From the equipment to the tactics to the risk, and everything in between, fishing from deep waters is approached differently from fishing in shallow waters. A fisher's ability to see into the body of water they are fishing is one of the factors that determines whether they get a good catch.
The majority of the time, these attacks aim to breach information. A breach is more than simply someone accessing a company's database: it damages both a company's reputation and its finances. So, regardless of the size of an organisation, we should be mindful of the measures put in place and how effective they are, starting with awareness.
Phishing is an example that is sometimes underestimated yet produces great damage. As of 2021, according to a Cyber Security Threat Trends report by Cisco, 90% of data breaches came as a result of phishing, with attackers targeting not only large organisations but SMEs (small and medium-sized enterprises) as well.
This is not far from the case of cyber attackers phishing small versus big companies. Less effort is required in shallow waters: the fish are known to follow the fishermen, they stay in one place, and they follow light. Why is this relevant, you ask? In a nutshell, phishers go through people when targeting organisations, so they use social engineering, with the aid of technological methods, to reach those people.
Things to watch out for
1. Confirm that the email address matches the sender's name.
2. The email address should make sense and match what the company does.
3. If it is from an organisation you know, then the branding in the email should align with how it usually looks.
4. Beware of small discrepancies: spelling mistakes, a tone of urgency, incorrect grammar, and the like.
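The first, second and fourth checks above can be automated for a mailbox or a mail gateway. The following is an added example written for this post, not code from the original article: it parses a From: header, compares the display name's claimed organisation with the address domain, flags domains that resemble a known one, and looks for urgency wording in the subject. The known domains, urgency words and sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample: domains of organisations the recipient already deals with.
KNOWN_DOMAINS = {"examplebank.com", "acme-supplies.co"}
# Constructed sample: words that signal a tone of urgency.
URGENCY_WORDS = {"urgent", "immediately", "suspended", "verify now", "act now"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_own_domain(domain: str, known: str) -> bool:
    """True for the known domain itself or a genuine subdomain of it."""
    return domain == known or domain.endswith("." + known)


def check_from_header(from_header: str, subject: str = "") -> list[str]:
    """Return warning strings for a From: header (and optional Subject:); empty means nothing odd."""
    warnings = []
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable sender address"]
    domain = address.rsplit("@", 1)[1].lower()
    squashed_name = display_name.lower().replace(" ", "").replace("-", "")
    for known in sorted(KNOWN_DOMAINS):
        brand = known.split(".")[0].replace("-", "")
        # Check 1: display name claims a known organisation, but the address domain is not theirs.
        if brand in squashed_name and not is_own_domain(domain, known):
            warnings.append(f"display name mentions '{brand}' but address domain is {domain}")
        # Check 2: the domain is a near-copy of a known domain or embeds its brand name.
        if not is_own_domain(domain, known) and (
            edit_distance(domain, known) <= 2 or known.split(".")[0] in domain
        ):
            warnings.append(f"domain {domain} resembles known domain {known}")
    # Check 4: urgency wording in the subject line.
    if any(word in subject.lower() for word in URGENCY_WORDS):
        warnings.append("subject uses urgency language")
    return warnings


if __name__ == "__main__":
    for hdr, subj in [("Example Bank <alerts@examplebank.com>", "Your monthly statement"),
                      ("Example Bank Support <security@examp1ebank.com>", "URGENT: verify now")]:
        print(hdr, "->", check_from_header(hdr, subj) or "no warnings")
```

A clean result does not prove an email is genuine (a compromised legitimate account passes every check here), so treat the output as a prompt for the human checks above, not a replacement for them.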
An attack could look like this: an email is received that resembles a sender or company the target is already affiliated with in one way or another. The victim takes the bait by clicking a link, opening a file, and possibly entering credentials or sending back information that compromises the company.
It has been found that, of the phishing attacks targeting organisations, 20% of employees click on the emails, and 67.5% of those then proceed to enter credentials.
Luckily, the social engineering tactics used can be combated, with the aid of technological solutions:
1. Create awareness of this to members of your organisation, irrespective of size.
2. Be cautious with the information shared via email.
3. Get in the habit of checking the email addresses linked to the emails you receive.
4. Cross check with team members, even seniors, before sharing sensitive information.
5. Build good relationships with the people you work with, so that if something comes out of the blue they feel free to get in touch and check.
6. Avoid using work email addresses when registering on multiple sites.
The bulk of the above has been about the breach of information, yet some of the most damaging results of phishing, especially when it is repeated, are:
1. Reputation damage - clients, customers, investors and affiliates lose trust and confidence in an organisation after a phishing attack.
2. Financial cost - it has been recorded that organisations with even a couple of hundred employees can incur no less than millions of dollars in tracking a breach, fines and costs associated with legal measures, just to name a few.
3. Process delays - daily operations will have to halt in the event of such circumstances. There is no telling when an attack could happen, and therefore no proper planning for how to combat such disruptions.
All this to say, it all starts with awareness. Reminders can be embedded in different activities, during team building, retreats and so forth. The more you know...