We Fight Fraud

By the time you finish singing that nursery rhyme, criminals would have sent 983,800 phishing emails. Phishing, to criminals, is easier than singing a nursery rhyme. It’s the number one attack vector they use to target businesses. On average they send 3.4 billion phishing attacks a day worldwide. Phishing is the biggest threat businesses face today. 18% of all phishing emails are opened and the links they contain clicked.

So what is phishing? 

‘Phishing’ is when criminals use emails, text messages or phone calls to undermine your business’s security. The aim is often to make your staff change or reveal passwords giving the criminal access to your systems and data. 

What can happen? 

When criminals get access to your systems and data, they can carry out a ‘ransomware’ attack. This is when they encrypt your data and lock you out of your systems, holding the key for ransom. 

What else can happen?

We traditionally think of phishing as an email problem. However, phishing attacks can take many forms, even using your social media presence. Criminals often pretend to be CEOs, finance directors, or other key members of your business to socially engineer your staff. 

What is the answer? 

The WFF team have created the best phishing testing system on the market. We use this in conjunction with the highest-quality, most impactful training on our Virtual Information Security Academy (VISA) platform to help your staff become your best form of defence against phishing attacks. 

“Phishing scams continue to pose a significant threat for both individuals and businesses. I would urge everyone to be vigilant of unexpected messages or calls that ask for your personal or financial information. Remember, your bank, or any official source, will never ask you to supply personal information via email or text message.”

Detective Chief Superintendent Oliver Shaw, City of London Police

PHISHING IN NUMBERS

Ransomware cost the world $20 billion in 2021.

There were 236.1 million ransomware attacks in 2022.

In 2021, 37% of all businesses and organizations were hit by ransomware.

Out of all ransomware victims, 32% pay the ransom, but they only get 65% of their data back.

Only 57% of businesses are successful in recovering their data using a backup.

TEST RESULTS

We have just shown you our phishing test. Could you tell which was the malicious email? 

If you chose email A, this is the safe email. The domain is the correct one (based on ‘Kepsons’ being a UK-based organisation). Whilst the email did have spelling mistakes, this is fairly common in genuine emails.

If you chose email B, well spotted, you picked the malicious phishing email. Although the email was well written and without spelling mistakes, we used the Cyrillic alphabet to spoof a domain name in order to deliver the email. 
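A Cyrillic look-alike domain of the kind used in email B is invisible to the eye but easy for a mail filter to flag. The following is an added example, not part of the original page or of WFF's tooling: it reports sender domains whose labels mix scripts or use no Latin letters at all. The 'kepsons.example' addresses are constructed samples, and the function names are illustrative.

```python
import unicodedata
from email.utils import parseaddr


def char_script(ch):
    """Rough script of a character, read from its Unicode name (e.g. 'CYRILLIC')."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else None  # digits and hyphens are neutral
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def label_scripts(label):
    """Set of scripts used by the letters in one DNS label."""
    if label.lower().startswith("xn--"):
        # Punycode (IDNA) form: decode to the Unicode the recipient is shown.
        try:
            label = label[4:].encode("ascii").decode("punycode")
        except (UnicodeError, ValueError):
            return {"UNDECODABLE"}
    return {s for s in map(char_script, label) if s}


def check_sender(from_header):
    """Return (domain, findings) for the value of a From: header."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    findings = []
    for label in domain.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append(f"mixed scripts in '{label}': {sorted(scripts)}")
        elif scripts and scripts != {"LATIN"}:
            # Whole-label look-alikes; expected only if you correspond in that script.
            findings.append(f"non-Latin label '{label}': {sorted(scripts)}")
    return domain, findings


if __name__ == "__main__":
    # Constructed samples. \u0435 is CYRILLIC SMALL LETTER IE, which renders like 'e'.
    samples = [
        "Kepsons Accounts <billing@kepsons.example>",
        "Kepsons Accounts <billing@k\u0435psons.example>",
        "billing@xn--" + "k\u0435psons".encode("punycode").decode("ascii") + ".example",
    ]
    for s in samples:
        print(check_sender(s))
```

Findings from a check like this are best used to quarantine or banner a message for review, since legitimate internationalised domains also contain non-Latin labels.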

Contrary to popular belief, you cannot spot a phishing email based on spelling mistakes. That’s one myth busted for you! The only way to defend against phishing attacks is to train your staff using our Virtual Information Security Academy, VISA. Here we show the latest tactics used by criminals in our Netflix-quality drama ‘Crooks’, the story of an organised crime group, alongside a dashboard containing a whole range of tools to help your staff keep your organisation safe.

Find out how you can get your VISA now!


PHISHING SOLUTIONS

Phishing Training

DIFFERENT TYPES OF PHISHING

Business email compromise (BEC) is a class of spear phishing attack that attempts to steal large sums of money or extremely valuable information—e.g. trade secrets, customer data, financial information—from corporations or institutions. BEC attacks can take several different forms. Two of the most common include:
 

CEO fraud: The scammer impersonates a C-level executive’s email account, or hacks into it directly, and sends a message to a lower-level employee instructing them to transfer funds to a fraudulent account, make a purchase from a fraudulent vendor, or send files to an unauthorized party. 

Email account compromise (EAC): Here the scammer gains access to the email account of a lower-level employee—e.g., a manager in finance, sales, R&D—and uses it to send fraudulent invoices to vendors, instruct other employees to make fraudulent payments or deposits, or request access to confidential data.

Voice phishing, or vishing, is phishing via phone call. Thanks to voice over IP (VoIP) technology, scammers can make millions of automated vishing calls per day; they often use caller ID spoofing to make their calls appear as if they’re made from legitimate organizations or local phone numbers.

SMS phishing, or smishing, is phishing using mobile or smartphone text messages. For example, recipients may receive a text message offering a gift as ‘thanks’ for paying a wireless bill, or asking them to update their credit card information in order to continue using a streaming media service. 

Social media phishing employs various capabilities of a social media platform to phish for members’ sensitive information. Scammers use the platforms’ own messaging capabilities—e.g., Facebook Messenger, LinkedIn messaging or InMail, Twitter DMs—in much the same ways they use regular email and text messaging. 

Spear phishing is a phishing attack that targets a specific individual—usually a person who has privileged access to sensitive data or network resources, or special authority that the scammer can exploit for fraudulent or nefarious purposes. A spear phisher studies the target to gather information needed to pose as a person or entity the target truly trusts—a friend, boss, co-worker, colleague, trusted vendor or financial institution—or to pose as the target individual.

Application or in-app messaging. Popular mobile device apps and web-based (software-as-a-service, or SaaS) applications email their users regularly. As a result, these users are ripe for phishing campaigns that spoof emails from app or software vendors. Again playing the numbers game, scammers will typically spoof emails from the most popular apps and web applications—e.g. PayPal, Microsoft Office 365 or Teams—to get the most bang for their phishing buck.