Phishing is on the Rise in the UAE: How to Identify and Avoid Phishing Scams


By: Emile Abou Saleh, Regional Director, Middle East, Turkey & Africa at Proofpoint

In the mid-1990s, hackers began using fraudulent emails to “fish” for information from unsuspecting users. The term “phishing” was used to describe emails that lure people in and get them to take the bait. Once a user was hooked, it spelt trouble for both user and organization. Since then, phishing emails have been used to trick users into divulging their bank account details, hijack credentials, steal money, commit fraud, or spam other users.

Phishing is an example of social engineering: techniques such as forgery, misdirection and lying used by scam artists to manipulate people. Whether a phishing campaign is targeted or sent to as many victims as possible, it starts off with a malicious email message, disguised as a message from a legitimate company. The more aspects of the message that mimic the real company, the more likely an attacker will be successful. On a basic level, phishing emails use social engineering to encourage users to act without thinking things through.

Even if the hackers’ goals vary, the aim is usually to steal personal information or credentials. Phishing continually evolves to bypass security and human detection, so organizations must continually train staff to recognize the latest phishing strategies. All it takes is one person to fall for a phishing scam and cause a severe data breach. That’s why it’s one of the most critical threats to mitigate and the most difficult since it requires human defenses.

According to Proofpoint’s ninth annual State of the Phish report, while attackers are pivoting to emerging and lesser-known tactics to compromise organizations, tried-and-tested tactics such as phishing are still extremely rife – and successful. Among the organizations in the UAE that experienced attempted email-based phishing attacks, eight in 10 (86%) experienced at least one successful attack, and nearly half (44%) reported direct financial losses as a result.

The way organizations work today in the wake of the pandemic has also exacerbated this threat. With the rise in remote working, attackers have an advantage as users are working outside the traditional corporate networks, giving attackers a higher chance of a successful phishing campaign. In fact, 32% of CISOs in the UAE agree that they have seen an increase in targeted attacks in the last 12 months. And more than 1 in 3 (37%) say that increases in employee transitions mean that protecting data has become a greater challenge.

How to prevent phishing scams

Preventing phishing attacks requires a combination of user training to recognize the warning signs and robust cybersecurity systems to stop malicious emails before they reach employees’ inboxes.

Building a security awareness program tailored to the specific threats faced by an organization is a big challenge. But there’s reason for optimism: 67% of security pros said that phishing failure rates have gone down since a security awareness program was implemented.

Proofpoint analysis suggests three distinct approaches can work. Firstly, reduce complexity by asking the right questions. Who is being attacked? Where are the current defensive gaps? Secondly, pair threat intelligence with organization-wide security awareness education. Identify which users are most likely to be targeted and who is most likely to succumb. Match education, including phishing simulation and training, to threats currently circulating. Tailor training and assessment for the most attacked users based on the threats targeting them.

Lastly, build a security culture that goes beyond training. Training is crucial but not sufficient. A strong workplace security culture will motivate users to take security more seriously and help them build sustainable security habits that extend to their personal lives.

People-centric cyberattacks pose the biggest risk to organizations and working adults in the Middle East. An effective and comprehensive cybersecurity awareness training program that adapts to the ever-evolving threat landscape is fundamental to building a strong security culture, as employees increasingly access organizational data from multiple platforms, devices, and locations.

As traditional working models evolve, the old ways of protecting data no longer work. Organizations will need to work together with their employees to up their game and adapt data loss prevention and insider risk solutions to protect endpoints, emails, cloud apps, and the web.