Phishing Is the More Dangerous Hacking.

Hacking is not always hacking - even if cyberattacks are almost always referred to as such in the headlines. Attempts to get into IT systems through phishing emails are happening far more frequently because software and antivirus programs are virtually powerless against such attacks. Phishing targets individual employees because they can serve as a gateway to penetrate IT assets.

  #Cloud Security   #Security Awareness   #Security Risk Assessment   #Security Strategy Architecture   #SIEM   #Cyber Defense Center   #Vulnerability Management  
Markus Kaegi
+41 58 510 16 98

Phishing is indeed the most popular way to launch cyberattacks, according to a new study on cyber security in the UK[1]. According to the study, phishing emails were the most common cyberattack weapon last year, followed by other attacks with viruses or other malware. Phishing falls under the umbrella of "social engineering" because criminals use the human relationships of their victims and their social skills to attack computer systems.


The recipient becomes a gateway for attackers

Phishing e-mails are very easy to falsify and send - but very difficult to filter out. The weak point is the recipient, who has to judge whether the message is real or not. It is very difficult for people to identify criminal e-mails. The task becomes all the more challenging because attackers often pose as trusted colleagues or acquaintances to obtain passwords or other details. Many of the biggest hacking scandals of recent years, such as the theft and publication of e-mails around Hillary Clinton's election campaign[2], but also the attack on Sony Pictures[3], can be attributed to phishing e-mails. In the case of Hillary Clinton's campaign manager John Podesta, it was an email message from 'Google' that led to thousands of emails being made public that were never meant to be. Had Podesta made the right decisions to protect his Google account at the time, hackers would not have been able to find out his email password with a simple phishing message, and world history might have taken a different turn.


Training is the most effective remedy against phishing

Therefore, organizations actually only have one option to get a better grip on the problem: They need to train their employees thoroughly and make them aware of the dangers of being careless and trusting in the digital age.

Phishing emails usually look very serious and official. The recipient is often asked to confirm his access information because of a 'problem'. Whoever provides the requested information actually gives the attackers exactly what they are looking for - causing even bigger problems for themselves. But if some basic rules are followed, the risk of phishing can be minimized.


Be mistrustful

Trust is good, mistrust is better: Be wary of unexpected messages from people asking for colleagues' names or other internal information. If a person claims to be part of a legitimate organization, make sure that this is true and check with the appropriate company.

Avoid sharing internal information: Details about your company, its structure and networks, but also personal information should only be provided if you are absolutely sure about the recipient. This applies especially to e-mails - but not only. If you are not sure whether an e-mail message is legitimate, contact the company directly. To do this, find your own contact information. Don't use contact information or links provided on a website associated with a request.

Pay attention to the URL: Do not send important information over the Internet without checking the security of the corresponding website. Counterfeit websites can look just like a legitimate website. But their URLs often use a different domain or spelling.


If you think you have fallen for a phishing attack, don't wait, report it immediately to the people in charge within your company. If the report is made in good time, you may still be able to avert major damage.

Please contact me if you have any questions about phishing. UMB Security Intelligence as a Service.


[1]Cyber Security Breaches Survey 2019

[2]HowJohn Podesta’s E-Mail got hacked

[3]Sony hackers targeted employees with fake Apple ID emails