
First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls


By Christina Catenacci, BA, LLB, LLM, PhD | 4 Minutes Read September 7, 2021

Plenty of phishing going on

IBM Security’s “Cost of a Data Breach 2021” tells a sad tale: data breaches cost companies $4.24 million per incident on average, the highest cost in the 17-year history of the report. Security incidents became more costly (10 percent more than last year) and more difficult to contain because of the drastic operational shifts during the pandemic. When remote workers were involved, data breaches ended up costing companies $4.96 million (nearly 15 percent more than the average breach). There is more: the average time to detect and contain a data breach was 287 days (212 to detect, 75 to contain), one week longer than the previous year. One more thing: compromised user credentials were the most common entry point used by attackers. According to Verizon’s “2020 Data Breach Investigations Report”, credentials were by far the most common attribute compromised in phishing breaches. Things did not improve in 2021, as seen in Verizon’s “2021 Data Breach Investigation Report”, where phishing attacks increased by 11 percent from last year due to increased remote working. But what exactly is phishing? What can organizations do to address the issue?

What is phishing?

Phishing is a cybercrime in which scammers try to lure people into handing over sensitive information or data by disguising themselves as a trustworthy source. For example, an email may appear to come from a trusted bank with some sort of warning, such as that the account will be frozen unless it is verified, but really this is a scam attempting to get the recipient to enter personal information and account details. This was not the bank—this was a bunch of cybercriminals trying to compromise the recipient’s security. Banks would never email customers requesting this type of information.

Another example may be in the form of an urgent phishing email warning that the account will be shut down and access to messages will cease unless a link is clicked on to resolve the situation. This is the scammer trying to capture personal information or install malware or adware. By malware, I mean any type of malicious software designed to harm or exploit any programmable device, service or network in order to extract data that cybercriminals can leverage over victims for financial gain. There are several kinds of malware, some of which include viruses, scareware, spyware, and ransomware. By adware, I mean software that hijacks a browser or other parts of a system in order to blast someone with unwanted ads.

But email is just one way—phishing can also be done through the good old-fashioned phone call (known as vishing) or text message (known as smishing). And there are several types of phishing, the main ones being:

  • Email phishing: impersonating legitimate companies and trying to steal personal information
  • Spear phishing: more personalized email messages that seem to come from individuals that the person knows
  • Clone phishing: replicating a received email, but adding a dangerous attachment or link
  • Whaling: targeting high-ranking executives to gain access to sensitive data or money
  • Pop-up phishing: tricking users into installing malware

How can someone know that phishing is taking place? If things seem too good to be true, they usually are. If there are strange graphics or spelling and grammatical errors, that is a sign. And if there are urgent messages with deadlines or suspicious attachments and hyperlinks—especially from senders who are not recognized—those are red flags. If the message (or the page it is linking to) seems a bit off, it likely is.

But some are particularly deceptive—some spear phishing emails target a company employee while appearing to come from a manager or a coworker. The email may request access to sensitive company information, and if the target provides it, the result can be a data breach.
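The red flags listed above (urgent deadlines, unrecognized senders, a display name borrowed from a trusted organization, links whose visible text does not match their real target, risky attachments) can be checked mechanically before a worker acts on a message. The script below is an added example, not code from the original post; the known-domain list, the sample messages and the two-flag threshold are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Domains the organization actually uses or banks with (constructed list for this example).
KNOWN_DOMAINS = {"examplebank.com", "ourcompany.example"}
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours?|will be (?:frozen|shut down|suspended)"
                     r"|verify your account)\b", re.I)
RISKY_EXT = (".exe", ".js", ".scr", ".html", ".zip", ".docm")
DOMAIN = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def flags_for(msg):
    """Return the red flags found in one message (a dict the caller has already parsed)."""
    flags = []
    sender_domain = msg["from_addr"].rsplit("@", 1)[-1].lower()
    if sender_domain not in KNOWN_DOMAINS:
        flags.append("unrecognized sender domain: " + sender_domain)
    # Display name borrows a known brand while the address belongs elsewhere.
    for known in KNOWN_DOMAINS:
        if known.split(".")[0] in msg["from_name"].lower() and sender_domain != known:
            flags.append(f"display name '{msg['from_name']}' does not match {sender_domain}")
    if URGENCY.search(msg["subject"] + " " + msg["body"]):
        flags.append("urgent deadline or account-threat wording")
    for text, href in msg["links"]:          # (visible text, real target) pairs
        m = DOMAIN.search(text)
        shown = m.group(1).lower() if m else ""
        actual = (urlparse(href).hostname or "").lower()
        if shown and shown != actual:
            flags.append(f"link text shows {shown} but points to {actual}")
        elif actual not in KNOWN_DOMAINS:
            flags.append("link to unrecognized host: " + actual)
    for name in msg["attachments"]:
        if name.lower().endswith(RISKY_EXT):
            flags.append("risky attachment type: " + name)
    return flags

def triage(msg):
    """Two or more flags is enough to hold the message for a second look (assumed threshold)."""
    found = flags_for(msg)
    return ("review before acting" if len(found) >= 2 else "ok", found)

# Constructed sample messages, not real mail.
SUSPECT = {"from_name": "ExampleBank Security", "from_addr": "alerts@examplebank-verify.net",
           "subject": "URGENT: your account will be frozen",
           "body": "Verify your account within 24 hours or access to messages will cease.",
           "links": [("examplebank.com/verify", "http://examplebank-verify.net/login")],
           "attachments": ["statement.zip"]}
LEGIT = {"from_name": "ExampleBank", "from_addr": "notices@examplebank.com",
         "subject": "Your monthly statement is available",
         "body": "Log in to view your statement at your convenience.",
         "links": [("examplebank.com", "https://examplebank.com/statements")], "attachments": []}

if __name__ == "__main__":
    for label, msg in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(label, triage(msg))
```

A single flag is not proof of phishing; the value is in surfacing the same signals the training describes so the worker pauses and verifies through a known channel.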

What can organizations do to address phishing?

First and foremost, organizations should educate everyone working in the organization who has access to its sensitive information, whether they are employees, contractors, suppliers, or support workers such as IT support staff. It is important to note that many workers are simply unaware or make honest mistakes, and both of these factors can be reduced with training.

When training workers, there are several strategies that can be utilized, including: inviting experts to come and emphasize the importance of not falling victim to phishing and using strong passwords; providing real-life examples using simulations; having interactive videos and games; and listening to the Office of the Information and Privacy Commissioner of Ontario’s podcast about not falling for phishing. The organization should start this training at the beginning of the working relationship and regularly provide updated training throughout the working relationship.

Another necessary strategy is to properly protect the organization’s systems. It is worth looking at the various options to see what is most appropriate for the organization, whether that is antivirus protection, malware removal and protection, or ransomware protection.

And given that we now live in a world with remote work, organizations should read the documents entitled “Cyber Security Tips for Remote Work” and “Best Practices for Passphrases and Passwords” by the Canadian Centre for Cyber Security. The information in these documents can be used when creating an organization’s cybersecurity training program for its workers. Lastly, the Canadian Centre for Cyber Security also has a list of actions to take after accidental interaction with a malicious email in “Spotting Malicious Email Messages”.


Article by Christina Catenacci, BA, LLB, LLM, PhD / Business, Information Technology, Privacy / cyber attack, cybercrime, cybersecurity, Data breach, malware, passwords, phishing, privacy, ransomware


About Christina Catenacci, BA, LLB, LLM, PhD

Christina Catenacci, BA, LLB, LLM, PhD, is a member of the Law Society of Ontario. Christina worked as an editor with First Reference between 2005 and 2015 working on publications including The Human Resources Advisor (Ontario, Western and Atlantic editions), HRinfodesk, and First Reference Talks blog discussing topics in Canadian Labour and Employment Law. She continues to contribute to First Reference Talks as a regular guest blogger, where she writes on privacy and surveillance topics. Christina has also appeared in the Montreal AI Ethics Institute's AI Brief, International Association of Privacy Professionals’ Privacy Advisor, Tech Policy Press, and Slaw - Canada's online legal magazine.

Copyright © 2009 - 2023 · First Reference Inc. · All Rights Reserved