A cybercriminal is just one phishing email away from gaining unfettered access to your device, network, and valuable data. Phishing emails hold the potential to bypass many of the cybersecurity defenses employed by organizations and wreak havoc on the sensitive data and resources they hold. As concluded by PhishMe research, 91% of the time, phishing emails are behind successful cyber attacks.
PhishMe came to this conclusion after sending 40 million simulated phishing emails to around 1000 organizations. PhishMe’s study also found the healthcare sector to be particularly at risk of compromise via phishing attacks, with a phishing email response rate of 31% amongst healthcare employees, despite having received security awareness training.
Cybercriminals have a wide variety of social engineering techniques at their disposal to lure the user into clicking on links, opening attachments, or disclosing sensitive information. From impersonating trusted brands or individuals in emails to creating spoofed websites or personalizing attacks using private details about their targets, phishing efforts continue to evolve and grow increasingly difficult to differentiate from legitimate communications. Phishing can come in the shape of phony confirmation emails for online purchases, job applications, failed delivery notifications, security updates, and even legal notices, each of which can be used to instill a sense of urgency or fear to further increase targets’ odds of taking the bait.
But it doesn’t take a highly targeted or nuanced phishing attack (often called “spear phishing”) to be successful. PhishMe also discovered that employees respond even to the most basic forms of phishing emails, which are usually far more generic and simply contain harmful links or attachments.
Tech giant Google was recently in the crosshairs of a sophisticated phishing scheme that targeted the company’s approximately 1 billion Gmail users globally, seeking to gain access to users’ accounts and spread to their contacts. The emails closely mimicked real emails from Google and appeared to be sent by targets’ trusted contacts, asking recipients to open a linked “Google Docs” file. Once clicked, the link redirected users to Google’s actual account management page, where users were asked to grant permission to a fake app, posing as the real Google Docs, to access and manage their accounts. Once granted access, the attackers would send the phishing email to the user’s contact list, spreading the attack in an attempt to compromise as many users as possible, as quickly as possible.
We are investigating a phishing email that appears as Google Docs. We encourage you to not click through & report as phishing within Gmail.
— Google Docs (@googledocs) May 3, 2017
While similar Google Docs phishing scams have been taking place for years, this campaign proved highly successful due to its convincing use of Google’s branding and email format as well as its propagation techniques.
How to avoid phishing attacks
Here are a few tips to avoid falling victim to phishing attacks:
- Be vigilant when using email or other forms of electronic communication: Carefully examine the senders of unsolicited, unexpected, or otherwise suspicious communications, such as emails requesting financial transactions. There are many things you can look for that indicate a potential scam, such as spoofed sender addresses or links, impersonal or poorly written messages, or messages referencing activities (such as orders, job applications, shipment notifications, etc.) that you didn’t take. Always take steps to verify the validity of a request for a wire transfer or sensitive information before acting upon it. Be vigilant about who is asking for what information and always cross-check.
- Carefully check links: Don’t click on the link(s) provided in any emails, messages, or site notifications of which you are suspicious. Before clicking, hover over links to double-check that the destination URL is what it claims to be. To be extra careful, type out URLs manually instead of clicking links.
- Do an online search: When in doubt, do an online search to further investigate the validity of communications you receive. If it really is a scam, you can often find ample results showing so. Do your part in spreading awareness of potential phishing scams by reporting them to the companies involved, your IT department, or the FBI’s Internet Crime Complaint Center.
- Use a VPN to secure your Internet connection: A VPN encrypts your Internet connection and keeps the sites you have visited and the information you share private from would-be attackers. Using a VPN helps prevent attackers from intercepting your Wi-Fi traffic over public networks, a common technique for gleaning details or credentials used in phishing attacks, or even for intercepting sensitive data outright.
- Look out for typos: Phishing scams are infamous for having typos. If you receive an email or notification from a reputable company that is laden with typos or poorly written, there’s a good chance that email is not from who it claims to be.
- Use multi-factor authentication: It is recommended to have two forms of verification, for example, a password and a security question, before logging into any sensitive accounts. Two- or multi-factor authentication makes the job more difficult for cybercriminals seeking to gain access to your accounts. For example, even if your password is exposed to an attacker, your account will remain protected by a second or even third layer of authentication. For the best defense, use factors that consist of something you physically have (such as a token or device) or biometrics; these factors are considerably harder for attackers to obtain.
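The “check the sender” and “check the links” tips above can be partly automated in a mail filter. The following Python script is an added example, not code from the original article or from Digital Guardian: it parses a constructed sample message, flags a Reply-To domain that differs from the From domain, and flags links whose visible text shows one domain while the href points to another (the mismatch you would otherwise spot by hovering). The sample addresses, the regex-based anchor extraction, and the two-label domain rule are assumptions made for the demo.

```python
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message for this demo; it is not a real phishing email.
SAMPLE_EML = """\
From: "Google Docs" <no-reply@docs-share-example.test>
Reply-To: collect@attacker-example.test
Subject: A document has been shared with you
Content-Type: text/html; charset=utf-8

<p>Open: <a href="http://accounts.google.com.attacker-example.test/oauth">https://docs.google.com/document/d/abc</a></p>
<p><a href="https://docs.google.com/help">Help</a></p>
"""

# Anchor tags in a simple HTML body; a production tool should use a real HTML parser.
ANCHOR_RE = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable_domain(host):
    # Last two labels of a hostname; a real tool would consult the public suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def addr_domain(header):
    # Registrable domain of the mailbox in a From/Reply-To header value.
    return registrable_domain(email.utils.parseaddr(str(header))[1].split("@")[-1])

def shown_host(text):
    # Hostname if the visible link text itself looks like a URL, else None.
    text = re.sub(r"<[^>]+>", "", text).strip()
    host = urlparse(text if "://" in text else "http://" + text).hostname
    return host if host and "." in host else None

def analyze(raw):
    # Apply the "check the sender" and "check the links" tips to one raw message.
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    if msg["Reply-To"] and addr_domain(msg["Reply-To"]) != addr_domain(msg["From"]):
        findings.append(f"Reply-To domain {addr_domain(msg['Reply-To'])} "
                        f"differs from sender domain {addr_domain(msg['From'])}")
    body = msg.get_body(preferencelist=("html",))
    for href, text in ANCHOR_RE.findall(body.get_content() if body else ""):
        shown, real = shown_host(text), urlparse(href).hostname
        if shown and real and registrable_domain(shown) != registrable_domain(real):
            findings.append(f"link text shows {shown} but points to {real}")
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML):
        print("suspicious:", finding)
```

Links whose visible text is a plain label (such as “Help”) are not compared, since only a URL shown as text makes a promise about where it leads.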
For more tips on protecting against phishing attacks, check out Digital Guardian's infographic, Don't Get Hooked: How to Recognize and Avoid Phishing Attacks.
Anas Baig is a cybersecurity journalist who covers cybersecurity and tech news. He is a computer science graduate specializing in internet security, science and technology. He is also a security professional with a passion for robots and IoT devices. Follow him on Twitter @anasbaigdm.