My last blog discussed the benefits of data encryption and application programming. This blog dives into the cybercrimes of phishing and the signs it’s happening.
Phishing is a cybercrime in which a target or targets are contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss. In the financial sector, falling victim to a phishing attack will provide a hacker with a customer’s login credentials and the ability to compromise their accounts.
Of broader concern are phishing attacks that attempt to gain access to a firm’s internal resources by tricking an employee into clicking on a malicious link or attachment contained in a bogus email message. The link will either direct a web browser to a hacker’s site, which will install malware on the employee’s workstation, or the attachment may install the malware directly. These phishing emails are forged to appear as if they originate from trusted senders. The installed malware attempts to give the hacker access to the firm’s data resources through the infected computer.
In a recent study, it was found that an attacker sending out 10 phishing emails has a 90% chance that one person will fall for it. While there are security products that can and should be deployed to screen email attachments and verify email links against a blacklist of known malware sites, employee education is also warranted. Employees should receive mandatory training in ways to identify and report potential phishing emails in order to decrease the likelihood that an attack will succeed in producing a compromised workstation as a hacker’s entry point.
Spear-phishing takes phishing attacks to the next level, increasing the likelihood that an employee will take the bait of a malicious email. Spear-phishing uses the information shared on social media and other online sources to populate bogus email messages with information pertinent to the recipient. A hacker might craft a malicious email message as if it were sent by an employee’s manager or a non-work-related contact, such as their child’s sports team coach. The malware payload attachment will often have a name aligned with the relationship of the sender to the employee, so as not to raise suspicion (e.g., “meeting notes” if from a manager or “team schedule” if from a child’s coach).
Through repeated training, it is possible for employees to spot spear-phishing attempts, but increased vigilance is required.
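The three warning signs discussed above (a forged sender, a link to a known malware site, and a lure attachment whose name hides an executable extension) can be checked mechanically before a message reaches an employee. The following Python script is an added example for this post, not a product or code from the original; it uses only the standard library, and the blocklist, domains and sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed blocklist standing in for a feed of known malware sites (assumption).
MALWARE_DOMAINS = {"malware-site.example", "evil-links.example"}
# Extensions that can run code when an employee opens the attachment.
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def screen_email(raw: str) -> list[str]:
    """Return the phishing indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    # 1. Forged-sender heuristic: From: domain and Return-Path: domain normally agree.
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    bounce_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if bounce_dom and bounce_dom != from_dom:
        findings.append(f"sender mismatch: From {from_dom} vs Return-Path {bounce_dom}")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            # 2. Attachment name ending in an executable extension, including a
            #    double extension such as "meeting notes.pdf.exe" posing as a PDF.
            if filename.lower().endswith(RISKY_EXTENSIONS):
                findings.append(f"risky attachment: {filename}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            # 3. Links whose host is on the blocklist of known malware sites.
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for host in URL_RE.findall(body):
                if host.lower() in MALWARE_DOMAINS:
                    findings.append(f"blocklisted link: {host}")
    return findings

# Constructed sample: a spear-phishing mail posing as the employee's manager.
SAMPLE = """\
Return-Path: <bounce@evil-links.example>
From: "Pat Manager" <pat.manager@trusted-firm.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi, the notes are attached and also at http://malware-site.example/notes
--b1
Content-Disposition: attachment; filename="meeting notes.pdf.exe"

dummy attachment bytes
--b1--
"""
```

Running `screen_email(SAMPLE)` reports all three indicators for the sample, while a plain internal message with matching sender domains and no blocklisted links yields an empty list.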
To learn more about security measures financial services firms can implement in order to mitigate the risk of cyberattacks, you can fill out the form below or click here.