That delivery address request is probably a scam
Phishing emails are more believable than ever. Here’s what to do about it, write DEREK MANKY and ROB RASHOTTE of Fortinet.
Phishing isn’t new. This social engineering tactic has existed in attackers’ toolboxes for decades, with threat actors posing as trusted contacts and then targeting unsuspecting victims through email or text messages to steal sensitive data.
There are plenty of data points that illustrate the effectiveness of this attack method. According to the Fortinet 2023 Global Ransomware Report, phishing is the top tactic (56%) malicious actors use to infiltrate a network and launch ransomware successfully.
While malicious actors always attempt to craft legitimate-looking phishing communications, some cybercriminals excel at this more than others. Historically, phishing communications have often been easy to spot because of careless drafting, with a lot of spelling errors and incorrect grammar.
Yet as AI-driven content tools become more broadly available at low or no cost, cybercriminals are turning to these technologies to advance their operations. One way they’re doing this is by using AI to make their phishing emails and text messages appear more realistic than ever before, increasing the chances they’ll succeed at getting their unsuspecting victims to click on a malicious link.
As we usher in a new era of AI-crafted communications, employees have an even more critical role in defending their organisations against attempted breaches. However, simply advising employees to look for the “traditional” attributes of phishing is no longer enough to keep organisations safe.
Beyond investing in the right technologies, such as enabling spam filters and implementing multi-factor authentication, employee education can make or break efforts to safeguard organisations from phishing and ransomware.
Phishing remains the number one delivery method for ransomware
According to recent research, phishing remains the number one attack vector associated with ransomware delivery. And it’s easy to see why it’s the vector of choice, as attackers continue having success with this tactic. According to data from phishing assessments conducted by the Cybersecurity and Infrastructure Security Agency, 80% of organisations had at least one employee who fell victim to a simulated phishing attempt.
Ransomware continues to impact organisations of all sizes across all industries and geographies. And while most business leaders believe they’re ready to defend against ransomware (78% say they’re “very” or “extremely” prepared to mitigate the threat), half fell victim to a ransomware attack in the past 12 months.
Employee education efforts to protect the enterprise against phishing
Because most ransomware is delivered through phishing, employee education is essential to protecting organisations from these threats. That said, there’s no one-size-fits-all education program; training efforts should be tailored to the enterprise’s unique needs. Below are several types of services and programs designed to help users understand and detect phishing and other cyberthreats, all of which can serve as a starting point for building a comprehensive employee security awareness program.
- Security awareness training: Employees are high-value targets for threat actors. Implementing an ongoing cyber-awareness education program—one that is assessed and updated frequently to reflect the changing nature of the threat landscape—is a critical part of keeping an organisation safe. The Fortinet Security Awareness and Training Service is a SaaS-based offering that delivers current awareness training on the most timely and relevant security threats. The service helps IT, security, and compliance leaders build a cyber-aware culture in which employees are more likely to recognise attacks and avoid falling victim to them. As a bonus for organisations with compliance needs, the service also helps satisfy regulatory or industry compliance training requirements.
- Phishing simulation services: Delivering simulated phishing emails to an organisation’s employees allows them to practise identifying malicious communications so that they know what to do when a threat actor strikes. The FortiPhish Phishing Simulation Service uses real-world simulations to help organisations test user awareness and vigilance to phishing threats and to train users on what steps to take when they suspect they might be a target of a phishing attack.
- Free Fortinet Network Security Expert (NSE) training: The Fortinet Training Institute offers free, online, self-paced NSE training modules to help users learn how to identify and protect themselves from various types of threats, including phishing attacks. These modules can easily be added to existing internal training programs to reinforce critical concepts. Additionally, Fortinet Authorised Training Centres (ATCs) provide instructor-led training to increase access to the NSE curriculum worldwide.
Security awareness programs help organisations stay ahead of threat actors
As with the introduction of any new technology, cybercriminals will continually find ways to use these tools for nefarious purposes. This requires security teams and every employee in organisations to become even more diligent in guarding against threats. That’s why it’s vital for organisations to evaluate and evolve their current cyber-awareness program, ensuring learners and employees have the most updated and relevant knowledge to keep them (and the organisation’s data) safe.
* Derek Manky is Chief Security Strategist & Global VP Threat Intelligence at FortiGuard Lab and Rob Rashotte is Vice President, Global Training & Technical Field Enablement at Fortinet