How Complacency Puts You at Risk of Phishing

Author: Joey Stanford, VP of Privacy & Security at Platform.sh

Businesses cannot afford to underestimate the threat of phishing. They must have proper protections in place for their data, not least because they are legally required to.

A quick scan of your email junk folder, or maybe even your inbox, reveals the extent of the problem: employees at every level of a company are targeted by phishing. Usually notable for their bad spelling and grammar, these emails try to fool you into clicking a dodgy link, handing over a password, or taking up an offer that is “too good to refuse.” We have all seen them; we all know to ignore them. Yet phishing remains one of the most successful tactics for deploying ransomware and scamming people out of personal information. How can this be?

According to data from AAG IT, of those U.K. businesses that suffered a cyber attack in 2022, 83% say the attack resulted from phishing. While many phishing attempts look easy to avoid, these spray-and-pray tactics are used to identify the individuals who could be vulnerable to social engineering.

This approach has another effect: because most phishing attempts are obvious, they serve as a decoy for the more convincing and targeted spear-phishing attempts. If senior business leaders (SBLs) are not aware of these developments in phishing, they put themselves and their businesses at risk.

Why do organizations ignore the risks of phishing?

There are two main types of phishing: phishing and spear-phishing. The former consists of spam emails sent to addresses obtained online or purchased on the dark web, carrying fake business propositions or threats. Most organizations have some form of anti-virus and anti-spam protection in place, which makes this kind of phishing mostly invisible: either it is obvious to the target or it is dumped in a junk folder and ignored. Phishing comes to be seen as a “solved problem” and is easily dismissed. Those dumb emails surely won’t catch anyone out.

Spear-phishing is a more sophisticated approach that involves a greater understanding of the targeted individual and organization. As opposed to a ‘spray and pray’ approach, spear-phishing usually involves a dedicated criminal with skills in social engineering and the patience to play a long con to infiltrate a business. Because this method requires an investment of time and people, organizations encounter it far less often; that rarity leaves them unaware of how sophisticated these attempts have become, and therefore vulnerable to them.

Businesses can develop a “stick-with-what-we-know” mentality, leaving them unprotected against future threats. What they forget to consider is how sophisticated phishing emails can be. With the advent of generative A.I., spear-phishing attacks will become less reliant on people managing the attack process.

Earlier this year, Apple’s co-founder, Steve Wozniak, warned that A.I. would make scams harder to spot. In addition to writing the initial outreach, A.I. will let attackers automate the research process to identify victims, find what motivates them, and steal their data. With some chatbots reportedly passing the Turing Test, social engineers will likely be able to run hundreds of spear-phishing attacks simultaneously.   

They’re not cybercriminals; they’re malicious marketers.

The biggest mistake businesses can make is underestimating the scale and sophistication at which cybercriminals operate. When we think of cyber criminals, we often conjure images of hooded figures alone in a basement. Instead, we should consider cybercriminals akin to professional email marketers, using many of the same tools legitimate businesses use to send out mass mailers. But instead of selling services, they’re stealing personal information.

Not every phishing email is a baited trap. Like marketers, cybercriminals use their tools to do market research and will A/B test their messages to see what people respond to best. Some scam emails embed a tracking pixel: a tiny remote image that is fetched from the sender’s server the moment the email is opened and rendered with remote images enabled, which tells the sender:

  • The number of times you open an email.
  • The time you opened the email.
  • Your I.P. address.
  • What type of device you used to open the email.
  • The operating system you use.

All this data is fed back into the criminal business so malicious marketers can craft more effective spear phishing campaigns designed to target specific individuals rather than “spray-and-pray.”
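The following is an added example, not code from the article or from Platform.sh, showing both halves of the tracking-pixel mechanism described above. On the recipient side it scans an HTML email body for remote images that look like tracking pixels; on the sender side it parses the pixel host’s access log to recover exactly the data listed above (open count, time, IP address, device type, operating system). The email body, the log lines, the `.test` domain names and the recipient token `r=` are all constructed for this example, and the User-Agent classification is deliberately crude.

```python
"""Added example (not from the article): how a tracking pixel reports an
'open' back to the sender, and how a recipient-side scanner can spot one.
All email content, domains and log lines here are constructed."""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs
import re

# --- 1. Recipient side: find tracking pixels in an HTML email body ----------

# Constructed phishing email. The first <img> is 1x1 and hidden, and 'r='
# carries a token identifying the recipient, so one request = one person.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Your mailbox is almost full. <a href="https://example-invalid.test/login">Verify your account</a>
to avoid interruption.</p>
<img src="https://track.example-invalid.test/o.gif?r=7f3a9c" width="1" height="1" style="display:none">
<img src="https://cdn.example-invalid.test/logo.png" width="120" height="40" alt="logo">
</body></html>
"""

class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in the document."""
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})

def find_tracking_pixels(html):
    """Return the src of each remote <img> that looks like a tracking pixel.
    Heuristics (any one is enough): 1x1 or smaller, hidden via CSS, or a URL
    carrying a query string (a per-recipient token)."""
    parser = _ImgCollector()
    parser.feed(html)
    hits = []
    for img in parser.images:
        src = img.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            continue  # inline/data images cannot phone home
        tiny = img.get("width") in ("0", "1") and img.get("height") in ("0", "1")
        hidden = "display:none" in img.get("style", "").replace(" ", "").lower()
        tokenised = bool(urlparse(src).query)
        if tiny or hidden or tokenised:
            hits.append(src)
    return hits

# --- 2. Sender side: what the pixel host learns from each open --------------

# Constructed Combined Log Format lines as the pixel host would record them:
# two opens by the same recipient token, one by another recipient.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [12/Jun/2023:08:15:02 +0000] "GET /o.gif?r=7f3a9c HTTP/1.1" 200 43 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/113.0 Safari/537.36"',
    '203.0.113.10 - - [12/Jun/2023:08:16:40 +0000] "GET /o.gif?r=7f3a9c HTTP/1.1" 200 43 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/113.0 Safari/537.36"',
    '198.51.100.7 - - [12/Jun/2023:09:02:11 +0000] "GET /o.gif?r=b21e44 HTTP/1.1" 200 43 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "GET (?P<path>\S+) [^"]*" '
                    r'\d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$')

def _classify_ua(ua):
    """Crude OS/device guess from the User-Agent (iPhone checked before Mac,
    since iOS UAs contain 'like Mac OS X')."""
    if "Windows" in ua: return ("Windows", "desktop")
    if "iPhone" in ua: return ("iOS", "mobile")
    if "Android" in ua: return ("Android", "mobile")
    if "Mac OS X" in ua: return ("macOS", "desktop")
    if "Linux" in ua: return ("Linux", "desktop")
    return ("unknown", "unknown")

def parse_pixel_hit(line):
    """Turn one access-log line into the data the sender gets per open,
    or None if the line is not a pixel request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    token = parse_qs(urlparse(m["path"]).query).get("r", ["?"])[0]
    os_name, device = _classify_ua(m["ua"])
    return {"token": token, "time": m["time"], "ip": m["ip"], "os": os_name, "device": device}

def summarise_opens(lines):
    """Per-recipient summary: number of opens plus first-open time, IP, OS, device."""
    hits = [h for h in (parse_pixel_hit(l) for l in lines) if h]
    counts = Counter(h["token"] for h in hits)
    first = {}
    for h in hits:
        first.setdefault(h["token"], h)
    return {t: dict(first[t], opens=counts[t]) for t in counts}

if __name__ == "__main__":
    print("tracking pixels:", find_tracking_pixels(SAMPLE_EMAIL_HTML))
    for token, info in summarise_opens(SAMPLE_ACCESS_LOG).items():
        print(token, info)
```

The sender side only works if the mail client actually fetches the remote image, which is why a client that blocks remote images until the user allows them, or that proxies them, blunts this kind of reconnaissance; the recipient-side scanner is the sort of check a mail gateway can run before the message ever reaches an inbox.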

They also look to exploit human psychology and behavior, aka “social engineering.” This manipulates emotions, such as fear, curiosity, greed, or urgency, to influence users’ actions. It’s not so different from marketers influencing you to buy the next smartphone or sneaker. But marketers have codes and laws they need to stick to, unlike the professional cybercriminal.

Organizations have a responsibility to ensure data security.

In the U.K., the Information Commissioner’s Office (ICO) can fine organizations that fail to protect personal data or that do not properly report a breach within 72 hours. In 2020, it fined British Airways £20 million for failing to implement appropriate security measures to prevent a cyber attack that compromised the personal and financial details of over 400,000 customers and staff. More recently, it reprimanded University Hospitals Dorset for failing to prevent a phishing attack that enabled hackers to access the personal data of up to 113,000 employees.

This is not a problem solved just by buying ever more expensive security. By following a few steps, organizations can remain compliant with industry standards and ensure business continuity:

  • Conduct regular employee training: Train employees to recognize phishing attacks, avoid clicking on malicious links or attachments, and report suspicious emails or texts.
  • Use anti-phishing software: Deploy security software that detects and blocks phishing emails and websites.
  • Use multi-factor authentication: Add an extra layer of security to your online accounts by requiring a code or device and your password.
  • Verify requests for information: Before giving out any sensitive information, contact the sender directly using a trusted phone number or email address, and never reply to the original message.

Organizations can’t bury their heads in the sand as the phishing threat grows. Phishing operations are professional outfits, more comparable to a major cloud or security vendor than to a back-street criminal gang. If businesses have been lucky enough to avoid an attack so far, they can’t rely on chance as their only defense for long.