Phishing is the practice of sending fraudulent emails, usually purporting to be from a friend or a well-known business, with the intent of duping recipients into giving up sensitive information, such as passwords or credit card numbers. Gaining these credentials can enable bad actors to compromise email accounts and web app servers to launch follow-on attacks. Phishing emails can be used to deploy malware, including ransomware. Anyone in the public or private sector has the potential to be a target of a ransomware attack.
Phishing is one of the most used vectors for cyber attacks—present in almost two-thirds of all social engineering breaches according to the DBIR. The recent increase in phishing may be linked to the surge in businesses having staff work from home and the resulting, more mobile workforce. Phishing has also expanded into similar forms, such as messaging apps or SMS (known as smishing) and voice calls (known as vishing).
As noted in the DBIR, Verizon observed an overall phishing click rate of just 2.9% in 2022, indicating there is some awareness of the dangers. Simulations can be an important tool in helping employees understand how phishing works. As with any training, the more realistic the simulations are and the more closely they reflect current attack methods, the more effective they will be for staff. Training should also cover how to report phishing attempts to your IT and internal security teams.