“Phishing” remains one of the most frequent methods of cyberattack. It is one of the main cybersecurity challenges for companies, as the techniques used to steal personal information or corporate funds have been refined over time.
In order to properly protect your organisation, it is necessary to go beyond the popular image of the phishing email: a poorly written message making grotesque promises. Attackers have been improving their media and techniques, which makes their phishing attempts increasingly difficult to spot. It is important to know these techniques in order to train your employees and limit the risks.
The word “phishing” is a portmanteau of “fishing” and “phreak”, which is itself a portmanteau of “phone” and “freak” and historically designated people who devised phone-calling tricks to avoid paying charges during the twentieth century.
The National Cyber Security Centre defines phishing as follows: “Phishing is when attackers attempt to trick users into doing 'the wrong thing', such as clicking a bad link that will download malware, or direct them to a dodgy website. [...] it could be the first step in a targeted attack against your company, where the aim could be something much more specific, like the theft of sensitive data.”
The three components that qualify a cyberattack as “phishing” are:
Protecting yourself well from cyber attacks first of all means knowing how to recognise them. A phishing attempt can take various forms: you could receive a call from your bank, a message on social networks, a text message, or an email.
Those messages might seem to come from a recently visited ecommerce site, your phone company, public service, or your energy company. In any case, the hacker is using the logos you already know to gain your trust.
Usually, phishing scams are based on two main types of content:
There are also other trends in phishing emails:
Fortunately, a phishing attempt can be identified through a few criteria which recur in this kind of email:
1 / The offer seems too tempting, or the demand too urgent. Public services always leave their users several opportunities to regularise their procedures; there is no need to pay urgently.
2 / The subject of the email is rather vague, or is the same as the username part of your email address. Also, on some occasions, the message is not addressed to the recipient by name.
3 / Spelling, grammar or syntax errors.
4 / Shortened or misspelled links that spoof legitimate websites. Hover the mouse over links to check their real destination, without ever clicking on them.
5 / Attachments you were not expecting.
6 / Any request concerning the confirmation or communication of your personal data and sensitive information.
7 / A request issued by a company that is not one of your suppliers, or which you have no specific interaction with.
8 / An unusual website address (domain name): always check the address of the organisation that is supposed to be contacting you.
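Criteria 4 and 8 (links whose visible text does not match their destination, shortened links, and lookalike domain names) can be checked mechanically before anyone hovers over anything. The following Python script is an added example written for this article, not code from the original page; the shortener list, the trusted-domain list and the sample email body are constructed assumptions for illustration, and the registrable-domain helper is a deliberate approximation that does not consult a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts of popular URL shorteners (assumption: short illustrative list, not exhaustive).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Domains this organisation legitimately receives mail from (constructed sample list).
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}


class _AnchorExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current_href = None
        self._current_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current_href = dict(attrs).get("href", "")
            self._current_text = []

    def handle_data(self, data):
        if self._current_href is not None:
            self._current_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href is not None:
            self.links.append((self._current_href, "".join(self._current_text).strip()))
            self._current_href = None


def registrable_domain(host):
    """Crude last-two-labels approximation of the registrable domain (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance, used to spot domains one or two characters away from a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return a list of suspicious links, each with the reasons it was flagged."""
    parser = _AnchorExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        target = registrable_domain(host)
        reasons = []
        if host in SHORTENER_HOSTS:
            reasons.append("shortened link hides the real destination")
        # Visible text that looks like a URL but points somewhere else (criterion 4)
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if m and registrable_domain(m.group(1)) != target:
            reasons.append(f"visible text says {m.group(1)} but link goes to {host}")
        # Lookalike domain: close to, but not equal to, a trusted domain (criterion 8)
        if target not in trusted:
            for good in trusted:
                if 0 < levenshtein(target, good) <= 2:
                    reasons.append(f"{target} looks like {good}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample phishing body: a lookalike domain (digit 1 for letter l) and a shortener.
SAMPLE_MAIL = """
<p>Your account has been suspended. Confirm your details within 24 hours:</p>
<a href="http://examp1e-bank.com/login">https://example-bank.com/login</a>
<p>Or use this quick link: <a href="https://bit.ly/3abcXYZ">Restore access</a></p>
<p>Questions? <a href="https://example-bank.com/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_MAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The genuine help-centre link is not reported, while the first link is flagged twice (its visible text claims one domain but the href goes to another, and that other domain is one edit away from a trusted one) and the shortener is flagged because its true destination is hidden. A real mail gateway would use a proper public-suffix list and an organisation-wide allow list instead of the constructed values above.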
Finally, what is the difference between spam and phishing? The distinction lies in the intent of the senders. Spammers flood inboxes with unwanted advertisements, but without any other harmful consequence. Phishers, on the other hand, use fraudulent techniques to steal sensitive data from you.
In France, a 2020 study conducted by the Experts Club on Digital and Information Security (CESIN) found that phishing is the most frequent way of carrying out the cyber attacks that CISOs of French corporate companies have to deal with.
All companies are therefore directly concerned by fraud attempts, whether they are SMEs or large groups listed on the stock exchange.
However, large groups are better prepared for them than SMEs. The latter tend to think they are less targeted than the former and, as a result, suffer attacks more often.
The European Union Agency for Cybersecurity (ENISA) indeed reports that 70% of European SMEs use basic security controls only. Furthermore, phishing constitutes the most common method of cyberattack for these companies (41% of the reported incidents).
Additionally, European banking information is often targeted by cybercriminals, and schemes that abuse the European PSD2 regulation are a known way in.
Phishing mainly jeopardises the security of confidential data of a company, as well as its finances:
From a legal perspective, phishing falls under different types of offenses:
Regardless of the medium, the phishing process remains the same. It is about conveying a message that relies on social engineering to convince the victim to click on a link or an attachment. The end goal is gaining access to their personal data. This strategy is based on different media, but fortunately you can learn how to recognise the various techniques that might be used.
Phishers most often send emails, but it is not their only means to get to you:
Social media phishing involves hacking into your accounts to send malicious links to your contacts. This method also relies on creating fake user accounts. This type of phishing particularly affects companies for which “social engineering” is key to business. In this case, phishers collect information about the company to plan their future cyber attacks better.
There are also phishing attempts through LinkedIn accounts. Hackers send links to their victims, who provide their usernames and passwords. The criminals then use these credentials to take control of the LinkedIn account and send fraudulent messages to its contacts.
As detailed above, hackers use different methods to pass as reliable interlocutors. When they target companies, they use more specific methods:
Among the phishing attacks that everyone has been talking about, the databases of Booking.com's partner hotels have been particularly affected. Users of this website were all targeted by fraudulent attacks via WhatsApp or text messages.
Much has also been said about the phishing attack suffered by Target stores in 2013, which resulted in a data breach affecting 110 million consumers. That event has had a lasting impact on the reputation of this American brand.
The first step in protecting your business from phishing scams is to train your employees on the communication situations they should be wary of. You should also invest in the right anti-phishing software. Once an attack has been carried out, however, there are a few good practices that can help mitigate negative consequences.
Here are some essential preventive measures against phishing attempts, you may want to communicate them to your staff:
If the above recommendations lead your employees to spot one or more phishing attempts during their professional activities, here are a few steps you should follow:
In the event of a successful phishing cyber attack, by which hackers have obtained confidential data or money from you:
In the case of bank phishing, will your business be compensated for its financial losses? The courts have no universal position on that matter. The possible compensation depends on the appearance of the fraudulent message: depending on whether the email looked illegitimate, whether the amount of money demanded was implausible, or whether the request seemed illogical, your behaviour may or may not be deemed negligent.
This is what happened in a legal case between Crédit Mutuel Nord Europe and one of its clients. The local jurisdiction had recognised the fraud, arguing that the hackers had stolen her bank details. The highest French court (Cour de Cassation) preferred to agree with the bank, suspecting the client of gross negligence in handling her bank details.
Phishing is a form of cyber attack that grants the hacker access to confidential data: personal file or banking credentials. The hacker usually resorts to emails, text messages, or phone calls, pretending to be a legitimate interlocutor.
If you come across a questionable email, mouse over the URLs to make sure they correspond to legitimate websites. If in doubt, end the communication (text, call, email) and contact the official sender yourself to make sure that it is indeed a message on their behalf.
You can report spam and other phishing emails to Google via certain extensions.