How phishing attacks are exploiting businesses

August 23, 2022
Cybercriminals exploit genuine sites and services in their phishing schemes, not only to deceive naive victims but also to evade security scanners that would normally block traffic from a malicious site. This form of fraud often succeeds because the perpetrator is able to circumvent standard security measures. Traditional email security systems analyze the linked URL against static Allow and Block lists to assess whether the content is valid. Legitimate businesses are almost always on the Allow list, so phishing emails that abuse their sites and services reach the user’s mailbox.

“Phishing” refers to the attempt to get personal information via deception. For instance, my company receives many emails each day from individuals “claiming” to be workers and requesting that our HR department provide them with the bank account information they have on file to ensure that their paycheck is deposited in the correct account, or providing a new account number and requesting that future checks be sent to the new account.

Other examples include emails informing you that you’ve won the lottery and requesting your banking details in order to deliver the reward, or stating that you will get a large inheritance but that they need to verify your social security number and mother’s maiden name to ensure you are the intended recipient.

The majority of phishing attacks arrive through email, although we have seen similar tactics in phone calls. Phishing derives its name from “fishing”, in which bait is cast in the hope that something will bite. Attackers send out hundreds of emails every day with the expectation that someone will fall for one of them.

Email phishing is a game of numbers. Even if just a tiny number of recipients fall for the ruse, an attacker who sends thousands of fake communications may obtain considerable information and sums of money. As stated in the preceding section, attackers use several methods to boost their success rates. First, they will go to considerable lengths to create phishing communications that seem to originate from a legitimate firm. Using the same language, fonts, logos, and signatures lends legitimacy to the messaging.

To protect your business and workers against phishing attempts of various types:

  • Before clicking on any link in an email, hover over it to see the destination URL.
  • Always examine the email’s content prior to taking action.
  • Encourage workers who doubt the veracity of an email to call the help desk or IT assistance.
  • Scan all hyperlinks in incoming email messages for harmful content at delivery and upon click.
  • Do not rely only on Block or Allow lists, since attackers continue to use legitimate websites and services to circumvent these lists.
  • Utilize AI that analyzes various elements to decide if an email is harmful or not.
  • Implement sophisticated email security that can determine the genuine aim of communication by analyzing its nature.

IT companies caution that they would never send unsolicited emails or make unwanted phone calls to acquire personal or financial information or to service your computer. They recommend that anybody who gets such a message delete the email or hang up the phone. If more assurance is required, people may contact the business directly using the phone numbers included in their contract or other reliable sources.
