Phishing, smishing and vishing: what are they, and how to prevent these cyber scams

In 2020, 74 per cent of companies experienced a successful phishing attack, according to Black Kite’s latest blog post, entitled “What is phishing? Tips to identify and prevent cyber scams.”

Black Kite is a company that provides automated cyber risk monitoring. Its recent blog post defines phishing, per NIST, as “a technique to acquire sensitive data” (such as bank numbers) through “fraudulent solicitation” (such as email or web sites). In these cases, the hacker masquerades as a reputable person or business.

“The average cost of a phishing attack is $4.65 million in 2021—a large price to pay for a single employee’s click on a fraudulent email,” said Black Kite in its blog, adding that the industries most at risk include financial institutions, social media, SaaS/webmail, and payment.

The company said human error accounts for 90 per cent of cyber breaches, and that 97 per cent of employees do not recognize a sophisticated phishing attempt when it comes their way.

“Awareness training on behalf of a company can be the initiative that saves a company from compromising confidential information through network phishing,” said Black Kite.

The blog post also discusses smishing, which is when phishing goes mobile and hackers use SMS. The text messages are made to look like they were sent from a reliable source—such as a bank, government agency, delivery service, or utility company. Mobile phishing attacks were up 328 per cent in 2020, according to Black Kite.

“The message often asks to confirm information so the sender knows that the phone number is active,” said Black Kite. “They can then move forward with their attack.”

There is also a form of attack called vishing, which is short for voice phishing. For these, the company said vishers already have the personal information of 75 per cent of victims.

The good news is that Black Kite said 87 per cent of companies saw improvement in phishing attacks after implementing awareness training. According to Bob Maley, Chief Security Officer at Black Kite, one way to deal with these attacks is to “Stop, Suspect, Think, Orient, and Proceed.”

The company suggests taking a “zero-trust” approach to phishing or anything that seems like it, even if the email you are looking at includes a link. Then, think it through, inspect the links (and email addresses), question any suspicious activity (does the message seem normal?), and stay alert.

The full blog is available here.

About Todd Phillips

Todd Phillips is the editorial director of Universus Media Group Inc. and the editor of Canadian auto dealer magazine. Todd can be reached at tphillips@universusmedia.com.
