Hacking attacks are on the rise. In the era of the pandemic, there has been a large increase in phishing campaigns thematically related to COVID-19. The dangers of these can have serious implications for business operations, so it is a good idea to make employees aware of these types of threats. To better illustrate the scale of the phenomenon, I will present some statistics.

According to Verizon’s (DBIR) 2020 report on breaches in organizations, as many as 22 percent involved phishing. Of those, 96 percent of the attacks were via e-mail. Cybercriminals are getting more sophisticated in their operations. This is reflected in statistics. Nearly 97 percent of respondents are unaware of a well-constructed phishing e-mail, and only 3 percent report such breaches to their supervisors. It is worth looking at this phenomenon a little closer.

What is phishing?

Phishing is one of the most popular types of cyber-attacks using mostly e-mail or text messages. A social engineering technique is at work here – online criminals cause the attacked to take actions as they intend. Impersonating, among others, courier companies, government offices, telecommunication operators or even friends, they try to trick the user into providing login credentials to e.g. bank accounts, social networking accounts or business systems. Websites, e-mails and text messages are being falsified.

Ways to raise employee awareness of the risk of phishing attacks include training, providing reliable informational materials, implementing appropriate internal policies, frequent communication with employees, and conducting a phishing campaign, among others, which seems to outweigh the educational value of the other techniques.

What might a phishing campaign look like?
In an employee awareness campaign, the most common technique used is what might be called “trusted e-mail”. This technique exploits the tendency to trust what is close and familiar, but also fatigue and lack of perceptiveness. This action is carried out by the company’s employees who usually deal with cyber security. A phishing campaign resembles a real attack by a criminal except that it has no negative consequences. From such an action, statistical data is collected about the number of people in the company who “got caught” in the attack. The overall results of such campaigns are then announced within the company and employees are made aware of the dangers they should pay attention to in such situations. Simulating a real attack raises awareness among employees and therefore the security of the entire organization. Campaigns, to be effective, should be repeated several times a year.

Imagine a situation: you work in a big company, it’s Friday and you would like to close your laptop and go home. You get an e-mail. One of many on that day. This is your organization’s internal message. The e-mail has a short description and includes a link to your company website, where you think you’ll probably find a broader description of the topic being discussed. You click on the link involuntarily because why not? After all, it’s an e-mail from your company where you’ve worked for several years.

The description of this situation is an everyday occurrence in many companies around the world. This is what an attack can look like. A prepared internal phishing campaign can also look like this.

Clicking on links without thinking can have very bad consequences for an organization. The link often takes you to a fake website that confusingly resembles the site you know. The data entered there, including passwords, are intercepted by criminals. This data can later be used to hack into a company’s network and steal very valuable information. A seemingly innocent e-mail can result in an avalanche of unpleasant consequences. Is there then nothing that can be done? Fortunately, not. The key is to be threat aware and vigilant. These types of messages have their weaknesses that you can look out for to check their credibility.

What is worth sensitizing employees to?

Verify that the e-mail is from the organization referenced by the sender. Often the sender’s e-mail address is completely unreliable or is not the same as, for example, the signature under the body of the e-mail.

Evaluate whether the appearance and overall quality of the e-mail can be traced back to an organization/company from which such an e-mail would be expected, e.g. logos used, footer with sender information, etc.

A look at the sender’s name to see if it looks real or if it just mimics a known name. Often an e-mail can differ by one letter. For example: xyzz@123.pl instead of xyz@123.pl (there is an extra letter “z” in the first example).

Ignore the links provided in e-mails, check the URL, paste the address into a new browser window and check that it contains the correct company/institution name (may differ by one letter from the original, such as http://rnbank.pl) and that its address forces encrypted communication with the server (https://).

Awareness and education

The world of modern technology and computers is changing at an alarming rate. It is hard to keep up with it. Until recently, a criminal who wanted to steal something was associated with a person who breaks into a home under the cover of darkness. Many people do not know that a laptop, which is used for such things as checking e-mail every day or watching videos on YouTube, can be a place where fraud or theft occurs. Unfortunately, this is the case. The number of cybercrimes is increasing every year. Criminals today only need a laptop, an Internet connection and often not so much IT knowledge to do serious damage. As with many things, however, the most important thing is awareness and education. You do not need to have a deep knowledge of what a cybercriminal attack is all about. However, it is worth being vigilant – watch the e-mails, check the sender and do not click on links you are not sure of. Every company has a department that deals with IT security. If any concerns arise, these individuals should be contacted. I am sure they will be happy to help.

At Onwelo, we run such phishing campaigns both internally and for external clients. We believe that safety especially in this day and age is paramount.

Sebastian Ciszek, Safety Engineer at Onwelo. He works on application penetration testing and network audits. He is a fan of technological innovations in the security industry. Privately, he is passionate about Eastern martial arts and rock music.