It's so easy to fake an email

More and more scammers are trying phishing attacks on various companies and individuals. The form of attack is sophisticated, and many are unsure what a phishing attack is and how to recognize one in their mailbox. We have talked to Mark Stegelmann at our partner company Watchcom, who works on this topic daily. Watchcom is a renowned provider of security services, with high expertise in security consulting, training, monitoring and testing.


Mark Stegelmann, PhD and department head for consulting at Watchcom

Scammers automate fake emails
- We all know how easy it is to write an email. What not everyone is equally aware of is how easy it is to fake an email, and an email's sender address, so it looks like it came from someone other than the one sending it. We call this a "phishing attack": when criminals send fake emails to defraud recipients. Investigations show that it is not technical security holes, but phishing attacks, that have become the most common way for criminals to gain access to business information and IT systems, Stegelmann explains, and continues:

- The scammers use automated tools to send fake emails to victims. For "generic" phishing attacks, emails are typically sent to lists of thousands or millions of recipients. The scammers may, for example, pretend to represent a major mobile operator, a public authority, a bank, the police, or other authorities we usually trust.

Plays on emotions
- In the email itself, scammers often play on trust in the sender and on the recipient's feelings, such as curiosity, respect or fear. They may, among other things, speculate that we agree to enter our credit card number on a website that appears to be the website of a major streaming provider, for example, to "prevent the streaming account from being locked", or speculate that we "look at an outstanding invoice" before it goes to debt collection, or open another attachment with "important information". That the website to which the e-mail refers is false, or that the attachment contains malicious software that gives the criminal access to the victim's PC and network, the e-mail obviously says nothing about, says Stegelmann.

- Despite the fact that today we have advanced technical systems and security solutions, such as e-mail filters, to stop many generic phishing attacks, scammers are constantly working to penetrate the barriers. For targeted phishing attacks, they tailor the criminal message and send the email only to selected people. An example of this is "director fraud", where an accounting officer receives an email from the manager. In the email, the manager asks for a transfer of a significant amount to a vendor account. Typical of this type of scam is the impression that the case is urgent. Too often we unfortunately see that the employee does not notice that the email comes from the criminal before the payment is made and the money is sent to an account abroad, says Stegelmann.

Watchcom can help companies reduce the number of phishing attacks
Watchcom has understood that training of employees is very important in preventing attacks. At Watchcom, the advisors have extensive experience in conducting generic and targeted phishing exercises based on today's threat landscape, for both smaller and larger private and public Norwegian clients. The security experts assist clients in planning the target group, timing and content of the exercise, to ensure that the results of the exercise provide the customer with the best possible insight into how vulnerable the business is to phishing attacks.

Phishing drills not only provide insights into how employees relate to phishing attacks; surveys Watchcom has done afterwards also show that just a few drills contribute to raising awareness among employees and significantly reducing successful phishing attacks.

To enhance training and awareness, Watchcom is partnering with one of the world's leading providers of phishing drills, KnowBe4. With KnowBe4's platform, we can offer our customers automated phishing exercises: a cost- and resource-efficient solution that reduces the need for coordination and follow-up of exercises and training measures. With a comprehensive platform, the customer will also be able to compare their own results against companies of the same size and industry over time, which will be an important tool for adjusting the security measures. With a well-established safety culture and a documented security solution that assists with the practical work, the safety management of the business will be simplified and assured.

- We are committed to creating a positive safety culture for our customers, and believe that a strongly rooted and practiced safety culture proactively contributes to increased security. We have very good experience with this across industries and businesses, adds Stegelmann.

Together with Watchcom we deliver courses in security culture, and we can conduct a phishing test to see what it looks like for you. Fill in the form below so that we can contact you with more information.

English version may be machine translated, and as such may contain linguistic inaccuracies. If in doubt, please reach out to us.