Increasing number of phishing campaigns. Cybercriminals target Internet users, businesses and organisations

According to the latest ESET Threat Report T1 2022, email threats increased by nearly 40% in the first four months of this year, compared to the last four months of 2021. Phishing campaigns are not limited only to Internet users, they concern governments, organisations and businesses as well. ESET Expert explains what affects the safety level.

Why is phishing so effective?

Where does the effectiveness of cybercriminals come from? They use a combination of spoofing tactics (impersonating the usual senders of messages) and social engineering, which aims to induce an unconscious victim to take unreflective action.

Both tactics include using fake IDs, domains, phone numbers of alleged senders, and accounts that are sometimes very difficult to verify as phishing attempts. Often, the content of fake messages contains official logos and other elements of the company's graphic identification, which attackers impersonate. This can effectively mislead the recipient. Another characteristic feature is creating a sense of urgency by fraudsters, which is to induce the unconscious user to act. Such messages are accompanied by attachments or links that lead to fake websites or malware

Kamil Sadkowski

senior cybersecurity specialist at ESET

The past years have been advantageous for fraudsters

Phishing attacks have become an even greater threat in the last two years. Due to the spread of remote work caused by the COVID-19 pandemic, many employees use devices with insufficient security features. Such a large influx of potential victims did not escape the attention of criminals. According to Google data from April 2020, the company blocked as many as 18 million malicious and phishing emails per day. Although many people have returned to offices in full or in hybrid mode, there is still a risk that they will be exposed to more SMS (smishing) and voice (vishing) attacks.

Inattentive users will be willing to click on links and open attachments in phishing messages and encounter various dangers. Opening an infected file attached to a message may result in the installation of malware, ransomware, banking trojan, or data theft. The financial consequences for the victim of the attack can be enormous, especially when the attack is directed at an employee of a company or organisation

Kamil Sadkowski

senior cybersecurity specialist at ESET

How do I protect the employees from phishing?

Training and raising employee safety awareness is a top priority for many organisations. Finding a training program that works in the company is essential to turning employees into a solid first line of defence against phishing attacks. The human factor is invariably the weakest link in the company's safety chain. As ESET's cybersecurity expert points out, an important aspect is creating an open culture in which potential phishing attempts are encouraged to be reported.

Providing adequate security solutions is crucial in creating a deep-rooted security culture. Organisations should create a simple, transparent incident reporting process and review all reports. The same applies to phishing recognition training, which plays a vital role in the fight against one of the greatest threats to corporate security. Of course, training in phishing recognition should be only one of the elements of a multi-layered strategy for dealing with cyber threats. More sophisticated scams can deceive even the best-trained staff. That's why security controls are also necessary – the use of multi-factor authentication, regular testing of incident response plans, and the implementation of security solutions that verify emails affecting business mailboxes for threats

Kamil Sadkowski

senior cybersecurity specialist at ESET