What keeps you up at night? The World Economic Forum asked leading CEOs what keeps them up at night. Losing access to important goods and services and ransomware risks turn out to be the most concerning, together with financial or data loss. Emails, texts and instant messages are all routes for criminals to lure businesses into sharing security details in what’s known as phishing. It’s the starting point for 90% of online crime. Preventing these crimes is key. Your employees are your first line of defence.

Source: https://www3.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2024.pdf
Lupasafe constantly keeps on top of the latest phishing insights. In this blog, we’ll share the latest on phishing with you:
- How big a problem is phishing?
- Who’s being phished?
- Why do people click?
- What can I do?
1. How big is the phishing problem?
Between 20 and 40% of companies in the Netherlands and Germany have experienced at least one type of cyber attack in the last year, with phishing being one of the common methods. The German government reports that the risk of cyber threats is higher than ever, partly due to advances in generative AI that improve phishing and fraud.
Look and look again.
Data from the UK census says 3% of those who said they’d had a phishing attempt admit to clicking.
What people say isn’t always what they do
Lupasafe data from tests sees up to 40% of employees actually clicking and sharing confidential data within 24 hours. That means 2 out of every 5 employees are too busy or not aware enough to properly recognize a phishing scam. There is a discrepancy between people’s perception of their cyber awareness and the reality of their actual cyber awareness. The good news is that people who have experienced cyber attacks firsthand tend to have a more realistic understanding of the risks and their own cyber awareness levels. However, there’s a general trend of overestimating one’s cyber preparedness, leading to a false sense of security.
But more importantly: phishing rates can be reduced
Lupasafe’s training meant that 50% fewer people clicked in follow-up tests. Before a phishing test, more than 60% of respondents could not differentiate between Microsoft’s real login page and a phishing site designed to imitate it. After training, this number was significantly reduced.
2. Who’s being phished?
Almost a third (32%) of respondents to the UK census reported receiving a message via text or instant messaging, which may have been phishing, in the month before being asked.
Of those who replied to or clicked on a link in a phishing message, more than a third (35%) said they did so for financial or material gain, and 30% to pay an invoice or bill, according to the UK census.

Your sharp eyes are key – it’s not just IT!
Phishing and cyber attacks affect all types of modern business. Computers and finance are at the heart of most businesses, especially professional services firms, which may not see themselves as tech companies. For example, 75% of legal firms have had cyber attacks, and UK homebuyers could not move for 3 weeks after solicitors were cyber attacked.
3. Why do people click?
Financial desire is an obvious reason to click – or to avoid clicking – but there’s more to successful phishes. Social engineering – making people think they are getting or doing something else – is a key cause for clicking. It works by creating a level of personal trust, engagement and urgency, with the promise of personally gaining money or status (an urgent request for the boss).
The reasons people fall for scams vary, from financial desperation to a lack of awareness, emotional triggers, trust and authority, or a lack of vigilance.
Every phish is usually a little different, but learning to question and check before responding to every email helps in avoiding many scams, and can even help when not.
Team understanding and collaboration to watch out for phishing and cyber security is key.
This case study from the UK’s National Cyber Security Centre shows how attackers ‘only need to be lucky once’ to get the instance of malware or credentials they are looking for.

Source: https://www.ncsc.gov.uk/files/multi-layered-phishing-mitigations-infographic.pdf
4. What can I do?
Lupasafe can help your business with phishing as part of a full spectrum view of cyber vulnerabilities. This will enhance your team’s knowledge and confidence in cyber security, by tackling phishing, and ensuring that the business has full visibility of its cyber risks.
• Lupasafe will draw up a tailored phishing plan for your business together with you.
• Your employees will be informed in advance about the test, so that they are in a safe learning environment. The ethos is to learn and protect together.
• We imitate a real phishing attack, responding to current events within your organization.
• Everybody then receives a short microlearning video on how to recognize phishing emails.
• We closely monitor how your employees respond and improve, with analysis of the results.
• Afterwards, we discuss the findings together and identify any vulnerabilities within your organization.
In addition to working with Lupasafe on phishing training and awareness and on vulnerability analysis, businesses can report phishing attempts and build up their overall cyber defences.
EU – Lupasafe are part of CYSSME – the European Cyber Security for SMEs programme. All EU businesses can review their phishing with Lupasafe and apply for further cyber security funding from the EU as part of the project to evaluate SME needs in cyber
UK – Report phishing – ensure that anytime you see a serious phish you report it. In the UK this is via the UK government website.
