In a global survey conducted in 2022 among working adults and IT professionals, findings disclosed that a staggering 85% of organisations encountered bulk phishing attacks as the most common cyber incidents. Following closely, spear phishing emerged as the second most prevalent, with three in four respondents reporting encounters with such incidents within the same year.
Keep reading to find out all about phishing and how cloud security assessments like a tabletop exercise can help.
What Is Phishing?
Phishing is the technique where a malicious actor lures a victim into revealing sensitive information. This can be through large “spray-and-pray” type campaigns involving multiple recipients or, a more targeted approach crafting attacks for specific individuals, known as Spear Phishing. Phishing has been around since the early days of the Internet as one of the oldest vectors of attack.
Some key facts about phishing:
- 15 billion spam/junk emails are sent every single day
- 214,345 phishing websites were recognised in 2021, which is 2x more than 2020.
- In organisations, around 30% of all phishing emails were opened
Security awareness is a crucial way to address this issue. This is nothing new, but we’re still not doing enough to help educate our colleagues, families, and friends. An organisation could confidently say they have met peak maturity when every employee is performing the duties of a security guard to identify when something isn’t right and report it. Achieving this is a journey that requires constant training and awareness.
Guarding Against Phishing: Effective Tips to Stay Secure
Equip yourself and your team with these crucial tips, often integrated into comprehensive tabletop exercises, to fortify your defences:
1. Never click on something you’re unsure of or not expecting
Phishing attacks often rely on the element of surprise or deception to trick individuals into clicking on malicious links. These links could lead to fraudulent websites, initiate downloads of malware, or prompt the disclosure of sensitive information. To safeguard yourself from falling victim to these deceptive tactics, it’s essential to adopt a cautious and discerning approach in your online activities.
Before clicking on any link, verify the source of the message or email. If the communication seems unexpected or comes from an unfamiliar sender, exercise caution. Contact the supposed sender through a separate, trusted channel to confirm the legitimacy of the message.
2. Never submit credentials by following a link — always go directly to the site
Phishing attacks frequently involve fraudulent emails or messages enticing recipients to click on links that lead to fake login pages. These pages are cunningly designed to mimic legitimate sites, aiming to capture login credentials. Bypassing these deceptive links ensures you don’t inadvertently fall victim to such schemes.
Going directly to the site, whether by typing the URL or using a bookmark, allows you to verify the authenticity of the web page. Legitimate websites use secure connections (HTTPS) and display familiar indicators such as padlock icons in the address bar.
3. If you have mistakenly submitted credentials or clicked on something that isn’t right, reset your password and report it
The moment you realise that you’ve shared your credentials or engaged with a questionable link, initiate a password reset for the affected account without delay. This rapid response significantly minimises the window of vulnerability and prevents unauthorised access.
If you’ve been reusing passwords across multiple accounts, seize this opportunity to enhance your overall security posture. Reset the compromised password not only for the affected account but also for any other accounts where you’ve used the same or similar credentials.
4. Use MFA — there’s no excuse to not use it in this day and age
In an age where cyber criminals constantly refine their tactics, relying solely on passwords is akin to leaving your front door ajar. MFA mitigates the risks associated with password compromise, ensuring that even if credentials are exposed, an extra layer of verification thwarts unauthorised entry.
For organizations dealing with sensitive data or confidential information, the use of MFA is non-negotiable. It adds an extra dimension of protection to critical systems, databases, and communication channels, reducing the likelihood of data breaches.
5. If you’re unsure or ever in doubt, send it to your cybersecurity team
When in doubt, consider your cybersecurity team as your steadfast allies as they are trained to swiftly assess and analyse potential threats. They can educate you on current threats, phishing techniques, and best practices for maintaining digital hygiene.
Learn more: Cyber Hygiene: Covering All Bases
They can also guide you on the necessary steps to take, ensuring a coordinated and efficient response in the event of a confirmed threat.
6. Schedule a tabletop exercise
A tabletop exercise focused on phishing provides a realistic simulation of diverse scenarios, from deceptive emails to cunning social engineering attempts.
As employees are the first line of defence against phishing attacks, a tabletop exercise evaluates and strengthens their ability to identify and respond to phishing attempts. By simulating realistic scenarios, organisations can gauge the effectiveness of their awareness training programmes and empower employees to be more vigilant in recognising and reporting phishing threats.
At Privasec, we conduct cloud security assessments and tabletop exercises including phishing simulations to help assess your current exposure level and provide security awareness training for your employees. We can even conduct complete red team engagements to identify vulnerabilities so you can remediate and work towards securing your assets.
Get in touch with us to prepare your team for phishing attacks.
Related Posts:
