TechGuard Blog

Catch Email Phishing Attacks Before They Catch You

The million-dollar question: could you catch an email phishing attack before it catches you? The stakes are real. A successful phishing attack costs a mid-sized company an average of 1.6 million dollars. Being able to recognize the signs of a phishing attack before you hand over sensitive information or click an unknown link is a vital step in securing your company.

Attacks and breaches take place every single day, and no company is immune. Many of you will have heard about the recent Google breach, for example. Every company and every employee therefore needs to take deliberate measures to secure the organization. According to the SANS Institute, 95% of enterprise network attacks involve spear phishing, and according to the 2018 Verizon Report, 30% of phishing messages get opened by the targeted users. A large part of the answer is straightforward: train your employees to spot phishing emails, and test that knowledge before a real attack arrives.

Hear it From the Experts

TechGuard delivered a spear-phishing campaign as part of a penetration test for a university. Spear phishing is a more targeted form of phishing that uses knowledge gathered about the victims before the attack. We used a "failed package delivery notification" template with a "click here" link to arrange redelivery. The link led to a fake login page, branded with the university's logos, that captured whatever credentials were entered. Substantial reconnaissance went into selecting target employees likely to hold elevated privileges, and we settled on 14 users to target in an attempt to steal credentials and gain a foothold on the network.

Results of our Phishing

Within 5 minutes of sending the spear-phishing email, 2 employees had clicked the link and entered their login credentials on our fake page. Within 20 minutes we had access to all of their student records. The phishing was eventually reported and a notification went out telling employees not to click the link, but by then we already held valid credentials for those accounts. With that mailbox access we could also have simply deleted the warning notification and started sending phishing emails from the compromised accounts, as those users.

Indicators

Had the employees been trained to recognize the signs of a phishing email, they would have noticed that the link's domain resembled the college's name but did not match it exactly. They would also have known to check with shipping and receiving that a package actually existed before clicking anything. It takes only one user to compromise a system, and the results can be catastrophic. Always question unexpected emails and unfamiliar links, and verify the sender through a channel you trust before acting on the message.
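The "looks like the college name but is not an exact match" indicator can be checked mechanically before anyone clicks. The Python script below is an added example, not TechGuard's own tooling or anything from the engagement described above: it pulls the links out of an email body, compares each link's registrable domain against the organization's real domain (example.edu is assumed here as a stand-in for the university's domain), and flags the three tricks phishing links usually rely on: the real brand name buried in a subdomain of an attacker-owned domain, a one-character typosquat, and link text that shows one address while the href goes elsewhere. The email HTML is constructed for the example.

```python
# Added example: flag links whose domain only resembles the organization's.
# Not TechGuard's tooling; "example.edu" stands in for the real domain and
# the email HTML below is constructed for the demonstration.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains the organization legitimately sends links to.
TRUSTED_DOMAINS = {"example.edu"}

# Constructed sample resembling the "failed delivery" lure.
SAMPLE_EMAIL_HTML = """
<p>We were unable to deliver your package.</p>
<p><a href="http://example.edu.delivery-notice.com/reschedule">Click here</a>
to arrange delivery.</p>
<p>Or sign in at <a href="http://examp1e.edu/portal">https://example.edu/portal</a></p>
<p>Questions? <a href="https://www.example.edu/mail">Contact mail services</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Naive: without a public-suffix list,
    multi-part suffixes such as .ac.uk are mishandled; fine for a demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href, text):
    """Return ('trusted' | 'suspicious' | 'unknown', [reasons])."""
    url = href if "://" in href else "http://" + href
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", []
    reasons = []
    for trusted in TRUSTED_DOMAINS:
        # Brand name buried in a subdomain, e.g. example.edu.delivery-notice.com
        if trusted.split(".")[0] in host:
            reasons.append(f"host {host} contains the org name but registers as {domain}")
        # Typosquat / homoglyph-style near miss, e.g. examp1e.edu
        elif edit_distance(domain, trusted) <= 2:
            reasons.append(f"{domain} is within 2 edits of {trusted}")
    # Anchor text displaying one domain while the href points somewhere else
    shown = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", text.lower())
    if shown and registrable_domain(shown.group()) != domain:
        reasons.append(f"link text shows {shown.group()} but href goes to {host}")
    return ("suspicious" if reasons else "unknown"), reasons


def scan_email_html(html):
    """Classify every link in the body: list of (href, verdict, reasons)."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, *classify_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, verdict, reasons in scan_email_html(SAMPLE_EMAIL_HTML):
        print(f"{verdict:10} {href}")
        for reason in reasons:
            print(f"           - {reason}")
```

On the constructed sample the first two links are reported as suspicious (subdomain trick and typosquat plus mismatched link text) and the third, on www.example.edu, as trusted. In production the registrable-domain logic should use a public-suffix list rather than "last two labels", and a verdict of "unknown" is a prompt for the "check with shipping and receiving" step above, not a clean bill of health.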

Are you curious whether your staff would detect a phishing email, or fall victim to one? How many of your employees would fill out a form that hands over their credentials? Organizations often assume it will never happen to them, but if it did, could your company absorb a loss of 1.6 million dollars? Consider how often a new story appears about a cyberattack or a breach. Your employees can be either your greatest strength or your greatest vulnerability.

 

Learn more about how TechGuard Security can help your organization avoid a phishing-related incident.