The EU Cybersecurity Month (ECSM) is an annual awareness campaign held every October throughout Europe, orchestrated by European and national institutions. Its primary objective is to elevate awareness regarding cybersecurity threats, foster proactive mitigation measures, and facilitate the dissemination of best practices.
At CMS Belgium, we wholeheartedly endorse and actively engage in this vital initiative. The 2023 edition has chosen to spotlight the pervasive threat of phishing. Phishing attacks pose a formidable peril to enterprises, capable of inflicting considerable financial losses and severe productivity disruptions. All it takes is a convincingly written email, social media post, or phone message, and one employee who is distracted or unaware.
ECSM presents an excellent opportunity for your company to enhance its cyber-hygiene practices. In this article, we offer insights, tips, and techniques to help you recognise and thwart phishing attempts effectively.
What is phishing?
Phishing is a type of cyberattack in which criminals attempt to steal personal and/or financial information, or infect computers and other devices with malicious software (i.e. malware). Phishing attacks can take many forms, but the most common are fraudulent emails and websites that are designed to look like they are from legitimate sources, such as a financial institution, delivery company, government agency, and/or any other entities we trust.
Phishers often use social engineering techniques (e.g. exploiting human emotions such as fear, urgency, and curiosity) to trick people into revealing their personal information or clicking on malicious links, executables, or attachments. Phishing email statistics suggest that nearly 3.4 billion phishing emails are sent every day. It only takes one employee to make a mistake for your company’s systems to be compromised.
According to INTERPOL: “Phishing is considered the most prevalent cyber threat in the world, and it is estimated that up to 90% of data breaches are linked to successful phishing attacks, making it a major source of stolen credentials and information”.
Impact and risk – why does it matter?
Phishing adapts and modernises continually. While these fraudulent messages initially took the form of emails, they now also arrive as text messages (“smishing”), workplace messaging platform chats, social media communications, and phone calls (“vishing”). Nevertheless, phishing attacks still predominantly reach their victims by email.
Phishing matters because it is a serious threat to everyone.
Everyone is at risk of falling victim to a phishing attack, regardless of age, education, or technical expertise. Phishing attacks can have a devastating impact on your company and they are becoming increasingly sophisticated and targeted.
Phishing is a significant concern due to its multifaceted threat and dire consequences. It places financial stability, data security, reputation, and operational continuity at risk. This underscores the pivotal role of robust cybersecurity measures and user awareness in mitigating these risks. Here are a few illustrative examples:
- Financial Implications: Phishing attacks can inflict substantial financial harm on your organisation. Cybercriminals who gain access to sensitive financial data can conduct fraudulent transactions, steal funds, or engage in identity theft, leading to severe monetary repercussions.
- Operational disruption: Phishing attacks can disrupt daily operations. Malware and ransomware delivered through phishing can render systems and networks inoperable, resulting in downtime, decreased productivity, and costly recovery efforts.
- Data breaches: Phishing frequently serves as a precursor to data breaches. Successful phishing compromises can grant attackers access to and the ability to exfiltrate sensitive data, such as customer information, intellectual property, and confidential business data. These breaches can entail extensive legal, financial, and reputational repercussions.
Empower your staff through awareness
It is a well-recognised fact that employees often represent the most vulnerable aspect of any security framework. Investing in cybersecurity training or e-learning programmes for your staff can significantly enhance their skills and reduce the likelihood of inadvertently exposing sensitive information.
Tips for identifying and avoiding phishing
By following these guidelines, you can bolster your defence against phishing attacks and help safeguard your data and systems:
- Exercise caution when clicking on links or downloading attachments from unfamiliar sources, whether in emails or short links on social media platforms.
- Don’t succumb to the pressure of “urgent requests”. Take a moment to scrutinise the email for potential phishing signs.
- Use a strong, unique password for each of your personal and professional accounts. Reusing a password means that one phished credential can unlock several accounts; unique passwords limit the impact of a single compromise.
- Activate multi-factor authentication (MFA) for your important accounts. MFA adds an extra layer of security by requiring a second factor, such as a code from an authenticator app on your phone or a hardware security key, in addition to your password. Note that one-time codes can themselves be phished by a convincing fake login page, so where available prefer phishing-resistant methods such as hardware keys or passkeys.
- Ask yourself key questions: Do you recognise the sender? Were you expecting an email from them? Does the content seem unusual or inappropriate? Is the email designed to pique your curiosity?
- Pay close attention to domain names in links. What matters is the registrable domain: the label immediately before the top-level domain (“.com”, “.be”, etc.), read from right to left. Everything to the left of it is a subdomain chosen by whoever owns that domain, so “CMS.phishing.com” belongs to phishing.com, not to CMS.com, and so does “CMS.com.phishing.com”. Hover over a link (or long-press on a mobile device) to see the real destination rather than the displayed text.
- If you receive an unexpected email that raises suspicions, take the extra step to call the sender to verify its authenticity, using a phone number you already know or one from their official website, never a number given in the suspicious message itself.
- If a message seems suspicious, do not click on the links it contains or open the attachments. Report it to your IT department (for example via your email client’s “report phishing” button), then delete it. Reporting allows the sender and links to be blocked before a colleague falls for the same message.
- Keep your operating system, browsers, and security software up to date to benefit from the latest protection against cyber-attacks.
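The domain rule above (“look at the label directly before the top-level domain”) is easy to state and easy to get wrong when attackers pad the hostname with familiar words. The following Python snippet is an added example, not code from the original article or from CMS, showing how that rule can be applied mechanically to a link before it is clicked. It assumes a hypothetical allowlist containing only cms.com and uses a two-label simplification for the registrable domain (real tooling should consult the Public Suffix List so that a host such as example.co.uk is not reduced to co.uk). The sample links are constructed for the example.

```python
from urllib.parse import urlsplit

# Domains this organisation actually uses (assumption for the example).
TRUSTED_DOMAINS = {"cms.com"}


def registrable_domain(host: str) -> str:
    """Return the 'organisation' part of a hostname: the label directly before
    the top-level domain plus the TLD, e.g. 'cms.phishing.com' -> 'phishing.com'.

    Simplification: uses the last two labels. A production check should use the
    Public Suffix List so that multi-part suffixes such as '.co.uk' are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    return ".".join(labels[-2:])


def link_destination(url: str) -> str:
    """Return the hostname a browser would actually connect to for this link.

    urlsplit separates any 'user@' prefix from the host, so the classic trick
    'https://cms.com@phishing.com/' correctly resolves to 'phishing.com'.
    Scheme-less links such as 'cms.phishing.com/login' are treated as https.
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    return parts.hostname or ""


def is_trusted_link(url: str) -> bool:
    """True only if the registrable domain of the link's host is allowlisted."""
    host = link_destination(url)
    if not host:
        return False
    return registrable_domain(host) in TRUSTED_DOMAINS


def triage_links(urls):
    """Classify a batch of links; returns a list of (url, host, trusted) tuples."""
    return [(u, link_destination(u), is_trusted_link(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample links mimicking the patterns seen in phishing emails.
    samples = [
        "https://www.cms.com/cybersecurity",        # genuine
        "https://cms.phishing.com/login",           # subdomain of phishing.com
        "https://cms.com.phishing.com/",            # trusted name padded on the left
        "https://cms.com@phishing.com/",            # userinfo trick
        "https://phishing.com/cms.com/",            # trusted name hidden in the path
        "cms.com-login.net",                        # lookalike registrable domain
    ]
    for url, host, trusted in triage_links(samples):
        print(f"{'OK     ' if trusted else 'SUSPECT'}  {host:<22}  {url}")
```

The decisive value is always the registrable domain of the host, never the words that appear elsewhere in the link: the path, the part before an “@”, and any subdomain labels are all under the attacker’s control.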
If you think you may have been a victim of a phishing attack, it is important to act immediately. Change the password of the account involved first, then of any other accounts that shared the same password, and contact your IT department and/or CMS to let them know what happened so that the compromised credentials can be revoked and active sessions terminated.
For more information about these key trends and developments and CMS’s cybersecurity training programme, contact your usual CMS advisor or local CMS experts.