
The Post-Pandemic War Against Sophisticated Phishing Attacks


Hacking is something we should all be wary of. Unfortunately, many organizations don’t give it a second thought until they’ve already had a security debacle and are actively trying to recover from it.

While there are many different ways that an attacker can infiltrate an IT system, most cyber-attacks adopt pretty similar techniques. Specifically, phishing attacks are one of the most common security challenges that both individuals and companies continue to face when trying to keep their information secure.

A survey by Ivanti consulted more than 1,000 IT professionals on the effects of phishing at their organizations. The results indicate that 74% of companies have been victims of phishing in the last year and 40% were attacked in the last month alone. Staff shortages, a lack of security training, End Users’ misbehavior and an increase in mobile device usage for work are the main factors.

This study also shows that the success rate of phishing attacks has dramatically increased during the COVID-19 pandemic as it forced many companies to shift to remote work.

Over the past year, 80% of respondents reported that the size of phishing attacks expanded, while 85% said the attempts are becoming more sophisticated and intricate, making them increasingly harder to detect. Ivanti reported that smishing (text-message phishing) and vishing (voice-call phishing) have also increased in the past year as more people are using mobile devices for remote work. The report also cites data from Aberdeen Strategy and Research that found a higher rate of successful phishing attacks against mobile devices, which Ivanti said is “a pattern that is trending dramatically worse.”

As mentioned above, there are plenty of factors that contributed to the high success rate of phishing attacks in the last year, and this survey pointed many fingers. A general lack of insight seemed to be one of the root causes: 37% of respondents mentioned that a lack of technological understanding among End Users amplified successful phishing attacks, while 34% directly blamed it on a lack of employee understanding.

It’s also interesting to note that while 96% of respondents stated their organizations offered cybersecurity training that teaches phishing recognition, only 30% confirmed that most employees at their organizations had actually completed their awareness training.

In addition to the lack of phishing awareness, 52% of those surveyed also reported that their IT teams were understaffed, while 64% said those shortages have led to more time spent on incident remediation.

In short, phishing targets everyone. However, since human error is the main cause behind most cyber breaches faced by businesses, the lion’s share of the attacks starts by targeting End Users who don’t consider security precautions until it’s too late – and they have already compromised their companies’ data.

Below are various phishing techniques used by attackers:

  • Embedding a link in an email that redirects your employee to a dangerous website that extracts sensitive information.
  • Installing a Trojan via a malicious email attachment or ad which will allow intruders to exploit loopholes and obtain sensitive information.
  • Spoofing the sender’s address in an email to appear as a reputable source and requesting personal information.
  • Attempting to obtain company information over the phone by impersonating a known company vendor or IT department.

How can you prevent phishing attacks?

It’s a given that new security tools and more investment in awareness sessions and training are crucial to combat phishing attacks. Moreover, security principles and policies should be in place at companies so that employees understand how to protect their devices especially when working remotely.

Here are a few of the best practices for End Users to follow in order to prevent phishing attacks:

  • Try to recognize phishing emails by checking the following:
    • Sender’s address
    • Email’s subject
    • Embedded links and attachments
  • Use longer phrases for passwords rather than just a few characters, and change them regularly.
  • Never share your passwords with anyone.
  • Never click on email links; always type the address directly into the address bar.
  • Keep your desktop AV, anti-spam, etc. up to date.

Moreover, here are a few steps companies can take to protect themselves against phishing:

  • Educate your employees and conduct training sessions with mock phishing scenarios.
  • Implement a zero-trust security model to prevent attackers from moving laterally in networks using stolen credentials.
  • Use artificial intelligence, machine learning and automation to identify and remediate threats. 
  • Eliminate passwords in favor of biometric identification, which removes the most common weak point used by phishing attackers.
  • Deploy a spam filter that detects viruses, blank senders, etc.
  • Keep all systems up to date with the latest security patches and updates.
  • Install an antivirus solution, schedule signature updates, and monitor the antivirus status on all equipment.
  • Develop a security policy that includes but isn’t limited to password expiration and complexity.
  • Deploy a web filter to block malicious websites.
  • Encrypt all sensitive company information.
  • Convert HTML email into text-only email formats or disable HTML email messages.

BluGrass Technologies can help you protect your critical systems, network, and applications from cyber threats by deploying and maintaining the highest level of security across your infrastructure. From cloud to end-to-end systems, our Cyber Managed Services can identify risks and prevent future threats before they can disrupt your organization. We can provide your organization with a host of security services such as intrusion detection and prevention, incident management, managed vulnerability and identity and access solutions, to name a few. When your company’s data is at risk, we spare no effort in ensuring you have the best and most impenetrable network security system in place.

Get in touch with us to begin deploying the optimum cybersecurity for your enterprise today.