Cybersecurity Email security

How to prevent your organisation from becoming a victim of phishing?

Erik Biemans
Placeholder for Erik biemansErik biemans

Erik Biemans , Head of Cybersecurity Services , Nomios Netherlands

9 min. read
Placeholder for Preventing phishing at organisationsPreventing phishing at organisations

Share

Being vigilant can save you from falling into the trap. However, all it takes is a moment of distraction to click on a phishing email. That's why knowing what to watch out for in phishing prevention is crucial for you and your colleagues. Make sure everyone is aware of how to distinguish a phishing email from a legitimate one and recognise a phishing website.

What is phishing?

Before we delve into preventing phishing attacks, it's essential to understand what phishing is. Phishing is a technique used by cybercriminals to obtain login credentials.

Phishing works with websites that imitate legitimate organisations, making them look very convincing. The URL of such a phishing site often resembles the real one. The tactics used to lure you to these pages are becoming increasingly sophisticated.

Phishing example

Various techniques are used to lure victims to phishing sites, usually through email, WhatsApp or SMS. In the example below, a criminal pretends to be a bank via email to plunder your bank account.

The phisher wants you to visit their page and sends an email stating that your bank card is about to expire, urging you to apply for a new one. To increase the urgency, they might say: "If you wait more than 48 hours to request a new bank card, your account will be blocked," or "After 48 hours, there's a €25 fee for requesting a new bank card, but it's free if you act now."

When you input your information on a phishing site, the criminal gains access to your login credentials. Many people think, "Nowadays, I need a second authentication method to log in, so they won't get access to my bank account." Unfortunately, that's not the case, as phishing sites are no longer static pages but interactive websites.

After submitting your details on such an interactive phishing site, you'll see a message asking you to wait. At that moment, the criminal immediately logs into your bank using the stolen login details. If the criminal is prompted for verification, they'll send you a message through the phishing site, asking you to confirm your login, for example, with your fingerprint in the mobile app of the bank.

By doing so, you unknowingly give the phisher permission to use your account. They can then purchase products, cryptocurrencies, or transfer money to another account.

Fortunately, most banks have fraud detection systems that can stop suspicious transactions. However, these systems are not foolproof, making it crucial to always remain vigilant to avoid falling victim to a phishing attack.

Hacking business email addresses

Cybersecurity experts refer to hacking business email addresses as Business Email Compromise (BEC). BEC often results from phishing attacks where the login credentials of a corporate email account are stolen.

BEC is considered the most significant financial threat to organisations in terms of cybersecurity, causing more financial damage than ransomware. Every year, the FBI releases a report on the total economic damage caused by various attacks. According to the 2021 report, BEC accounted for approximately $2.4 billion in damages. However, this is likely just the tip of the iceberg, as most organisations do not publicly disclose falling victim to such scams.

BEC typically operates as follows: once a phisher gains access to your inbox through phished credentials, they read the emails you send and receive. By monitoring conversations, they can identify when a customer will receive an invoice. The phisher will then send a fake invoice or an authentic one with altered bank details. Since the email comes from your inbox, the recipient believes it is you, the sender.

If a phisher discovers that the compromised mailbox lacks access to invoices or other valuable information, they will use the same phishing trick on a colleague. The criminal creates a phishing site and sends an email from the hacked employee's account to, for example, the department responsible for sending invoices. If an employee from that department falls for it, their email account is hacked, allowing the cybercriminal to send fraudulent invoices.

Remember to stay vigilant and educate your colleagues to protect your organisation from falling victim to phishing attacks and business email compromise.

Placeholder for Closeup young man holding smartphoneCloseup young man holding smartphone

Why are phishing and BEC a problem?

Phishing and BEC pose significant problems for several reasons. They often have substantial financial consequences for individuals and organisations, as well as potentially severe personal impacts.

Personal impacts

In 2014, over 200 well-known American film actresses had their Apple iCloud accounts hacked. This incident was known as 'The Fappening.' After receiving phishing emails, these actresses entered their iCloud credentials into a phishing website.

The criminal gained access to their accounts and stole nude photos and videos, which were then spread online. These explicit materials are now in the hands of people worldwide and are still accessible online.

In this case, the hacker responsible for stealing the images was sentenced to 8 months in prison, but the stolen photos and videos remain online, causing great shame to some victims.

Financial Consequences

When your personal bank account is emptied through phishing, the bank usually compensates for the damage in most cases. However, this is not always the case for business accounts.

BEC has the most significant financial impact because the money is genuinely gone. Banks often do not reimburse the losses since the bank account itself was not taken over.

Organisations frequently fall victim to BEC. For instance, in 2019 there was an incident at Nikkei. BEC scammers impersonated an executive from Nikkei and requested a large money transfer. The scammers used sophisticated tactics to make the request appear legitimate, and the finance department of Nikkei complied with the fraudulent request, transferring approximately $29 million to the scammers' account.

