The effects of phishing should not be underestimated

Phishing is a form of online fraud whereby criminals use digital messages to try to entice you to rogue websites. There they ask for your personal details, passwords or PIN codes. They then use this information to steal your identity, empty your bank account or launch a targeted cyberattack on your company.

Wouter Vandenbussche, Solution Lead Cybersecurity at Proximus, and Koen Bossaert, Solution Lead Vulnerability Management and co-founder of Davinsi Labs, explain the different kinds of phishing, the dangers and the potential impact.

Types of phishing

There are various kinds of phishing, based on the channel used by the phishers. In addition to the traditional e-mail channel, phishing also comes in other guises:

• In the case of vishing, or voice phishing, fraudsters phone their victims. When nobody picks up, they leave a voice message. They often use strong or threatening language, which makes victims feel that they have no choice but to hand over the requested information or call back.
• Smishing is phishing via text message. Cybercriminals send fake text messages, for example from a courier service, and ask you to follow or change your order via a rogue link.
• Phishers also attack via social media and instant messaging applications. Always be vigilant about dubious reactions or comments, because some accounts can be hacked without you knowing.
• In the case of clone phishing, cybercriminals send clone e-mails that appear to come from a reliable company but actually lead to rogue sites.

Companies have lost hundreds of thousands of euros, CEOs and CFOs have been fired as a result of phishing – it’s more common than you realize.

Wouter Vandenbussche, Solution Lead Cybersecurity at Proximus

Different targets

Depending on their ultimate objective, cybercriminals direct their fire at different targets. In the case of phishing, a large group of people are in the crosshairs and the phishing mail is sent in bulk.

Spear phishing, on the other hand, is directed at one person or a specific group of people (e.g. HR) and the messages are more difficult to detect because they are more advanced. In these cases the phisher has done thorough research and is well prepared.

When an attack is directed at management who have access to highly valuable information, such as CEOs and CFOs, this is known as whaling. Cybercriminals almost always have financial objectives. If a company is chosen as a target, it is usually the first step of a bigger cyberattack.

Humans are the weakest link

Phishing is dangerous because it can lead to enormous damage and targets the weakest link in the security chain: humans. “Phishing has caused the downfall of many a business,” says Wouter Vandenbussche. “They lose hundreds of thousands of euros due to CEO or invoicing fraud. This is money that they never see again because it is transferred at lightning speed to foreign bank accounts. CEOs, CFOs, and CIOs have been fired as a result of phishing. Unfortunately it’s more common than you realize.”

Even if less than 0.01% of recipients give out their information, the gain for phishers can still be colossal.

Koen Bossaert, Solution Lead Vulnerability Management at Davinsi Labs

Hundreds of millions of e-mails per day

Research conducted in 2020 in Belgium and the Netherlands shows that these companies were the most threatened by phishing attacksNew window. Phishing is a common occurrence because it can be easily automated, is very cheap, and incredibly lucrative. Attackers don’t even have to be familiar with the IT environment of the company they want to attack. All of us have been affected at some point, because hundreds of millions of mails are sent every day.

“Even if less than 0.01% of recipients give out their information, the gain can still be colossal, particularly if the cybercriminals convince someone from a financial services company to deposit money. Or worse still, if they gain access to business accounts,” says Koen Bossaert.

Phishers know the identity of their victims

Phishing is becoming more and more specific and personal. It used to be that e-mails were written in English, or in poor Dutch or French. Now they are written in perfect Dutch or French and they even address the recipient by their first or last name. They often come from so-called clients or suppliers, or even from an important person or service within the company.

The danger is always lurking, even in your company. Wouter Vandenbussche: “Recently a large Belgian company experienced an attack on their HR department. The phishers knew the personnel numbers of the employees and made a request in their name to change their bank account numbers. Luckily, this attack was detected by the company’s cybersecurity service. Otherwise the phishers would have made off with a lot of money.”