By this point, the dangers presented by phishing attacks are becoming increasingly well known. Business leaders recognize that information security awareness is critical for organizations of all kinds, and these programs need to focus heavily on phishing if firms want to remain protected in the current cybersecurity landscape.
Phishing attacks have become among the most dangerous forms of cyberthreats in recent years. These attacks effectively circumvent the most common cybersecurity defenses – such as firewalls and antimalware programs – and instead target the end-users directly. And, unfortunately, many users lack the awareness or training to resist these tactics.
The sheer scope of phishing attacks can be seen in a number of recent incidents. Taken together, these examples demonstrate that phishing is becoming a ubiquitous problem, one which companies of all sizes, sectors and locations need to address as soon as possible.
“Hackers established a PayPal phishing page on the World Bank website.”
An attack on the World Bank
Perhaps the most significant example of phishing’s potency to emerge in recent months was an attack on the World Bank. As security services firm Netcraft recently revealed, the World Bank previously took the lead on the Climate-Smart Planning Platform project, which is intended to help organizations in developing countries prepare for the effects of climate change. However, Netcraft discovered that the project’s website had been infiltrated by hackers who established a PayPal phishing page.
Netcraft explained that the PayPal page was intended to tricks users into revealing a range of personal information, including names, passwords, credit card numbers and more. Only after they provided this information were site visitors directed to the CSPP’s actual PayPal page.
The source noted that this particular scam was particularly dangerous because it took advantage of the World Bank’s Extended Validation SSL certificate. These certificates are not achieved easily, and they seen as strong evidence that the site in question has thorough security measures in place. By compromising such a website, the phishing attackers were able to prey on users’ trust to obtain sensitive, valuable information.
This highlights one of the key reasons why phishing attacks in general are so dangerous: They often take advantage of trusted organizations’ reputations to fool their targets into revealing private data. This holds true whether the phishing attackers are focusing their attention on employees at a given business or consumers at large.
Consumer worries
As an example of consumer-focused phishing, the Internal Revenue Service recently issued an alert warning tax preparers about a current scam of this sort, Accounting Today contributor Michael Cohn reported. In this case, hackers sent out messages claiming to originate with the IRS, asking recipients to update their IRS e-Services information.
Phishing attackers are now imitating the IRS.
“The links provided in the email to access e-Services appear to be a phishing scam to capture e-Services usernames and passwords,” the IRS warned. “If you receive an email like this, do not click on the links or take any other action. There is no need to call us. Just disregard the email.”
Cohn noted that tax-related identity theft is a growing problem. In light of this, the IRS has initiated a new public awareness campaign to help consumers protect themselves from these threats. Phishing will naturally play a role in these efforts.
Company efforts
As mentioned previously, many phishing attacks specifically target employees at a specific organization, presenting an obvious risk to those companies. However, even broader consumer-aimed phishing attacks are seriously dangerous for business entities. After all, the phishing attackers can subsequently use the identifying information gained to impersonate their victims and potentially infiltrate those individuals’ employers. Such attacks are difficult to detect or prevent.
In light of all of this, it’s clear that businesses should make phishing prevention a priority. To this end, firms should both look for well-regarded security awareness solution providers to partner with and emphasize the value that this training will deliver to the participating workers. Only a dedicated approach to phishing can keep companies safe in this increasingly dangerous environment.