that appear exactly like the legitimate websites they’re copying.
One statistic that reflects the proliferation and success of phishing emails worldwide: phishing was the second most costly attack vector in IBM’s Cost of a Data Breach Report 2021. Phishing email scams will continue to rise as we become more digitally connected and increase our reliance on e-commerce, e-banking and e-payment solutions. As the saying goes, it takes two hands to clap. To counter these phishing scams, everyone concerned has to be responsible and play their part by practicing good cybersecurity hygiene.
How to Fight Back Against Phishing
Circling back to the shared responsibility theme that is being promoted by the Singapore authorities following the rise in the number of phishing scams, it’s important to point out how government, businesses, and individuals have a pivotal role to play in combating the threat of phishing. Here’s how:
- At the government level, agencies such as The Cyber Security Agency of Singapore (SingCERT) can run awareness campaigns and events that disseminate important information for staying safe online and recognizing the tell-tale signs of phishing.
- Businesses should incorporate social engineering as a critical element of their cybersecurity training and awareness programs for employees. Simulated phishing attacks should complement traditional learning materials as a way to test employee preparedness.
- Individuals should exercise caution any time they receive unsolicited emails or texts claiming to be from a bank or other financial institution. It’s particularly important to remember that financial institutions will never send SMS messages containing links that ask customers to provide sensitive information such as login details.
- Companies can use domain monitoring tools to protect corporate websites and brand names from being spoofed.
- Another effective tactic for businesses is to educate not only internal employees about phishing, but also their customers. This education can draw on a company’s experience of previous phishing threats and communicate to customers the common ways that malicious actors try to scam them. Clear and thorough communication about phishing risks helps to minimize reputational damage if some customers fall victim.
- Individuals should report unsolicited and suspicious messages to either their employer in the case of an internal phishing attack at a company or to the business that they’re a customer of.
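To make the domain monitoring point concrete, here is an added example (not from the original article or any vendor tool) of the kind of check such a tool performs: comparing newly observed domain names against a brand's own domain and flagging lookalikes. The brand `examplebank.com`, the feed entries and the character-swap table are all constructed for illustration, and the code assumes each entry is a registrable domain whose first label is the name.

```python
import unicodedata

# Small constructed table of common character swaps; real tools use far larger ones.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def skeleton(label):
    """Fold a label to a comparison form: accents stripped, swaps undone, hyphens removed."""
    text = unicodedata.normalize("NFKD", label.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for fake, real in CONFUSABLES.items():
        text = text.replace(fake, real)
    return text.replace("-", "")

def edit_distance(a, b):
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, brand):
    """Return why `candidate` resembles `brand`, or None if it does not."""
    candidate, brand = candidate.lower(), brand.lower()
    if candidate == brand:
        return None                      # the organisation's own domain
    cand_label, brand_label = candidate.split(".")[0], brand.split(".")[0]
    if cand_label == brand_label:
        return "tld-swap"                # same name under a different TLD
    cand, ref = skeleton(cand_label), skeleton(brand_label)
    if cand == ref:
        return "confusable"              # identical once swaps are undone
    if ref in cand:
        return "brand-embedded"          # brand name plus extra words
    if edit_distance(cand, ref) <= 1:
        return "typo"                    # one character added, dropped or changed
    return None

# Constructed feed of newly observed domains (not real data).
FEED = ["examplebank.com", "examp1ebank.com", "exarnplebank.net", "examplebank.co",
        "examplebank-login.com", "examplbank.com", "weatherreport.org"]

def monitor(feed, brand="examplebank.com"):
    """Map each flagged domain in the feed to the reason it was flagged."""
    return {d: reason for d in feed if (reason := classify(d, brand))}

if __name__ == "__main__":
    for domain, reason in monitor(FEED).items():
        print(f"{domain:26} {reason}")
```

Flagged names are candidates for review and takedown requests, not proof of abuse; a threshold of one edit keeps false positives low at the cost of missing more distant variants.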
Don’t Neglect Strengthening your Identity Protection Approach
Technology also has a role to play in fighting back against phishing. Multifactor authentication (MFA), transaction signing, risk-based authentication and mobile application protection are tools that can be deployed to mitigate phishing scams.
i-Sprint’s solution suite includes various modules for tokens that support transaction signing, contextual authentication that determines the risk associated with each login attempt, end-to-end encryption for login credentials and sensitive data along with mobile application shielding to protect against run-time attacks.