At its core, business is about people and the relationships between them. That’s what makes phishing attacks so effective. By targeting employees with what appear as legitimate email messages or website links from a trusted company or individual, phishing tricks people into unwittingly exposing valuable data or dollars.
Phishing Attacks are Common
Phishing attacks are common — with more than 95% of US companies reporting having been targeted. Even with sophisticated information security technology in place, phishing attacks are effective. They’re highly capable of slipping through those defenses, particularly when they don’t include an attachment or URL.
In most cases, the weak link is an employee.
Most employees will recognize a message from a Nigerian prince as fraudulent; but they may not notice the subtle differences between a fake and legitimate email from the company CEO. When a message or URL link appears to come from a familiar source, the “trick” is harder to detect.
In one test, untrained users failed to recognize 10 out of 10 phishing emails. In the real world, the cost of employee errors can be significant. One study puts the average financial losses at about $1.6 million.
Teaching your employees to recognize these malicious messages and avoid responding to them is one of the most important components of your cyberdefense strategy.
Here are six of the most common phishing attacks your employees should watch for:
1. Phishing. Basic phishing sends messages that appear to come from a trustworthy source. Typically these emails request information such as login credentials or credit card numbers. To prevent employees from falling for these requests, teach users to call the company to confirm the legitimacy of the request. No legitimate business ever asks for personally identifying information via email.
2. Spear phishing. Spear phishing messages aren’t random; they target specific employees with a message that includes specific information about that person. Usually, it’s public information that’s easily found on the internet. The messages may include requests for money or passwords and seem to come from a friend or business associate. The best way to avoid falling for this is to call the apparent sender directly and confirm they sent the message.
3. CEO fraud. Receiving an email from the CEO gets most employees’ attention, which is why messages that pretend to be from the CEO are so effective. These messages typically ask employees to transfer a large sum of money to a specified account. Instruct your employees to check directly with the boss to confirm whether or not they should respond.
4. Clone phishing. Clone phishing copies a legitimate message that carried an attachment and resends it with the attachment swapped for one carrying malware. Because these messages appear to come from a sender the victim knows, the usual advice not to open attachments from unknown senders isn’t effective. Instead, use technological defenses to block attachments from downloading unless they’ve been scanned with up-to-date antivirus software.
5. Cloud phishing. Many companies now store their data in the cloud, and cybercriminals send emails inviting users to upload files to cloud providers like Dropbox or Google Docs. Once the user accepts the invitation, malicious software is downloaded. Companies can reduce this risk by reminding employees of corporate policies around cloud computing. Only officially approved cloud storage systems should be used.
6. Government phishing. Like messages from the boss, messages from the IRS or law enforcement are likely to get employees to jump. Remind employees that these agencies do not use email to initiate interactions, and they don’t request personal information through email.
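Employee verification is the article's main defense against spear phishing and CEO fraud; a mail gateway can back it up by flagging senders whose display name matches an executive but whose address does not, or whose domain is a near-miss of the company's. The following is an added example (not from the original post or from Xiologix); the company domain, the executive directory and the sample From: headers are all constructed for illustration.

```python
"""Flag inbound mail whose sender looks like executive impersonation.

Added example. The internal domain, executive directory and sample
headers below are constructed, not taken from any real organisation.
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumed internal domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # constructed directory


def normalize(name: str) -> str:
    """Lower-case a display name and collapse punctuation/whitespace."""
    return " ".join(name.lower().replace(".", " ").split())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list:
    """Return the reasons a From: header looks suspicious, or [] if clean."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reasons = []
    # Executive's name on the message, but not the executive's known address
    exec_addr = EXECUTIVES.get(normalize(name))
    if exec_addr and addr != exec_addr:
        reasons.append("executive display name with non-matching address")
    # External domain within two edits of ours, e.g. a digit swapped for a letter
    if domain and domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        reasons.append(f"lookalike domain {domain}")
    return reasons


SAMPLE_HEADERS = [  # constructed test inputs
    "Jane Doe <jane.doe@example.com>",          # legitimate executive mail
    "Jane Doe <jane.doe@examp1e.com>",          # lookalike domain
    "Jane Doe <ceo.janedoe@freemail.invalid>",  # name reused on an outside account
    "Bob Vendor <bob@vendor.invalid>",          # unrelated external sender
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", check_sender(header) or "ok")
```

Flagged messages are candidates for quarantine or a visible banner; the check complements, rather than replaces, the phone call to the apparent sender that the article recommends.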
Teaching your employees to recognize these and other phishing methods is an important component of your information security strategy. But no matter how well educated your workforce, eventually you’ll experience a breach from phishing — the human need for relationships and to trust others is that strong. Prepare your business with anti-virus software and other technologies, such as web filtering, to reduce the risk of these dangerous emails reaching your employees.
Xiologix can help you incorporate anti-phishing technology as part of your comprehensive cybersecurity strategy. We help you combine the best of technology with the best people for the best, most effective defense.