Does your email smell Phishy?

As usual, puns make the world go round. This brings us to an important topic, and one that must start with some form of infographic backed by research. That's right, we are official now. With stats and stuff.



Before you go researching plagiarism accusations or what have you, let us list our sources for this particular blog. First source: the Ponemon Institute has presented the results of its study "The Cost of Phishing and Value of Employee Training", sponsored by Wombat Security, August 2015. We also take some material from the report "Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within", Kaspersky Lab and B2B International, June 2017.

So what is phishing exactly? Is it the same as a social engineering attack? Well yes, to simplify it. Phishing is a form of social engineering attack, although not the only type. Phishing, just like it sounds, is a tactic employed by attackers who are trying to either steal your data or penetrate your security, most commonly in the form of an email with an attachment or a link, in the hope of convincing the recipient to open the attachment or click the link. The link will look legitimate and redirect the recipient to a website that may look familiar to them. The recipient inputs their email and password to access it. Now whoever sent this fake link has the credentials to access the recipient's account and can hijack or manipulate the information, or the access itself, to their advantage.

So let's start the process in a simple way, from a social engineering perspective. What really is social engineering? It is, as it says, the engineering of an environment designed to convince you it is a legitimate one. Say I want to gain access to the company email account of a particular staff member. I would start by researching social media such as LinkedIn to determine the name of the person. I would go through the company's website to look at the full team, which might include the name and email of the IT head of your company.
So I would register a domain that seems really similar to your company's domain. Say your company is abc.com and your IT department has the email support@abc.com. All I have to do is register abc.co and create the email support@abc.co. Then I would send you an email that looks awfully similar to one sent within your organization, asking you to change the password of your account for security. At a glance you would think this email came from your IT department, and you would key in your current credentials and change them to new ones. It would show a success message for your password change and you would think nothing of it.
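As an added example that is not part of the original post: a small defender-side check, in Python, that classifies the sender domain of a From: header against the organization's own domain (abc.com from the scenario above is assumed as the trusted domain) and flags near-matches such as abc.co as lookalikes, which is exactly the kind of mail a user or a mail filter should treat with suspicion.

```python
from email.utils import parseaddr

# Constructed for this example: the organization's legitimate domain(s),
# matching the abc.com scenario in the text.
TRUSTED_DOMAINS = {"abc.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: value such as 'IT Support <support@abc.co>'."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for the sender's domain.

    A lookalike is a domain within max_distance edits of a trusted domain
    (abc.co, abcc.com) or one that reuses the trusted first label under a
    different top-level domain (abc.net). Subdomains of a trusted domain
    (mail.abc.com) count as internal.
    """
    domain = sender_domain(from_header)
    if not domain:
        return "external"
    for good in trusted:
        if domain == good or domain.endswith("." + good):
            return "internal"
    for good in trusted:
        if domain.split(".")[0] == good.split(".")[0]:
            return "lookalike"
        if levenshtein(domain, good) <= max_distance:
            return "lookalike"
    return "external"
```

Any message classified as "lookalike" is a candidate for quarantine or a visible warning banner, and a password-change request from such a sender should be confirmed out of band with the real IT department.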

So now whoever did this has full access to your account, maybe even your email, and is able to pull out all of the information in it. Furthermore, they proceed to email your colleagues from your email address in an attempt to gather more credentials and information, and so the process is repeated slowly throughout your organization. Invoices, contracts, client lists, leads and anything else you can think of have been gathered. These leads somehow make their way onto platforms that sell leads to companies, and now you have a competitor homing in on an account you have taken years to build. All of your prospects and projects can now be sold; the information you thought was secret is no longer secret. Your client who is getting a quote from you gets a cheaper quote from a competitor, and you lose the project thinking your client lied when they said yours was the only company they had approached. Although it may seem that way, the leak came from within your organization.


It sounds like the stuff of spy novels, and it is happening right now. Hundreds of thousands of accounts each minute of every hour are continually being compromised. Approximately 4-5 hours each year per employee are wasted as a direct result of phishing scams, leading to a drastic reduction in productivity for the employee and for the organization itself. And as you can see from the first infographic, the cost and impact are significant: $400 per employee per year on average that we are aware of, and around $83,000 per small to medium-sized business or enterprise. Money is constantly leaking at the seams and it is imperative to close up these leaks wherever they may be.


So what can you do? What is the solution to this problem? The most important thing is employee training.
