The Phishing Insights 2021 Report found that worldwide phishing attacks on companies have increased significantly since the onset of the pandemic. According to estimates, the economic damage of such cybercrimes amounts to at least a double-digit million figure each year in countries the size of Germany alone.
This blog post lays out the most common cybersecurity threats that you should know about:
What is phishing, and how do you recognise it?
Why is ransomware on the rise?
How can you protect yourself against common cyberattacks?
The most common threats nowadays relate to social engineering, such as phishing or impersonation (e.g. CEO fraud). Another critical threat mostly spread via email is malware, such as the well-known ransomware. Let’s have a closer look at what these attacks look like.
Social Engineering is #1
Several statistics show that social engineering schemes make up more than 90% of overall cybersecurity attacks. With phishing and similar threats, attackers pretend to be a familiar personal contact or a commonly recognised company like the postal service, a bank, or even a public service institution. The method’s quite simple: you receive a genuine-looking email saying that your account is in danger, blocked or that it will be blocked soon if you don’t act immediately.
The message often prompts you to verify your account by following the link provided within the email. Once you click on that link, you’re forwarded to a malicious website rather than the one you may have originally expected. The goal is to make the person enter their credentials or any other sensitive data without realising it and then these credentials trigger a money transfer or are used for further attacks.
Imagine receiving such a message from someone pretending to be part of your internal IT support team or any other trusted source. The closer the relationship with the alleged sender is, the more likely these attacks are to succeed.
Similarly to phishing, there are also smishing and vishing schemes, whereby attackers try to reach out to people through texts or voice calls, pretending to be a member of a trustworthy organisation.
Ransomware on the rise
Apart from phishing, there are other dangers that can arise from these types of emails. The target website might induct malicious downloads that will try to install malware onto your computer. Once successfully installed, the malware will even start to spread across and infect more systems within your home or business network. Depending on the type of malware, attackers might either gain remote access by bypassing firewall settings, enabling remote access features or other methods of intrusion.
The most significant kind of malware within recent years is ransomware, which has experienced an alarming rise through the Covid-19 pandemic. Ransomware attacks are usually made through email. Once a person falls victim to the attack, their data is encrypted. If the ransomware can spread across the network, it can encrypt all data assets of an organisation, shutting down business for several days. The attacker then typically demands ransom, with the promise to restore access to the data upon payment.
There are several scenarios to have a computer system exposed to the risk of malware, e.g. by visiting infected websites, using unverified pen drives, and many more. So be careful when engaging with content you don’t trust or devices you don’t know.
How to protect yourself from cyberattacks
All of these scenarios require a human to either click on a link in an email, open an attachment or disclose sensitive data in some other way. So how can we reduce the risk of someone accidentally causing harm? The most effective way is to ensure that people are properly trained. And that goes for all companies and departments.
Employees who are poorly trained in cybersecurity make life significantly easier for criminals. The people within an organisation are the last line of defence. That’s why they need to be considered as part of the solution rather than part of the problem.
Employees need to think twice before clicking links or opening email attachments. They should know what to do with emails or files sent from unknown or untrustworthy sources. And they need to be educated on what reporting procedures are in place if they suspect an intrusion.
Training and awareness are crucial building blocks for the protection against cyberattacks.
But how exactly can you differentiate a phishing email from a genuine one? There are some typical characteristics to help you identify suspicious emails:
You’re not greeted correctly, e.g. “Dear Friend” or “Dear Customer”.
The sender email address only looks like a legitimate one at first but comes from another domain.
The text contains unusual phrasing, typos or other errors.
When you hover over the links, you can usually recognise an unexpected website.
It might have attachments in uncommon or unexpected file formats, such as ‘. pdf.exe.’
The following example highlights a few of these characteristics.
In addition to regular training, you need high levels of personal responsibility and caution when dealing with potentially harmful emails. The more you focus on the details, the easier it gets to recognise them. But stress and time pressure cause more errors, putting you at a higher risk. So, take your time and be as careful as possible. It’s much more difficult to recover from such an incident once it already occurred.
About the author
I’m Unite’s IT Operations Officer, responsible for the smooth and secure operation of our platform. I like working at Unite because I have a lot of creative freedom and get to contribute my own ideas. In addition, new and exciting challenges always ensure that I develop further.