Online Bait Crime

Although many may be aware of the threat, 30% of phishing messages were recorded as being opened, according to the 'Verizon 2016 Data Breach Investigations Report'. Phishing is the method cybercriminals use to obtain sensitive information by prompting the recipient to act on an apparently credible, yet malicious, email. The sender address is crafted to resemble one belonging to a recognised contact, and the message is personalised to gain the recipient's trust, so that they unwittingly click a link or open a toxic attachment which can grant the attackers access to the organisation's systems. The criminals will then either divert funds from accounts, steal data, or hold it to ransom. Unfortunately, all it takes is for one person to open the wrong email.

DON’T FALL FOR THE BAIT

All it takes is one click of the wrong email so vigilance is key. Always look out for:

  • The sender - Make sure you recognise the sender and that the email address is the correct one, not merely a similar-looking one.
  • Subject - Email subjects should always correspond to the body of the email. Be suspicious where subject lines include spelling mistakes or excessive use of punctuation.
  • Content - Fraudulent emails usually invite the recipient to carry out actions such as re-entering PINs or banking details, visiting a website, etc.
  • Links - Unless you were expecting the email, refrain from clicking on any links: the visible text can easily disguise a different destination and may direct you to malicious websites.
  • Attachments - Check the format of any email attachments and be wary if an attachment is not mentioned within the body of the email. Attachments can contain malware or transmit viruses, so open them only when necessary.
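The five checks above can be applied mechanically to a message before it reaches a person. The following is an added example, not code from the original article or from any vendor it mentions: it parses a constructed sample email with Python's standard `email` library and reports which of the checklist items it fails. The trusted-domain list, the sample message and the risky-extension list are assumptions for the demonstration.

```python
import re
from email import message_from_string, policy
# Constructed sample (not a real message): lookalike sender domain, over-punctuated
# subject, link text hiding a different target, attachment the body never mentions.
SAMPLE = """From: Acme Payroll <payroll@acme-corp-secure.example>
Subject: URGENT!!! Re-enter your PIN now!!!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Please visit <a href="http://acme-login.example/verify">https://acme.example/hr</a> to confirm your PIN.</p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

AAAA
--b1--
"""
TRUSTED_DOMAINS = {"acme.example"}  # assumed: the organisation's own sending domains
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs")  # assumed list of executable types
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(addr_or_url):
    # Domain after '@' in an address or after '://' in a URL ('' if neither).
    m = re.search(r"(?:@|://)([^/:\s>]+)", addr_or_url)
    return m.group(1).lower() if m else ""

def check_email(raw):
    """Run the sender/subject/content/links/attachments checks; return warnings."""
    msg = message_from_string(raw, policy=policy.default)
    warnings = []
    if (sender := domain_of(str(msg["From"] or ""))) not in TRUSTED_DOMAINS:
        warnings.append(f"sender: unrecognised domain {sender}")
    if re.search(r"[!?]{2,}", str(msg["Subject"] or "")):
        warnings.append("subject: excessive punctuation")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if re.search(r"\b(pin|password|bank(ing)? details)\b", text, re.I):
        warnings.append("content: asks for PIN, password or banking details")
    for href, label in LINK_RE.findall(text):  # visible text vs. real target
        if domain_of(label) and domain_of(label) != domain_of(href):
            warnings.append(f"link: text shows {domain_of(label)} but points to {domain_of(href)}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            warnings.append(f"attachment: executable type {name}")
        if name and name not in text:
            warnings.append(f"attachment: {name} not mentioned in the body")
    return warnings
```

Running `check_email(SAMPLE)` flags all five categories for the sample, while a plain internal notice from a trusted domain with no links or attachments produces no warnings.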

GO PHISHING

Providing regular training can minimise the risk, but it only takes the complacency of one person to cause real damage. To prevent mistakes, specialist service providers can test employee reactions by conducting simulated phishing attacks. They create seemingly trustworthy emails which replicate real phishing emails, using harmless 'toxic' links or attachments. The organisation can target specific groups or everyone, with recipients unaware of the tests.

PHISHING LOG

The response to each 'fake' phishing email is recorded, detailing the actions taken by employees: links clicked, attachments opened, etc. Anyone who interacts with the email receives a message informing them that they have been caught out and reminding them to be more vigilant. Most employees are keen to be involved in the security process, and the log allows organisations to identify the individuals who need more support and concentrate training on those who need it most. The failure rate usually begins at around 33% but should fall to approximately 5% after training. Unfortunately, no organisation is ever likely to achieve 0%, as we are dealing with humans who make mistakes. No matter the size of the business, the consequences of a successful phishing attack could be catastrophic. Therefore, finding the weakest points by phishing employees should be considered - but not for long... the real criminals might get in there first!