EU Cybersecurity Month: When a simple phishing click can severely harm your company
The EU Cybersecurity Month (“ECSM”) is the EU’s annual awareness campaign, held each October across Europe. Through this initiative, European institutions aim to raise awareness about cybersecurity threats, promote mitigation action and share good practice.
CMS Belgium fully supports this campaign. We are a proud partner of the Centre for Cyber Security and Cyber Security Coalition for Belgium’s national campaign on phishing this year. This type of cyberattack is a great threat for enterprises, in terms of both financial impact and productivity loss.
The ECSM represents a good opportunity for practising your cyber-hygiene. This article provides you with tips and tricks on how to identify and avoid phishing.
What is phishing?
Phishing is an attempt to steal personal and/or financial information or to infect computers and other work devices with malicious software (malware) and viruses.
Its best-known forms are fraudulent e-mails and websites designed to trick you into providing confidential and/or sensitive data (e.g. an order receipt from Amazon, a failed payment from PayPal, holiday and travel scams such as promises of cheap accommodation and flights, etc.). Cybercriminals will try to fool you by simply delivering a fake link or an attachment which, when clicked, infects your company’s main computer system with, for example, malware.
This type of cyberattack often looks modern and up to date, its forms changing and adapting so that phishing appears more and more real. For example, a recent trend entails taking advantage of recruitment periods by incorporating malware in résumés in order to infect the main system.
It is important for each of us to be cautious and aware that cybercriminals knowingly use methods based on fundamental and basic human emotions and characteristics such as fear, trust, curiosity, habits, secrecy, urgency and flattery in order to obtain our data.
Impact and risk – why does it matter?
Phishing is the number one threat for companies and can be extremely expensive. Some 91% of successful cyberattacks on the internet today use phishing methods.
Phishing attacks have grown exponentially over recent years (a 250% jump between 2018 and 2019 according to the Microsoft Security Intelligence Report) and more than 50,000 unique phishing sites are identified each month. In addition, many successful phishing attacks lead to substantial losses in productivity for the target organisation which, in turn, may impact the organisation’s reputation.
Moreover, phishing is a tool used to exploit networks and to commit blackmail, identity theft and extortion, to obtain, sell and trade sensitive data and secret information, to benefit from undue payments, etc.
Make your staff aware
Employees are frequently acknowledged as the weakest link in any security system. Enrolling your staff on cybersecurity training or e-learning courses will lead to more highly skilled employees who are unlikely to expose sensitive information. Campaign posters are also great supplements to training courses. Simulating a phishing attack, and monitoring how your staff respond, is also a good test.
Tips and tricks to identify and avoid phishing
The overall and most important advice (apart from installing anti-virus and other computer defence software) is to “Relax! And think twice before clicking on a link” (this is the slogan of the Belgian national campaign on phishing).
Here are some tips and tricks to identify and avoid phishing:
- Do not click on links or download attachments if you are not confident about the source of the email (the same applies for short links on social media).
- Resist the urge to click when you see an “urgent request”. Re-read the email and look for signs that it’s a phishing email.
- Never send passwords, bank account numbers or other private information in an email.
- Ask yourself these questions: Do I know the sender and am I expecting an e-mail from him/her? Does it seem strange or inappropriate? Does it feel like the sender is trying to spark my curiosity?
- Use different passwords in your personal and professional online activities.
- Pay attention to the domain name. Where does the link lead? (The domain name is the part that immediately precedes the “.com”, for example: “CMS.phishing.com” will lead you to “phishing.com” and not “CMS.com”.)
- Always look for spelling mistakes and bad grammar.
- Never enter private or personal information in a pop-up window.
- Keep your computer and browser updated.
- If the e-mail is not expected, call and ask the sender.
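The domain-name tip above can also be checked automatically, for example in a mail filter or a training tool. The following is an added example, not part of the original article: it works out which domain a link really belongs to and compares it with the one you expect. The function names and the small suffix table are assumptions made for illustration; a production check would load the full Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed, deliberately tiny sample of multi-label public suffixes.
# Assumption: a real check would load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(link):
    """Return the domain a link really belongs to, e.g. 'phishing.com'."""
    # urlsplit only recognises the host when the link contains '//'.
    if "://" not in link:
        link = "//" + link
    host = urlsplit(link).hostname  # lower-cased, port removed
    if not host:
        raise ValueError("no host name in link: %r" % link)
    host = host.rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host  # a bare IP address has no domain name to split
    except ValueError:
        pass
    labels = host.split(".")
    # Keep one label in front of the suffix; anything further left
    # (such as "CMS" in "CMS.phishing.com") is only a subdomain.
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def leads_to(link, expected_domain):
    """True only if the link's registrable domain is the expected one."""
    return registrable_domain(link) == expected_domain.lower()


if __name__ == "__main__":
    # Constructed sample links, including the article's own example.
    for sample in ("https://CMS.phishing.com/login",
                   "https://www.cms.com/about",
                   "cms.com.phishing.co.uk/reset"):
        verdict = "ok" if leads_to(sample, "cms.com") else "NOT cms.com"
        print(sample, "->", registrable_domain(sample), "(" + verdict + ")")
```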
For more information on cybersecurity and phishing (training), feel free to contact local CMS experts Thomas Dubuisson or Tom De Cordier, or your usual data protection contact at CMS.