The short answer is yes, and your organization probably gets a few phishing emails EVERY DAY! That doesn’t mean you have to be a victim.
First, we should answer the question: what are phishing emails?
Phishing is a form of social engineering in which cyber criminals entice a user into doing something that will allow the criminal into the system or otherwise harm the network or computer. They do this by tricking an employee or other user into opening an attachment or clicking on a link that goes to a fake site.
When a user opens a malicious attachment, it can load malware (a harmful program) onto the device and, from there, spread it across the entire network. The user may not even know that this happened.
The criminal will then be inside the network and able to collect information to steal, launch a ransomware attack (a program that locks down the computer or network until a ransom is paid), create a back door (a secret way to access the computer or network whenever they want) to inflict more harm, or any combination of the above.
If the user clicks on a link sent by a cyber criminal, it takes the user to a fake site that looks legitimate but is intended to have the user enter their account information or login credentials.
Alternatively, the link may take the user to a fake site that loads malware onto their device.
There are different types of phishing emails.
There are a number of types of phishing scams that criminals use to attack people and organizations. As technology changes and users become savvier, criminals become more creative in the ways they attempt to gain access to computers and networks.
Standard phishing is the “casting a wide net” method. It does not target a specific individual but is sent out to many people.
It is usually not well-researched to ensure accuracy, but it depends on the fact that the more people who receive it, the greater the chance someone will open it and click on the link or open the attachment. Cyber security must defend against every single attack all the time, whereas a cyber attacker only needs one attempt to work to be in the system or launch their attack (i.e., only one user to click).
Spear phishing is a more targeted approach: “catch the big one” instead of trying to “catch whatever phish will bite.” A cyber criminal will spend time and effort researching a specific high-value target, such as a particular person or group of people.
When the spear phishing attempt targets a very high-level individual, it is called Whaling. This can be a company CEO or the County Judge Executive. The chances of successfully getting the target to open or click are lower. However, the payoff can be much bigger.
Example of Whaling:
FROM: Andy.Beshear@KYGovernor.com (NOT FROM: Andy.Beshear@KY.gov)
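The whaling example above turns on a lookalike sender domain (KYGovernor.com standing in for the real KY.gov). As an added illustration, not part of the original article, here is a small Python check a mail team could run over From: headers; the trusted domain list and the executive name list are constructed for this example, and the lookalike test is a simple heuristic, not a complete anti-spoofing control.

```python
from email.utils import parseaddr

# Constructed configuration for this example: the domains an organization treats as
# legitimate senders and the executive names most likely to be impersonated in whaling.
TRUSTED_DOMAINS = {"ky.gov"}
EXECUTIVE_NAMES = {"andy beshear"}

def split_from_header(from_header: str) -> tuple[str, str]:
    """Return (display_name, domain) from a From: header, both lowercased.
    Domain is '' when the header carries no usable address."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    return name.strip().lower(), domain.lower().strip(".")

def is_trusted(domain: str) -> bool:
    """Exact match or a subdomain of a trusted domain (mail.ky.gov counts)."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)

def is_lookalike(domain: str) -> bool:
    """Heuristic: a trusted domain with its dots removed appears inside the
    foreign domain with its dots removed ('kygov' inside 'kygovernorcom')."""
    squashed = domain.replace(".", "")
    return any(t.replace(".", "") in squashed for t in TRUSTED_DOMAINS)

def classify_sender(from_header: str) -> str:
    """Classify a From: header as trusted, impersonation, lookalike, external or malformed."""
    name, domain = split_from_header(from_header)
    if not domain:
        return "malformed"
    if is_trusted(domain):
        return "trusted"
    if name in EXECUTIVE_NAMES:
        return "impersonation"  # an executive's name on an address outside the organization
    if is_lookalike(domain):
        return "lookalike"
    return "external"

if __name__ == "__main__":
    # Constructed sample headers, including the article's whaling example.
    for header in ["Andy Beshear <Andy.Beshear@KY.gov>",
                   "Andy Beshear <Andy.Beshear@KYGovernor.com>",
                   "Payroll <payroll@kygovernor.com>",
                   "Vendor <billing@example.net>"]:
        print(f"{classify_sender(header):14} {header}")
```

Anything classified as impersonation or lookalike is a candidate for quarantine or a warning banner rather than delivery to the inbox.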
When a cyber attacker sends phishing messages using SMS text messaging in order to deliver malicious links, it is known as Smishing (SMS + Phishing).
As more people use their smartphones or tablets to work or communicate, cyber attackers follow them there. Additionally, the open rate for an SMS is 98%, while the open rate for an email is only 20%. Therefore, a user is more likely to click the malicious link.
When the criminal uses phone calls to contact a target, it is called Vishing (Voice + Phishing). The victim receives a phone call from someone pretending to be from a legitimate organization (IRS, Sheriff Department, Phone Company) asking for personal information (social security numbers, bank account information, credit card numbers, passwords).
So, how do you prevent becoming a victim of phishing emails?
The greatest weakness in any organization’s cyber security is its employees. However, the greatest asset is also the employees.
The key is to turn this weakness into an asset, a “Human Firewall.”
A Human Firewall comprises an educated, proactive, security-minded staff that can identify potential threats, report suspicious activity, and be part of the cyber security solution. Training is a great first step!
Do you prioritize the safety and security of your organization? Allow Commonwealth Sentinel to be your partner in risk reduction and ensuring the well-being of all. Our comprehensive services range from software and hardware solutions to training and policy implementation. Contact us at (502) 320-9885 to learn more about how we can help you achieve peace of mind.