Management

Phishing Keeps Hooking Its Targets

EP Editorial Staff | April 1, 2023

Minimizing damage from phishing and its variants requires awareness and constant reminders and training.

By Laura Elan, MxD

Phishing continues to be one of the biggest cybersecurity threats that manufacturers face. How big? The “State of Phishing” report from SlashNext, Pleasanton, CA (slashnext.com), said there were more than 255 million phishing attacks in 2022, a 61% increase from 2021, a year that was labeled “the worst year on record for cybersecurity.” It was also the year manufacturing became the top target for cyberattackers.

In phishing attacks, messages and their perilous hyperlinks often land in inboxes looking like they came from large and trusted companies. Today, companies must reckon with larger and more sophisticated phishing attacks, including:

• malware phishing, delivered through email and relying on attachments such as phony invoices to unleash malicious software.

• spear phishing, in which criminals use personal or career information about a target in their message. Such information can lull the person into letting their guard down and clicking on a bad link. Spear phishing also can be aimed at groups within an organization, using a “spoofed” email address that resembles the company’s email format.

• whaling, which goes after big targets, including company executives.

• smishing and vishing, which follow similar tactics using text messages (smishing) and phone calls (vishing).

Tactics to defend against these attacks include training, requiring employees to use multifactor authentication, and installing email filters to stop phishing messages from reaching inboxes.

Regular training programs are crucial. One easy way to run them is to use the “report phishing” button available on most email clients. Companies can send emails to employees that mimic phishing attacks and then see who correctly identifies the suspect email and reports it, and who opens it and clicks on the link. Those who click on a bad link get a popup box alerting them to their error and teaching them what to look for to avoid cyberattacks.

Companies should also teach workers to speak up when things don’t look right. Did they just get an email from “Human Resources,” but the company calls that department “Talent Acquisition and Development”? Training will remind them to pick up the phone to find out whether the email is legitimate.

Multifactor authentication is another defensive strategy, in which employees must verify their identity with more than a password. With this in place, even if a bad actor gets an employee’s login credentials, they cannot use those credentials alone to access company networks.

Filters are an additional shield. With employees often quickly going through emails, or simply not paying careful attention, filters can be set up to recognize and block suspect domain names, preventing the phishing emails from ever reaching workers.
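One way a filter can recognize suspect sender domains, shown as an added example that is not from the article: it flags domains that resemble, but do not equal, the organization's own domain. The domain `example-mfg.com`, the look-alike character map, and the distance threshold are assumptions chosen for illustration.

```python
"""Flag sender domains that imitate a trusted domain (illustrative filter rule)."""

# Assumption: the organization's real domain(s); example-mfg.com is a placeholder.
TRUSTED = {"example-mfg.com"}
# Assumption: a small map of look-alike characters, not an exhaustive list.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().strip(">").lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(address: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a sender address."""
    domain = sender_domain(address)
    if domain in TRUSTED:
        return "trusted"
    folded = domain.translate(CONFUSABLE).replace("rn", "m")
    for good in TRUSTED:
        if folded == good or edit_distance(folded, good) <= max_distance:
            return "lookalike"
        # Trusted name used as the leading labels of some other domain.
        if domain.startswith(good + "."):
            return "lookalike"
    return "external"


# Constructed sample senders, for demonstration only.
SAMPLES = [
    "hr@example-mfg.com", "hr@examp1e-mfg.com", "payroll@example-mgf.com",
    "it@example-mfg.com.login-portal.test", "sales@supplier.test",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):9}  {s}")
```

A `lookalike` result is a reason to quarantine or tag the message for review; legitimately similar partner domains will also match and should be allow-listed explicitly.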

Above all, employers must recognize that cybercriminals are getting proficient at making their emails look authentic. They use design services and even repurpose legitimate email shells. 

While employees are getting smarter about what to avoid and filters are getting better at blocking, persistent training is the key to minimizing damage.

Laura Élan is Senior Director of Cybersecurity for MxD Cyber: The National Center for Cybersecurity in Manufacturing, Chicago (mxdusa.org). Elan supports MxD’s cybersecurity projects and initiatives and leads the company’s Cybersecurity Steering Committee.
