Cybercrime is an industry worth US$600 million each year, with projections of US$6 trillion for 2021 according to The Cybersecurity Hub. Phishing is one of the most common forms of this type of crime: a seemingly innocuous threat that is the first step in 91% of cyberattacks, according to data from Digital Guardian.
Phishing is a social engineering method that uses deception, usually delivered through technology such as e-mail, to extract information or to gain access to devices, networks or services. It frequently imitates elements that inspire trust or authority, lending credibility to the lure that hooks the victim.
According to Stanford University, criminals who use phishing are usually after passwords, financial information, identities or money. The same source estimates that these messages have a 10% chance of success, because people are readily misled by a sense of urgency, the desire to please, greed, curiosity, fear or complacency.
This is not a new threat: the technique was first described in 1987, and the first known attacks on financial services date back to 2001. Institutions and individuals alike need to recognise this reality and treat it as a risk, because the exposure is not only financial but also reputational and even legal.
Individuals typically fall victim to phishing through phone calls, or by clicking deceptive links that lead to cloned websites, pages with falsified information, or redirects from a legitimate site to a fraudulent one. Such schemes contributed to the US$1.48 billion in fraud losses reported to the US Federal Trade Commission (FTC) in 2018, a 38% increase over the previous year.
Institutions, and some individuals, are additionally exposed to spear phishing, a variant that targets a specific person or company, pretends to come from an official source and includes specific details to raise its chance of success. TechRepublic reports that one of the most common forms is "CEO fraud", in which information or wire transfers are requested in messages that imitate legitimate ones from the organization's CEO. McAfee Labs data indicate that staff are twice as likely to be targeted as management, and also twice as likely to be deceived.
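As an added example (not part of the original article), the Python script below applies two cheap triage checks to a message that combines the patterns described above: a link whose visible text names one site while its href points at another, and a display name claiming executive authority on an external sender address. The sample e-mail, every domain in it, and the trusted-domain list are constructed for the demonstration; the registrable-domain helper is a deliberate simplification.

```python
"""Heuristic triage of an e-mail for two phishing patterns: deceptive links
(visible text says one site, href goes to another) and display-name spoofing
of the kind used in CEO fraud. Added example, not code from the original page;
the sample message and trusted-domain list are constructed (all domains hypothetical)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (hypothetical sender and link domains).
SAMPLE_EMAIL = """From: "Jane Doe (CEO)" <jane.doe@example-corp-mail.test>
To: accounts@example.com
Subject: Urgent wire transfer
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please process this today, I am in a meeting and cannot take calls.</p>
<p>Confirm the account here: <a href="http://paymentportal.example.net/login">https://bank.example.com/login</a></p>
<p>See also the <a href="https://example.com/policies">company policies</a>.</p>
</body></html>
"""

# Assumed: the organisation's own mail domain(s).
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVE_TITLES = ("ceo", "cfo", "chief")
# Anchor text that looks like a URL or bare hostname.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain approximation: the last two DNS labels.
    Sufficient for the demo; real code would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url):
    """Hostname of a URL or bare hostname, lower-cased ('' if none)."""
    if not re.match(r"https?://", url, re.I):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyze(raw_message):
    """Return a list of (code, detail) findings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]
    if registrable(sender.domain) not in TRUSTED_DOMAINS:
        findings.append(("external_sender", sender.addr_spec))
        # Executive title in the display name but mail comes from outside: CEO-fraud pattern.
        if any(t in sender.display_name.lower() for t in EXECUTIVE_TITLES):
            findings.append(("executive_name_external", sender.display_name))

    body = msg.get_body(preferencelist=("html", "plain"))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body else "")

    for href, text in extractor.links:
        target = host_of(href)
        if not target:
            continue
        if any(label.startswith("xn--") for label in target.split(".")):
            findings.append(("punycode_host", target))  # IDN lookalike candidate
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            findings.append(("raw_ip_host", target))
        # Visible text names a different site than the one the link actually opens.
        if URL_LIKE.fullmatch(text) and registrable(host_of(text)) != registrable(target):
            findings.append(("link_mismatch",
                             f"text says {host_of(text)}, href goes to {target}"))
    return findings


if __name__ == "__main__":
    for code, detail in analyze(SAMPLE_EMAIL):
        print(f"{code}: {detail}")
```

The second link in the sample ("company policies" pointing at the trusted domain) produces no finding, which is the point of comparing registrable domains rather than flagging every external link: the checks surface the mismatch and the spoofed authority, not ordinary references.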
Institutions and individuals alike must build awareness of this risk to reduce its chance of success. Some recommendations for institutions are:
Engage and involve leadership.
Begin employee security awareness from onboarding.
Draft a formal training plan.
Train staff with realistic scenarios.
Highlight the importance of security in work and personal spaces.
Evaluate results periodically.
Share results and relevant information.
Train continuously, based on current threat information.