The incident came to light when the company realised the mistake and reported it to the authorities. It was later revealed that the scammers had used carefully crafted email communications to deceive Nikkei's employees into thinking they were dealing with a legitimate request from a high-ranking executive.

This example highlights the severity of BEC attacks and the potential financial damage they can cause to organisations, regardless of their size or reputation. It also emphasises the need for constant vigilance and robust cybersecurity measures to protect against such threats.

Phishing Prevention: What can your organisation do?

While it is impossible to entirely prevent your organisation from becoming a phishing victim, there are many steps you can take to reduce the risk and impact. We recommend focusing on education, implementing processes, and utilising technology.

1. Education

Education is crucial when it comes to the people in your organisation. Ensure that employees are aware of the existence of such attacks and educate them about both phishing and BEC.

Key points for education

Train individuals to recognise phishing emails and phishing websites. It is essential that they understand how these attacks work. For example, if the attacker slightly alters their tactics and sends a link via SMS (known as smishing), employees should still be able to recognise it as a form of phishing.

If employees receive invoices from suppliers that seem suspicious, they should be aware of BEC and know how to take appropriate action. Those with interesting profiles, such as financial department employees or executive assistants, are more likely to be targeted and must be extra vigilant.

Exploiting current events

Cybercriminals often exploit current events to increase the credibility of their messages. Less than a day after the outbreak of the war in Ukraine, phishing emails on this topic were already being sent. Similarly, pandemic-related measures and vaccinations have frequently been used in phishing emails.

This tactic is also applied at the company level. For instance, when companies announce the opening of a new branch in a foreign country, phishers may use this information to send emails requesting login credentials for the system to be used in the new branch.

Conduct a phishing test

A phishing test involves a legitimate hacker, also known as an ethical hacker, pretending to be a phisher and sending messages within the organisation. The goal is to identify who clicks on these messages. It is crucial to conduct this test to assess awareness, not to shame individuals. The focus should be on creating awareness.

2. Processes

Establish various processes within the organisation to prevent and mitigate phishing attacks.

Phishing prevention

Make it clear to recipients when they receive emails from outside the organisation, such as adding [external] to the subject line. This is a simple yet effective measure.

Phishing contact person

If someone suspects a phishing attempt, they need to know who to report it to. They should always be able to contact this person in the following situations:

  • When receiving a phishing email but not clicking on any links. When clicking on a phishing email but not submitting any information on the phishing website.
  • When clicking on a phishing email and submitting their information on a phishing website.
  • In the last scenario, employees must know what to do and whom to contact.

This designated contact person must also know the necessary steps to take upon receiving a report of a potential phishing incident, such as advising the employee to change their username and password.

Avoid punishing employees

When employees fall for a phishing website and submit their information, they often try to hide it due to feelings of shame. Thus, having a clear process in place is crucial. Proper education should emphasise that anyone can be a target and that individuals will not be punished.

Processes should be designed to ensure employees are not penalised. The longer people conceal that a phishing incident has occurred, the more damage it can cause to your organisation, which should be avoided at all costs.

3. Technology

Ensure that your organisation has the necessary technology to detect phishing emails and prevent them from reaching employees. Solutions for your mail server can be used to add a message to the subject line, such as [Warning! Possible Phishing]. This will raise awareness among employees that they need to be extra cautious when checking these emails.

Also, as mentioned above, indicate when someone receives an email from an external person by adding [external] to the email's subject line.

Managed Detection & Response

Consider utilising Managed Detection and Response (MDR) to protect your organisation against digital attacks, including phishing.

MDR can often (unfortunately not always) detect when an employee visits a phishing site. If a login occurs shortly after with an IP address from Nigeria, for example, proactive action can be taken by blocking that employee's account.

What to do if your organisation falls victim to phishing?

If your organisation becomes a victim of phishing or business email compromise, it is essential to determine exactly what happened. This is especially critical if BEC occurred with a fake invoice, and the customer claims to have paid it. In such cases, it becomes even more crucial to investigate how it happened. Which accounts were compromised? Which passwords need to be changed? What actions did the attacker take? Were any other fake invoices sent? This process is known as incident response.

Larger and more developed organisations may consider using threat intelligence. This involves understanding the activities of cybercriminals, and it is not limited to phishing or BEC but encompasses a broader range of activities. Sometimes, threat intelligence includes compromised login credentials obtained through phishing. If you discover that your employees' credentials are on such a list, you can take proactive action. However, before implementing threat intelligence

Let's talk about cybersecurity

If you want to learn more about preventing phishing or discuss the cybersecurity services and solutions we offer, please get in touch with us by sending a message or giving us a call.

Get in touch

Do you want to know more about this topic?

Our experts and sales teams are at your service. Leave your contact information and we will get back to you shortly.

Call now
Placeholder for Portrait of french manPortrait of french man