Cyber threat: Avoiding the phishing net

By Pavan Kushwaha

Phishing is a social engineering tactic to trick victims into giving away their sensitive information. It is one of the most popular fraudulent attempts used by hackers to steal data like usernames and passwords, financial details, corporate data, etc.

In fact, this cyber-attack vector has been making rounds since the mid-1990s, and today it has evolved to a sophisticated level. Cybercriminals are now targeting a large number of individuals and organisations to steal and misuse their data.

Majorly, these cyber threat actors use phishing emails and phishing websites to defraud individuals and organisations. These malicious practices, of duping innocent users, have become a highly remunerative line of business for cybercriminals.

According to Verizon’s 2018 Data Breach Investigations Report, email is the number one vector used for 92.5% of malware distribution and 96% of phishing attacks.

Hackers spoof legitimate email addresses to trick email recipients. They attach malicious links or files as baits and entice victims with alarming content to click on the malicious attachments. Phishing emails can be disguised as emails from a bank or someone known, requesting the victim to respond with personal information, financial details, or wire transfer money.

Ever since the occurrence of the Covid-19, cybercriminals have been launching phishing email attacks to exploit the pandemic fear for their malicious gain. Within the span of the first four months of 2020, 18 million Covid-19 phishing emails were blocked by Gmail every day. In addition to that, in one week, 240 million Covid-19 spam emails were blocked on a daily basis.

According to a Threat Report, around 1.5 million new phishing websites are created every month. Even, amidst the pandemic, more than 60,000 phishing websites were reported in March 2020 itself.

Hackers create forged web pages or websites of the legitimate ones. They aim to divert users from the original website to the fake one. By doing this, they lure victims into handing over their personal information or download malware.

Shockingly, it is estimated that 58% of phishing campaigns have HTTPS. This tactic has become very prevalent today, and various users are fooled into thinking that all HTTPS websites are secure.

Security professionals like CISOs, CIOs, CEOs must at least institute the following cybersecurity guidelines:

• Educate employees on prevailing cybersecurity threats with a security awareness training tool which can offer to simulate cyber attacks to give employees a real-time experience.
• Implement a phishing incident response tool to report the suspicious email, in case it seems fraudulent in nature. With most of the employees working remotely now, such a tool is the need of the hour to empower them with the ability to recognise and report phishing emails.
• Maintain good cyber hygiene by keeping passwords complex and strong with multi-factor authentication on all accounts and devices.
• Ensure the use of VPNs and avoid unsecured Wi-Fi.
• Secure outbound mail flow with email authentication protocols like DMARC, SPF and DKIM. It further protects the email domain against spoofing and other email-based attacks.

Kushwaha is founder, Kartikal Technologies. Views are personal