Anyone who uses email, texting, or other forms of messaging is probably all too familiar with phishing. Phishing is when attackers create messages and websites mimicking their legitimate counterparts in order to trick people into taking some action as requested by the attacker.
Phishing attacks are launched at every organization and employee – and there are no signs of them slowing down. Our 2017 Global Threat Intelligence Report (GTIR), based on our analysis of trillions of security relevant logs over the past year, found that such attacks were responsible for 73% of malware delivered to organizations. Furthermore, over 60% of recent NTT Security incident response engagements were initiated to help organizations manage phishing attacks.
So why is this still happening? Most of today’s phishing attacks are highly sophisticated, so it is difficult for people to distinguish them from legitimate messages. People are also trusting by nature: when something looks like a message or website they have seen before, they don’t question it, and an attacker exploits exactly that habit to manipulate people into doing what the attacker wants. The most elaborate attacks may be preceded by extensive research so that the attacker can pose as an employee, contractor, or vendor with authorized access to sensitive facilities. It may sound like the stuff of movies, but it really does happen.
There are a number of recommendations for reducing an organization’s chances of being victimized by phishing attacks and, since they share the same delivery path, ransomware attacks.
Everyone in the business should:
- Check emails, texts, and other messages for any signs of phishing before clicking on links or opening attachments: a sender address that does not match the display name, a link whose visible text differs from where it actually points, or an unexpected attachment. Visit the official website directly (by typing a URL you already know, or from a bookmark) instead of clicking on a link. Avoid opening file attachments until you can verify they are genuine. There is nothing wrong with calling the sender to ask if they emailed you an attachment, but use a phone number you already have, not one taken from the message itself.
- Verify the legitimacy of any requests that seem unusual in any way. For example, if someone says they are calling from the help desk and need your password to resolve a problem, get their name and say you will call them back at your organization’s main help desk number.
- Not give out any information that the person contacting you should already have. For example, if someone calls claiming to be from your credit card company, do not give them your credit card number.
- Not download and install new software onto your corporate desktop or laptop unless specifically authorized to do so.
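The sender, link and attachment checks in the list above can be automated for a first triage of a suspicious message. The script below is an added example and is not part of the original post or NTT Security’s tooling; the trusted-domain set, the risky-extension list and both sample messages are constructed for illustration, and the registrable-domain helper deliberately uses the last two labels of a hostname rather than a real public-suffix list.

```python
# Heuristic phishing checks over a raw email message. Added illustration of the
# "check for signs of phishing" advice above, not NTT Security's tooling. The
# trusted-domain set, extension list and both sample messages are constructed.
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com"}  # assumption: brands users expect mail from
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".lnk", ".iso", ".docm", ".xlsm")

# Constructed phishing sample: lookalike sender, foreign Reply-To, link text that
# shows the bank's URL but points elsewhere, and a double-extension attachment.
SAMPLE_EML = """\
From: "Example Bank Security" <alerts@example-bank.com.evil.test>
Reply-To: support@replies.freemail.test
To: victim@corp.test
Subject: Urgent: verify your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account will be locked. Sign in at <a href="http://login.evil.test/verify">https://www.example-bank.com/login</a></p>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""
# Constructed legitimate sample: consistent domains, no attachment.
CLEAN_EML = """\
From: "Example Bank" <alerts@example-bank.com>
To: victim@corp.test
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<p>Sign in at <a href="https://www.example-bank.com/login">https://www.example-bank.com/login</a></p>
"""

def registrable_domain(host):
    """Last two labels of a hostname (crude stand-in for a public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_of(url):
    """Hostname of a URL, or of bare 'www.example.com' link text."""
    return urlparse(url if "://" in url else "http://" + url).hostname or ""

def lookalike(host):
    """True when host contains a trusted brand name but is not registered under it."""
    return registrable_domain(host) not in TRUSTED_DOMAINS and any(t in host for t in TRUSTED_DOMAINS)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(raw):
    """Return (category, detail) pairs for every sign of phishing found in the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    from_host = parseaddr(str(msg.get("From", "")))[1].partition("@")[2]
    reply_host = parseaddr(str(msg.get("Reply-To", "")))[1].partition("@")[2]
    if reply_host and registrable_domain(reply_host) != registrable_domain(from_host):
        found.append(("reply_to_mismatch", f"replies go to {reply_host}, not {from_host}"))
    if from_host and lookalike(from_host):
        found.append(("lookalike_sender", from_host))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            target = host_of(href)
            shown = host_of(text) if text.lower().startswith(("http", "www.")) else ""
            if not target:
                continue  # mailto:, javascript: and the like have no host to compare
            if shown and registrable_domain(shown) != registrable_domain(target):
                found.append(("link_mismatch", f"shows {shown} but goes to {target}"))
            elif lookalike(target):
                found.append(("lookalike_link", target))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):  # flag by file type before anyone opens it
            found.append(("risky_attachment", name))
    return found
```

Running `phishing_indicators(SAMPLE_EML)` reports the mismatched Reply-To, the lookalike sender domain, the link whose text and target disagree, and the `.exe` attachment, while `CLEAN_EML` produces no findings. The checks are heuristics, not proof: a message that passes them can still be a phish, which is why the advice to go to the site directly and to confirm by phone still applies.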
Managers in the business should:
- Implement regular security awareness training for all users so they are up to speed on phishing, social engineering, and ransomware, especially on how to identify attacks, what to do if they need help, and how to report possible attacks.
- Strengthen the organization’s business continuity capabilities to help ensure quick restoration of operations if a ransomware incident happens. This includes a comprehensive backup strategy, including secure storage of offline backups, as well as confirming the organization’s ability to rebuild systems and restore data.
- Schedule and perform regular assessments in the form of phishing attack simulations emulating real world threats. This is a reliable way to determine whether your training and awareness programs are effective, and it highlights where defensive capabilities still need work.
For more information on phishing – and the steps that all employees, management and technical staff can take – download our 2017 Global Threat Intelligence Report (GTIR): https://www.nttsecurity.com/GTIR2017/