Phishing is a type of online scam in which cyber criminals try to steal login data, credit card information, pin codes or medical data. They do so by sending forged e-mails or text messages from agencies you trust: your bank, the Inland Revenue, a well-known amusement park, a large telecoms provider, … In these messages, they ask you to click through to the web site of this agency to enter your account number and pin code of your bank app, for example. Or to click on a link, which then installs a virus on your computer.
Meanwhile, variations of phishing are already emerging, and the inventiveness of cyber criminals knows no bounds. ‘Whaling’ is a good example, in which scammers use platforms such as WhatsApp to send messages in which they pretend to be known persons or family members. The scammer asks for money to be transferred because he has a small problem or is temporarily unable to access his account, of course with the promise of repaying this as quickly as possible. ‘CEO fraud’ is also something that is still common. The fraudster poses as the victim’s boss and asks for an urgent transfer of money to pay an unpaid invoice, for example.
“In the beginning, phishing messages were still quite easy to spot,” says Tom Van Britsom, cyber expert at Vanbreda Risk & Benefits. “They were often full of grammatical mistakes, had a vague title or used your e-mail address as a form of address. The websites they reproduced were also often just poor copies, immediately setting off alarm bells in the minds of many victims. However, the phishers have become ever more professional. It is becoming increasingly difficult to distinguish from legitimate emails and sites.”
In addition to the fact that the hackers are getting better and better in their fraudulent attempts, the number of phishing messages is also enormously on the increase, causing more and more victims. According to the bank federation, Febelfin, in 2020 about 67,000 fraudulent bank transactions took place due to phishing. In so doing, 34 million euros were stolen. By way of comparison: a year earlier, the damage amounted to ‘only’ 8 million euros.
Vanbreda Risk & Benefits also notes that there are more reported claims and the amounts involved are higher. “We find that insurers usually respond to this in three possible ways,” says Tom Van Britsom. “They increase policy premiums for both new and existing customers. Or they adjust their terms and conditions and, for example, provide for lower cap rates, higher excesses and amended clauses. Finally, insurers are also tightening up their acceptance policy. Companies have to demonstrate that their security policy is in order otherwise certain sectors are simply excluded.”
Of course, a sound technical safety policy is an important factor in deterring phishers, says Van Britsom. But it is equally important to invest in the ‘human factor’. “The vast majority of claims have a human link, which you as a company can never completely eliminate, but on which you must continuously provide training. Vanbreda Risk & Benefits does this in two ways. Firstly, through the cyber workshops that we organise and that we base on our own experiences in cyber damage. We will teach you best practices: how to deal with phishing as soon as you are affected. So, the do’s and the don’ts, what can you do to prepare your company and how can you respond appropriately after an attack?”
The second part is an online ‘phishing training course’ offered by Vanbreda. Van Britsom: “Using our platform, we can set up highly realistic phishing simulations, which are tailored to your company. You do not have to make any adjustments to your own IT infrastructure. We send out the so-called phishing emails and then keep a very accurate record of how your employees respond to them. Afterwards, we will of course provide you with comprehensive reports and analyses of how the test went.”
For example, the reports explain how many emails were sent, how many emails were opened, who entered what data or answered the emails, how many people clicked on suspicious attachments, how many employees informed the IT department, and so on. “In this way we are able to provide both the company and the employees with greater insight into the digital risks and teach them how to deal with them correctly. This also clearly demonstrates to your company how its internal cybersecurity policy can be optimised,” says Van Britsom. “The training course turns every employee into a real phishing expert. For example, your employees are prepared for cyber attacks, which means that the data, assets and reputation of your organisation are better protected.”
