What is Phishing?
Phishing is a form of cybercrime in which a hacker impersonates a person or organization in order to persuade a victim to share sensitive information, such as passwords or payment details. A phishing attack usually consists of several steps.
First, the victim receives an email, phone call, or text message from the hacker, who impersonates a trusted organization or person (e.g., a colleague, employer, company, or bank). Imitating a sender in this way is known as ‘spoofing’.
The message creates urgency or alarm and urges the victim to click on a link or go to a website. A victim who does so lands on an imitation of the real website. There, the victim enters sensitive information, such as login details, personal information or banking information, and the hacker gains access to the victim's accounts, data or money.
This form of cyber-attack is common because it does not depend on a weakness in a system. The hacker manipulates people using social-engineering techniques, so no technical vulnerability needs to be found or exploited for the attack to succeed.
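The two technical signals in the steps above, a spoofed sender and a link that leads to an imitation site, can be checked automatically on the receiving side. The following Python script is an added example and not BSM's tooling: it reads the Authentication-Results header that a receiving mail server adds (SPF, DKIM and DMARC verdicts), then compares each link's visible text with where it really points and looks for a known brand name in the destination host, including digit-for-letter substitutions. The sample message, the brand list and the two-label domain approximation are constructed assumptions for the example.

```python
"""Heuristic checks for the two phishing signals described above: a spoofed
sender and a link to an imitation site. Added example, not BSM's tooling;
the sample message, brand list and domain approximation are constructed."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation's users legitimately deal with (constructed).
KNOWN_BRANDS = {"examplebank.com": "examplebank"}
LEET = str.maketrans("0135", "oles")  # digits commonly swapped for letters

# Constructed sample: the From header claims examplebank.com but SPF/DMARC
# failed, and the visible link text differs from where the link really goes.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank.com>
To: victim@corp.example
Subject: Urgent: verify your account
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=examplebank.com; dkim=none; dmarc=fail header.from=examplebank.com
Content-Type: text/html; charset=utf-8

<html><body><p>Your account will be locked in 24 hours.</p>
<a href="https://examp1ebank.com.login-verify.net/auth">https://www.examplebank.com/login</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels: a crude stand-in for a public-suffix lookup
    (wrong for co.uk-style suffixes; good enough for the example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def auth_results(msg):
    """Parse spf/dkim/dmarc verdicts from the receiving server's
    Authentication-Results header (RFC 8601), e.g. {'spf': 'fail', ...}."""
    verdicts = {}
    for clause in str(msg.get("Authentication-Results", "")).split(";")[1:]:
        method, _, rest = clause.strip().partition("=")
        if rest:
            verdicts[method] = rest.split()[0].lower()
    return verdicts


def imitated_brand(host):
    """Brand a host impersonates, or None if it is the brand's own domain."""
    host = host.lower()
    if registrable_domain(host) in KNOWN_BRANDS:
        return None
    for real_domain, brand in KNOWN_BRANDS.items():
        if real_domain in host or brand in host.translate(LEET):
            return brand
    return None


def analyze(raw):
    """Return a list of human-readable findings for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = msg["From"].addresses[0].domain
    verdicts = auth_results(msg)
    if verdicts.get("dmarc") == "fail" or (
        verdicts.get("spf") == "fail" and verdicts.get("dkim") != "pass"
    ):
        findings.append(f"sender domain {from_domain} not authenticated: {verdicts}")
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        shown_host = urlparse(text).hostname if text.startswith("http") else None
        if shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
            findings.append(f"link shows {shown_host} but goes to {href_host}")
        brand = imitated_brand(href_host)
        if brand:
            findings.append(f"{href_host} imitates {brand}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the constructed sample it reports three findings: the sender domain failed authentication, the link text shows examplebank.com while the href goes to login-verify.net, and the host examp1ebank.com.login-verify.net imitates examplebank. Real mail gateways apply the same ideas with a proper public-suffix list and a much larger brand list; a DMARC failure alone is not proof of phishing, since forwarded and mailing-list mail also fails, which is why the link checks are worth combining with it.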
Why is Phishing dangerous?
Through a phishing attack, hackers can obtain sensitive information or, in extreme cases, money directly. If login credentials are shared, the hacker can steal personal and/or company information. Phishing is also a common first step of a ransomware attack: the hacker needs access to an account with sufficient privileges, for example that of an IT employee or administrator, and then uses it to steal and encrypt data. The hacker then demands money in exchange for access to your own data.
What can I do about phishing?
Because phishing exploits people’s trust, the most important protection against a phishing attack is knowledge. This matters especially in companies with many employees: the hacker only needs one person to fall for the message, and the more recipients there are, the more likely that is. If employees know how to recognize a phishing attack, and how to report it in the right place, the attack can be stopped quickly, without additional damage. It is therefore important for companies to test the knowledge level of their employees and to supplement it where necessary. One way of doing this is a phishing test. Here, ethical hackers take on the role of malicious hackers. A phishing mail is sent, which leads to a page where employees fill in data, just like in a real attack. However, the ethical hackers do not collect personal data via this page, only data about the effectiveness of the attack. For example, they can find out how many employees click on the link in the e-mail, how many people provide sensitive information, and whether the people who do realize that it is a phishing attack report it. Based on this, employees’ knowledge can be refreshed, for example through training.
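What a phishing test actually measures is the funnel described above: recipients who clicked, who filled in data, who reported the mail, and how quickly. The following Python script is an added example, not BSM's reporting; it scores a constructed event log, deduplicating repeated clicks and distinguishing people who reported before clicking from those who reported only after falling for the link. The event names and the log are assumptions made for the example.

```python
"""Scores a phishing test from its event log: how many recipients clicked,
how many entered data on the landing page, how many reported the mail, and
how quickly. Added example, not BSM's reporting; log and event names are
constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed log of one simulation: (ISO timestamp, recipient, event).
# Event names assumed here: sent, click, submit (data entered on the
# landing page), report (mail reported to the security team).
EVENTS = [
    ("2024-03-04T09:00:00", "ana", "sent"),
    ("2024-03-04T09:00:00", "ben", "sent"),
    ("2024-03-04T09:00:00", "cas", "sent"),
    ("2024-03-04T09:00:00", "dee", "sent"),
    ("2024-03-04T09:00:00", "eli", "sent"),
    ("2024-03-04T09:00:00", "fay", "sent"),
    ("2024-03-04T09:05:00", "ben", "report"),
    ("2024-03-04T09:12:00", "ana", "click"),
    ("2024-03-04T09:13:00", "ana", "submit"),
    ("2024-03-04T09:14:00", "ana", "click"),   # page reload; must not count twice
    ("2024-03-04T09:20:00", "cas", "click"),
    ("2024-03-04T09:22:00", "cas", "report"),  # clicked first, then reported
    ("2024-03-04T09:30:00", "eli", "click"),
    ("2024-03-04T09:40:00", "fay", "report"),
]


def first_events(events):
    """Earliest timestamp of each event type per recipient (dedups repeats)."""
    first = defaultdict(dict)
    for ts, who, ev in events:
        t = datetime.fromisoformat(ts)
        if ev not in first[who] or t < first[who][ev]:
            first[who][ev] = t
    return first


def summarize(events):
    """Funnel counts and rates over the recipients the mail was sent to."""
    first = first_events(events)
    sent = [w for w, evs in first.items() if "sent" in evs]
    clicked = [w for w in sent if "click" in first[w]]
    submitted = [w for w in sent if "submit" in first[w]]
    reported = [w for w in sent if "report" in first[w]]
    # The behaviour training aims for: reporting without clicking, or at
    # least before clicking.
    reported_clean = [
        w for w in reported
        if "click" not in first[w] or first[w]["report"] < first[w]["click"]
    ]
    minutes_to_report = [
        (first[w]["report"] - first[w]["sent"]).total_seconds() / 60 for w in reported
    ]
    n = len(sent)
    return {
        "sent": n,
        "clicked": len(clicked),
        "submitted": len(submitted),
        "reported": len(reported),
        "reported_before_clicking": len(reported_clean),
        "click_rate": len(clicked) / n if n else 0.0,
        "submit_rate": len(submitted) / n if n else 0.0,
        "report_rate": len(reported) / n if n else 0.0,
        "median_minutes_to_report": median(minutes_to_report) if minutes_to_report else None,
        # Recipients who took the bait and never raised it: first training group.
        "clicked_without_reporting": sorted(set(clicked) - set(reported)),
    }


if __name__ == "__main__":
    for key, value in summarize(EVENTS).items():
        print(f"{key}: {value}")
```

For the constructed log this gives a click rate of 50%, a submission rate of one in six, a report rate of 50% with two of the three reporters never clicking, a median of 22 minutes from delivery to report, and ana and eli as the people who clicked without ever reporting. The time-to-first-report figure is the one that bounds how quickly a real incident could be contained, which is why it belongs in the report next to the click rate.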
BSM offers all of these services. Our phishing test gives you insight into your systems’ possible technical pitfalls, your employees’ knowledge on the topic of phishing, browser use and password policy. We also test how the organization handles a phishing attack. After the test you receive a report with the risk level of your organization, the results of the phishing test and recommendations for your company. We also offer several options for follow-up training. In consultation with you, we can adapt and customize these courses. This way you’ll always leave BSM safer than before!