In the digital sea, small businesses and their security teams need to stay vigilant against phishing attacks. Here's our quick take on phishing awareness, real-world examples, and how to create a culture of trust and suspicion to keep your organisation safe.
What is phishing?
Phishing is the sneaky practice of tricking individuals into revealing sensitive information like login credentials, financial details, or other personal data. Cyber criminals cast their nets wide, using deceptive emails, texts, or websites that impersonate legitimate organisations.
The bait: seemingly innocent requests or eye-catching offers that lure unsuspecting users into their trap.
Why phish your employees?
Now, you might be wondering, "Why on earth would I want to phish my own employees?" Relax – we're not suggesting corporate espionage. Phishing simulations are a valuable training tool to help your team recognise and avoid these digital angling attempts. By intentionally sending fake phishing emails, you'll keep everyone on their toes and assess your organisation's vulnerability.
Real-world examples include:
In July 2020, the GPS technology and wearables company Garmin fell victim to a ransomware attack that disrupted its services for several days. The attackers utilised phishing emails to gain access to Garmin's systems and deployed the WastedLocker ransomware. The company reportedly paid millions of dollars to regain access to its systems, and the outage affected millions of users worldwide, impacting GPS navigation services, customer support, and even aviation services.
In July 2020, Twitter experienced a high-profile security breach that targeted the accounts of prominent individuals, including Elon Musk, Joe Biden, and Bill Gates. The attackers used a spear-phishing attack, targeting specific Twitter employees via phone calls to gain access to internal tools. Once they had access, they posted scam tweets soliciting Bitcoin from followers. This incident raised significant concerns about the security measures in place at Twitter, and the company faced public scrutiny and a loss of user trust.
Magellan Health, a Fortune 500 healthcare company, suffered a phishing attack in April 2020 that led to a ransomware infection. The attackers gained access to an employee's email account and breached the company's systems, exposing the personal data of approximately 365,000 patients. Magellan Health had to notify the affected patients, provide credit monitoring services, and enhance its cyber security measures, incurring significant losses.
How to create a culture of suspicion
To help employees spot phishing attempts, cultivate a healthy dose of suspicion:
Encourage them to question unexpected emails or requests.
Teach them to inspect URLs before clicking.
Remind them that if something seems too good to be true, it probably is.
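The "inspect the URL before clicking" habit can be written down as a checklist, which also makes a handy teaching aid. The script below is an added example, not code from the original post: it parses a link and reports the warning signs an employee should look for (a decoy name before "@", a raw IP address instead of a domain, punycode labels that hide lookalike characters, a trusted brand name used inside an untrusted domain, and link text that points somewhere other than the real target). The trusted-domain list and all sample links are constructed for illustration and use reserved ".example" and ".invalid" names.

```python
"""Heuristic URL inspection for phishing awareness training (added example).

Constructed allowlist and sample links; the checks are deliberately simple
so they can be explained to non-technical staff. An empty warning list means
no heuristic fired, not that the link is safe.
"""
import ipaddress
from typing import List, Optional
from urllib.parse import urlsplit

# Assumption: the domains this organisation genuinely uses (constructed).
TRUSTED_DOMAINS = ("acmebank.example", "acmehr.example")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (a simplified eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_url(url: str, link_text: Optional[str] = None) -> List[str]:
    """Return human-readable warnings for a link, optionally with its display text."""
    warnings: List[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.scheme not in ("http", "https"):
        warnings.append(f"unusual scheme '{parts.scheme}'")
    elif parts.scheme == "http":
        warnings.append("not HTTPS")

    if not host:
        warnings.append("no hostname in URL")
        return warnings

    # Browsers ignore everything before '@'; attackers put a trusted name there.
    if parts.username is not None:
        warnings.append("credentials/decoy text before '@' in the URL")

    # A bare IP address is rarely how a legitimate service is linked.
    try:
        ipaddress.ip_address(host)
        warnings.append("hostname is a raw IP address")
    except ValueError:
        pass

    # Internationalised domains arrive as 'xn--' labels; these can hide homoglyphs.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (xn--) label: possible homoglyph domain")

    reg = registrable_domain(host)
    if reg not in TRUSTED_DOMAINS:
        # Brand name used as a subdomain, decoy text, or part of a lookalike domain.
        netloc = parts.netloc.lower()
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in netloc:
                warnings.append(f"mentions '{brand}' but registrable domain is '{reg}'")
                break

    # Display text that names a different site than the real target.
    if link_text:
        shown = link_text if "://" in link_text else f"//{link_text}"
        text_host = urlsplit(shown).hostname
        if text_host and registrable_domain(text_host) != reg:
            warnings.append(f"link text shows '{text_host}' but target is '{host}'")
    return warnings


if __name__ == "__main__":
    # Constructed sample links of the kind seen in awareness training.
    samples = [
        ("https://acmebank.example/login", None),
        ("https://acmebank.example@login-verify.invalid/", None),
        ("http://192.168.0.10/login", None),
        ("https://acmebank.example.login-verify.invalid/", "acmebank.example/login"),
        ("https://xn--acmebnk-sample.invalid/", None),
    ]
    for url, text in samples:
        print(url, "->", inspect_url(url, text) or ["no warnings"])
```

Run it as-is to see each sample link annotated; in a training session, pasting a suspicious link into `inspect_url` turns the abstract advice into concrete, explainable reasons.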
How to create a culture of trust
While suspicion is key, trust is equally important. Establish an environment where employees feel comfortable reporting suspected phishing attempts without fear of judgement:
Create clear reporting channels.
Encourage open communication and support.
Recognise and reward employees who successfully identify phishing attempts.
Use effective phishing training methods
Keep your phishing training engaging and up-to-date:
Regularly conduct phishing simulations with varying degrees of difficulty.
Include interactive and hands-on training elements.
Review real-world examples and lessons learned.
Provide ongoing education about new phishing trends and tactics.
Phishing awareness is crucial for small businesses and security teams. By understanding what phishing is, using real-world examples, and fostering a culture of suspicion and trust, you'll keep your organisation safe from cyber criminals angling for your data. Stay vigilant, and remember – you don't have to take the bait!