In the age of machine learning and artificial intelligence, some people might assume that the biggest security risks stem from technology. However, that’s only partly true. Phishing attacks still lead the pack when it comes to successful breaches, with up to 85% of breaches occurring due to humans falling prey to scammers (verizon.com/about/news/verizon-2021-data-breach-investigations-report). These attacks are mentioned in every annual security report.
While phishing scams wouldn’t be possible without technology, it’s not the technology that allows them to succeed. Scammers know this, which is why they target people with phishing attacks. These attacks once came only via email. However, they can now occur over text messaging too. When the victim clicks a link in the message, they are taken to an imitation of a real site. It might be a large site such as Amazon or Chase bank. If scammers have done their research, they can even infiltrate a company’s private websites with a phishing attack. When the victim attempts to log in, scammers get their information and then use it on the real site.
Phone phishing attacks have also increased, with scammers pretending to be banks, government agencies, and other businesses in hopes of tricking people into giving up personal information such as their Social Security or bank account numbers. However, the lines blur between phishing and other types of scams when criminals threaten unsuspecting victims, too.
In fact, phishing attacks increased in the wake of COVID-19. With so many people working from home, some for the first time, without in-house IT, there were more potential victims than ever before. And scammers took note. They even impersonated organizations and tricked medical professionals into falling for their attacks.
Phishing Scams Have Real Consequences
Phishing attacks are one way that someone could fall prey to identity theft. By providing login or other identifying information on fake pages, many of which are very realistic, victims allow scammers to access their accounts. If victims fail to realize they have been phished, the cybercriminals may have days or even weeks to wreak havoc on someone’s financial reputation and identity. Scammers are free to spend money, open new accounts and make large purchases, all of which could take years for the victim to remedy.
The risk is even greater when people use the same password and email combinations for multiple websites. A scammer only has to successfully replicate a single site. Once they have login credentials, criminals can attempt to log onto other websites. For example, even if scammers only target users of a gaming site, they might strike gold if users are clients of big-name financial institutions and do not use unique passwords. This is why users need to follow password and Internet security protocols at all times.
Phishing’s Impact on Businesses
However, the impact of phishing grows exponentially when users give up credentials that provide hackers access to business data, including clients’ private information or even intellectual property and company secrets. Whether scammers sell data on the dark web/black market or hold systems or data hostage, this represents a lucrative opportunity for them.
Because they only need to trick unsuspecting victims into providing login information, there is no need for hackers to actually program malicious software. The time and effort required to spam potential victims with phishing emails is just a fraction of that required to hack a device. Tools that allow scammers to build phishing websites on the fly further reduce the effort required to scam someone.
Even if most users are aware of phishing scams and follow protocols to the letter, which rarely happens, it only takes a single click for scammers to successfully phish someone. This is precisely why phishing and other social engineering scams are so effective. When it comes to security, people are the weakest element.
To Beat Phishing Scams, Understand Them
Still, there is hope. Education and training are crucial for reducing the risk of human error that leads to a successful phishing attack. Users need to know that phishing attacks are sophisticated enough to appear to come from known or trusted senders. Many people would trust “Internet safety emails” that appear to come from antivirus or other technology companies. More recently, scammers successfully phished victims by posing as Norton and Microsoft, demanding payment for antivirus software.
The COVID-19 pandemic alone offered new opportunities for scammers, who imitated medical institutions such as the World Health Organization. Similarly, other scammers posed as state governments, luring victims into providing identifying information via fake unemployment insurance websites (consumer.ftc.gov/blog/2021/03/scammers-reportedly-using-fake-unemployment-benefits-websites-phishing-lures). These criminals wasted no time taking advantage of people who wanted to remain informed or physically and financially safe during the pandemic.
Additionally, fake emails may appear to come from known senders or be customized for the victim. Most scammers expend less time on their scams, focusing instead on quantity over quality. But those who do target specific high-value targets may take more time to customize their scams.
How Companies Combat Phishing Attacks
Technology isn’t useless in this endeavor, either. For example, advanced spam detection can block phishing emails before potential victims even see the messages. And browsers warn users of potentially unsafe websites. In addition, antivirus and other security software now target attempted phishing scams, but not every program protects against phishing attacks. Both business and personal users should consider this when choosing anti-malware software.
Businesses can also use technology to conduct their own phishing simulations to determine who in their organization might be the most likely to fall victim to these scams. Security consultants and software makers also offer various general phishing tests, some of which are free, if companies have a tight budget. Of course, the more customized the training, the better.
Organizations that are willing and able to expand their security budgets to include phishing education and testing may save a lot of time, money, and stress in the future. But it may not just be a case of saving money. According to one report, 60 percent of small businesses go out of business within six months after a breach (vox.com/sponsored/11196054/why-every-small-business-should-care-about-cyber-attacks-in-5-charts). Companies may think they cannot afford to pay for phishing simulations, but the truth is, they may not be able to afford to go without them.
By the time there’s enough information to write about cybersecurity threats, new threats are already on the horizon. That’s why companies should waste no time in adopting the security software and services necessary to protect themselves and their clients.