The Cyberwar Is Here. Your Business Is a Combatant, and Phishing Is Cybercrime’s Main Weapon

The technology and tactics of phishing attacks are always evolving and you must be proactive to stay ahead of today’s threats

Phishing scams are the most common forms of cybercrime; research suggests that employees receive an average of 14 malicious emails per year. But phishing is common because it is effective; 20% of employees click on phishing links during simulated phishing attacks, and around 25% say they’ve clicked on a scam email during working hours.

In other words, it should be no surprise that phishing is used in one-third of all cyberattacks.

But as common and effective as phishing already is, it’s becoming virulent too.

In a standard phishing attack, hackers and cybercriminals want to prey on our unpreparedness, laziness, or distraction, hoping we’ll click that link and give them the information they need to steal our identities, hack our financials, or compromise our devices.

But there’s a new kid on the block that will make phishing attacks even more sophisticated, more plausible and more dangerous. It’s called a browser-in-the-browser (BitB) phishing attack, and it is capable of perfectly simulating a normal Google or Facebook log-in pop-up.

To the unsuspecting or untrained eye, the browser window simulated by this genre of phishing attack won’t raise any alarm bells. Ordinary web users will feel comfortable and safe as they type in their log-in credentials, unknowingly compromising their own accounts.

This kind of evolution in cybercrime technology should come as no surprise to people who’ve closely followed the space. Cybercriminals are always developing newer, better tools to circumnavigate security systems, outsmart IT teams, or dupe ever more wary web users. It happens with ransomware with alarming frequency; it’s happening with phishing too.

The problem is that many business leaders are surprised, and they’re surprised because they aren’t aware of just how directly these threats target their organizations. Phishing scammers aren’t going after moms and dads when they shop online or read their personal emails; they’re targeting your team leaders, your hiring recruiters, your project managers and your administrators.

You don’t have to be a big business to be a victim of cybercrime; small businesses are actually more likely to be a target. And it doesn’t matter if you feel your organization isn’t important enough for cybercriminals to go after it; every organization is a combatant in today’s cyberwar.

So, what can your organization do in response?

One of the biggest and most obvious steps is also one of the least common: simply have a cyber incident response plan, and be prepared to implement it. Seventy-seven percent of organizations either don’t have a formal crisis incident response plan or don’t have one that is applied consistently across their whole organization; when the worst happens, they’ll be left scrambling.

But you can also get ahead of these cyber threats by proactively addressing your cyber risks. The greatest vulnerability to any organization, especially when it comes to phishing attacks, is its employees. That’s because their data privacy is under near-constant assault by bad actors, and it only takes one piece of sensitive information to compromise a log-in credential and infiltrate an organization’s network.

As cyber threats evolve, employers and employees will need to forge new partnerships to ensure they both stay protected. Privacy protection must become a priority for everyone, or else privacy violations will become a problem for everyone.

These two steps aren’t everything, but they are a lot. Start getting ahead of today’s cyber threats, and you stand a chance against what cybercriminals may throw at you tomorrow.