What is phishing (pronounced 'fishing')? The short and succinct answer is: an attempt to trick a user into giving out credentials and other valuable information. The long answer is more nuanced.
You have certainly been acquainted with some sort of phishing attempt in the past. The emails you get that mostly end up automatically in your 'Junk' folder are email phishing attempts. In those emails you are usually persuaded to click on a link or to transfer money in order to get a lot more back. These scam attempts have bad grammar, strange sender addresses, weird text formatting and a generic opening instead of your actual name and surname, which any institution that deals with your money should have. These phishing scams are the most widely used attempts and usually quite obvious.
Or you might have received a phone call from a supposed 'Windows technician' who wants to refund you money because their software support has ended, or so you are told. This is the classic phone scam that requires you to download remote control software and to buy gift cards and hand their codes to the caller. When reading the situation in text form, it is obvious that something is really off. But once you pick up the phone, you might get caught up in their manipulative talk.
Phishing in corporate environments is a lot more sophisticated and not as obvious as the examples in the previous paragraphs. Imagine that you receive an email from your colleague's email address. Most likely you wouldn't think twice, even if it was not sent by your actual colleague. This can happen if, for example, said colleague leaked their login credentials to a bad actor, who then logged in to the email account and wrote on their behalf. This leads us to the most commonly used security architecture, called 'Zero Trust'.
In this blog post we will be looking at cyber security from the social side. There are a lot more rules and regulations for such implementations at the technical level.
As the name implies, Zero Trust requires all of your users to have zero trust, inside and outside of your environment, in regards to digital identity. Of course, if you use digital signatures and cryptographically signed email, some trust can be upheld. But most people do not know how, or even why, to use these more secure forms of communicating. Which brings us back to Zero Trust instead.
To start with, if you receive a high-stakes request, you need to confirm that request via multiple forms of communication. In order for this to work, your corporate policy should dictate that doing so is required. Otherwise the person who made the request will be annoyed that it is not carried out immediately. This is how psychological manipulation works: you get pressured into doing something you should have thought twice about before going through with it.
The story of a CEO getting scammed
There are numerous articles written on this incident (e.g. Wall Street Journal, Forbes). Bad actors managed to use AI to deepfake the voice of a superior, who pressured an employee into making a transaction of €220,000 as soon as possible. This was in 2019. With the exponential progression of technology, you can be certain that it will become a lot easier for less savvy scammers to use these AI tools.
This incident was an example of a successful and sophisticated phone phishing attempt. These bad actors do a lot of research on your company and on the individuals who work there, probing and trying to see what happens and how people respond to certain situations. Any method of espionage is allowed. You need to watch what you and your colleagues post on social media. Anything can be used against you. A classic example is an employee taking a photo at work and posting it online. They didn't think twice about the post-it notes in the background revealing inside information that can later be used to gain the trust of other employees.
How to tackle Phishing?
It all boils down to corporate policy. Every employee should be aware that these kinds of attacks exist, and should be educated on what they might look like and on what shouldn't be done inside and outside of the office.
This raises a question: if an employee leaked something and is unaware that they might have caused serious damage, should they be fired? In some circumstances they probably should. But we propose that most of the time it is best to keep them in the company. Why? Because they now have experience of how these kinds of operations play out. They might even notice this kind of activity targeting other colleagues.
How did the bad actors get access to your colleague's email account? There are numerous ways; two of them are brute-force and dictionary attacks. They basically go through every combination, or a known set, of login credentials and try them out.
The first method is a brute-force attack, where bad actors try to get your password by trying out every possible combination of characters. This means that if you have a short password, it will be found easily and used against you and/or your company. To fight this attack, you have to have a long password, preferably with a lot of variation: upper and lower case letters, numbers and symbols.
The second method is a dictionary attack, where hackers use a known set of login credentials. These are usually obtained from other sites that have been hacked. If you reuse your password, you are most likely vulnerable; it is just that nobody has tried to attack you or your company yet. The fastest way to check if you are vulnerable is to go to https://haveibeenpwned.com and try out all the email addresses that you are using or have used in the past. This is a well-known site that, contrary to what you might think now, does not store the information that you put in. For more information you can go to their about page or (preferably) do your own research online. The site will tell you if your email address was seen in any of the leaks it has managed to index. If you do find your email address on a list, the password that you used on that particular site is most likely known.
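To make the two attacks above concrete, here is an added example (not part of the original post, and not code from Have I Been Pwned). It estimates the search space a brute-force attacker has to cover for passwords of different lengths, and it shows the k-anonymity lookup that the same service's Pwned Passwords API uses for passwords: only the first five characters of the password's SHA-1 hash are sent, and the rest is matched locally, which is why the service never learns the password itself. The guess rate, the breach counts and the two filler lines in SAMPLE_RESPONSE are constructed for the demo; fetch_range talks to the real range endpoint but is not called offline.

```python
import hashlib
import math
import urllib.request

# --- Brute force: how big is the search space the attacker must cover? ---

# Character-class sizes used for the estimate (printable ASCII classes).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidate passwords of exactly this length over the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate.
    The guess rate is an assumed figure for the demo, not a measurement."""
    return keyspace(length, alphabet_size) / guesses_per_second


# --- Leaked-password check: k-anonymity lookup against Pwned Passwords ---

def split_hash(password: str) -> tuple[str, str]:
    """Upper-case hex SHA-1 of the password, split into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned for one prefix into a suffix -> count map."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count)
    return counts


def pwned_count(password: str, response_text: str) -> int:
    """How many times the password appeared in indexed breaches (0 = not found)."""
    _, suffix = split_hash(password)
    return parse_range_response(response_text).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Online lookup (not used by the offline demo): fetch all suffixes for a prefix."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "pwned-range-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the server's reply to the prefix of "password":
# a real response holds hundreds of lines. The first suffix is computed locally,
# the other two suffixes and all counts are made up for the example.
SAMPLE_RESPONSE = "\n".join([
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
    f"{split_hash('password')[1]}:3861493",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
])

if __name__ == "__main__":
    rate = 1e10  # assumed offline cracking rate in guesses per second
    cases = [(8, LOWER, "8 lower-case"),
             (12, LOWER + UPPER + DIGITS, "12 mixed"),
             (16, LOWER + UPPER + DIGITS + SYMBOLS, "16 full ASCII")]
    for length, size, label in cases:
        bits = math.log2(keyspace(length, size))
        print(f"{label:14s} keyspace 2^{bits:5.1f}  worst case "
              f"{seconds_to_exhaust(length, size, rate):.3g} s")
    prefix, _ = split_hash("password")
    print("prefix sent to the service:", prefix)
    print("breach count for 'password':", pwned_count("password", SAMPLE_RESPONSE))
    print("breach count for a long passphrase:",
          pwned_count("correct horse battery staple", SAMPLE_RESPONSE))
```

The keyspace numbers are what make "long with variation" the right advice: each extra character multiplies the attacker's work by the alphabet size, so length wins over cleverness. The lookup shows that a password checker can be safe to use even when you are suspicious of it, because the prefix alone matches thousands of unrelated hashes.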
This is why you should not reuse passwords. This is a hard thing for any company to ask of its employees, which is why there is a rise of password manager services that create a different strong password for every site.
Another security measure is two-factor authentication (2FA), which keeps your accounts secure even if a hacker guesses your login credentials correctly. 2FA is relatively unobtrusive, which means more people are willing to use it without a lot of pain.