Phishing attacks are the most common cyber threat to UK businesses.
This form of cyberattack can be remarkably unsophisticated. Yet, the disruption caused can be huge.
So why are phishing attacks such a problem? What can be done to limit their success?
Using human behaviour as a weapon
Phishing emails prey on human behaviour.
They will often claim to come from an authority figure. The message might foster a sense of urgency. Or offer some kind of reward to the recipient.
Each of these elements plays on the human psyche. Deference, anxiety, fear and/or excitement will prompt recipients to respond without due caution. That’s all it takes for the scam to work.
In times of crisis – during a pandemic, for example – emotions that lead people to act in this way are heightened. Criminals know this. And they act accordingly.
The UK’s HMRC detected a 73% increase in email phishing attacks in the first six months of the Covid-19 pandemic.
In September 2020, HMRC published examples of Covid-19-related phishing emails. One email, claiming to be from HMRC, told people they were eligible for a tax rebate because of Covid-19. The email contained a hyperlink entitled ‘Access your funds now’.
The arrival of a Covid-19 vaccine presented another opportunity for scammers. In early January 2021, scam text messages began circulating in Northern Ireland. The texts told people they were eligible for vaccination. Victims were directed to a fake NHS website where they were asked to provide bank details.
Covid-19-related phishing attacks demonstrate how cyber criminals exploit human vulnerabilities and anxieties. These types of scam can reach hundreds or even thousands of people.
But phishing scams can also target individuals.
It’s not difficult for a hacker to impersonate someone else. With a few personal details, a targeted scam can become incredibly convincing. A targeted phishing attack is also less likely to be picked up by phishing filters.
Business Email Compromise (BEC) scams are one type of targeted phishing attack. In BEC scams, criminals impersonate company employees.
In 2019, auto parts supplier Toyota lost $37 million in a BEC scam. This type of scam also increased during the Covid-19 pandemic. In the second quarter of 2020, BEC wire transfer losses were up 48%.
The importance of phishing awareness training
For criminals, phishing attacks are relatively simple to execute. But for businesses and individuals, the effects can be catastrophic.
67% of businesses say their single most disruptive cyberattack in the last 12 months was a phishing attack. Phishing training is undoubtedly important. But it needs to move beyond the compliance-based training currently on offer. It needs to pay more attention to changing behaviour.
CybSafe’s Assist, Protect and Connect tools aim to do this. CybSafe Assist offers support and guidance on demand. It provides answers to cyber security questions when people need them most. CybSafe Protect is an interactive tool that helps improve security behaviour through goal setting. And CybSafe Connect is a mobile app that lets people access cyber security help wherever they are.
To reduce the impact of phishing attacks, we need to understand why they work. We need to understand people’s behaviour. And we need to understand how we can change behaviour.
CybSafe can help you do that.