How phishing scams have changed and how to protect against them [Q&A]

Cyberattacks and data breaches come in many forms, but often at the root of them is a phishing scam.

Exploiting the fact that humans are the weakest link in the security chain, cybercriminals use phishing to trick employees into giving up credentials or other sensitive information that can be used to gain a foothold to carry out a later attack.

We spoke to Eric Sugar, president of ProServeIT, to find out about the risks of phishing and how businesses can protect themselves.

BN: Why has phishing remained such a major threat?

ES: Phishing remains a major threat due to its simple yet effective strategy: exploiting human psychology. People generally care and want to help. It targets the weakest link in any cybersecurity system -- the user. People tend to be trusting and unaware of the latest threats, which makes them susceptible to social engineering tactics like phishing.

BN: How have phishing tactics changed in recent years?

ES: Phishing tactics have evolved from broad, untargeted email scams to sophisticated, highly targeted operations. These include spear-phishing, where specific individuals are targeted, and whaling, targeting high-level executives. Additionally, attackers now utilize various platforms, such as social media and mobile applications, for their attacks. Phishing campaigns also now use trusted people or people in authority positions as part of their campaigns, which also makes it harder for people.

BN: What's the first step in strengthening your defenses?

ES: To me, the first step is creating an open culture where it is rewarded and 100 percent okay to question everyone. I'm grateful and excited when someone says, "Hey, Eric, did you send me that email or text?" A pretty close second and an action that can be taken right away to strengthen defenses is at least annually identifying vulnerabilities. This involves carrying out an annual security assessment of your network, systems, and processes, understanding where sensitive data resides and how it's protected, and identifying potential weaknesses that could be exploited by cyber attackers.

BN: How big a role does education have to play in combating the problem?

ES: Education plays the most critical role in combating phishing. Regular training and awareness programs help employees understand the nature of phishing threats, recognize suspicious emails or messages, and know what action to take when encountering potential phishing attempts. Start with easy, simple campaigns and get progressively more difficult. If you're working with an MSSP, they should have a program to help you with this.

BN: Does this mean we need to change the culture of the business?

ES: Combating phishing doesn't mean you need to change the culture of the business. Being cyber security aware and creating a culture of learning may change or may augment your current culture. We all need to foster a culture of security awareness where every employee understands their role in preventing cyber attacks. This shift ensures cybersecurity is everyone's responsibility and not just that of the IT department.


© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.