The Phishing Threat and its Consequences

By: José Ruiz

Cybercrime is a US$600 million annual industry that is projected to be worth US$6 trillion in damages by 2021 according to The Cybersecurity Hub. One of the most common forms of cybercrime is phishing, a threat that feigns innocuousness, but accounts for 91% of cyberattacks, according to Digital Guardian data.


Phishing is a social engineering method used to extract information by deception and the use of technology to gain access to devices, networks or services.

He commonly feigns elements of trust or authority, and builds credibility in order to hook his victim.


According to Stanford University, criminals using phishing methods usually seek passwords, financial information, stolen identities or money. In addition, they estimate that there is a 10 per cent chance that a phishing message will be successful because people usually fall for an illusion of urgency, desire to please, ambition or greed, curiosity, fear or complacency.


This threat is not new as the first known attempts focused on financial services occurred in 2001 and the modality has been known since 1987. Both institutions and individuals need to be aware of this reality and treat it as a risk, as it is not only a financial threat, but also a reputational and even a legal one.


Individuals are prone to fall victim to phishing by being duped by phone calls or clicking on misleading links that redirect them to websites that have been cloned, contain falsified information, or redirect from a legitimate site to a fraudulent one. This accounts for part of the US$1.48 billion in fraud-related monetary losses reported to the US Federal Trade Commission (FTC) in 2018 alone, an increase of 38% over the previous year.


However, institutions and some individuals are exposed to spearphishing, a modality targeting individuals or a company that appears to come from an official source and includes specific information to increase the chances of success. According to TechRepublic, one of the most common forms of spearphishing is "CEO fraud", where information or money transfers are requested by emulating legitimate messages from the CEO of the institution. McAfee Labs provides data indicating that institutional staff are twice as likely to be targeted as management and twice as likely to be duped.


Both institutions and individuals need to raise awareness of this risk in order to reduce its likelihood of success. Some recommendations for institutions are: 


  1. To interest and involve the leaders of the institution. 
  2. Raise safety awareness among employees from the beginning of the employment relationship. 
  3. Create a formal training plan. 
  4. Conduct training with realistic scenarios. 
  5. To highlight the importance of safety in the working and personal environment. 
  6. Evaluate results periodically. 
  7. Communicate results and relevant information. 
  8. Continue updated trainings.