You’ve likely heard of phishing–you know, the scams where someone sends you a fake email to trick you into giving up your password or banking information. Most of us have heard about phishing so many times that we’re tempted to tune it out and think to ourselves, “Ha, I would never fall for one of those scams.”
But the truth is that phishing is a bigger threat than ever. Phishing attacks are becoming more common and more sophisticated all the time. Your business and your employees—even those with cybersecurity training—may still be at risk.
Why is Phishing So Dangerous?
Phishing attacks have increased exponentially
The first recorded mentions of phishing attacks occurred back in 1996 in the days of America Online. Over the next decade, internet and email access exploded in popularity, and cybercriminals suddenly had millions of unsuspecting victims. When smartphones hit the market in 2007, phishing attacks became even more commonplace and have only grown in frequency since.
To give you an idea: 74% of U.S. organizations experienced a successful phishing attack last year, a 14% increase from 2019. According to the FBI, phishing is the most common type of cybercrime. In 2020, they saw 12 times more phishing attacks than in 2016.
COVID-19 phishing scams likely accelerated the increase in 2020. The pandemic introduced new opportunities for scammers, and some estimate that drove up cybercrime by 600%!
With modern technology, these attacks can also come in a variety of forms and channels. We’re probably most familiar with email phishing–things like fake links or malicious files hidden in attached documents. Now, with smartphones, we have smishing, which is phishing via SMS text messages on your smartphone.
And let’s not forget vishing or voice phishing over the phone. Ever get one of those calls from “Sharon, your local Google specialist?” Hint: Sharon does NOT work for Google. It’s just a scam.
Phishing has grown more sophisticated
By now, most of us know not to trust Nigerian princes claiming to offer us millions of dollars. But the combination of technology and social engineering has spawned phishing attacks that are more sophisticated–and scarier–than ever.
What is social engineering?
In cybersecurity, social engineering refers to a broad range of scams in which criminals deceive or manipulate victims into taking actions or giving up confidential information. It’s an alternative to “traditional” hacking, which requires technical expertise to infiltrate computer systems.
Social engineering isn’t new. Think of classic con-men like Charles Ponzi or Frank Abagnale (like in Catch Me If You Can), who fast-talked and manipulated people to get ahead.
Today, the difference is that the internet makes an enormous amount of information available that someone can use to manipulate you. Social media is especially risky because it makes it easier than ever for criminals to find out personal details about you.
Here’s an example that our IT team handled that was directed toward one of our clients. The really scary part is that the x’ed-out password was a real password that the victim had used, which was stolen from a hacked website.
Many phishing attacks also manipulate victims by impersonating a trusted person or company. For example, around tax season, scam messages from criminals claiming to be the IRS are common because they know people are waiting for refunds and are more likely to fall for a fake bank transaction. In 2017, there was an extremely sneaky Google Docs phishing scam that sent messages from individuals’ real contacts and exploited a real Google page.
CEO/Manager Fraud Phishing
Another type of social engineering scam to watch out for is CEO/Manager fraud. Using information publically available online, criminals find out details about the CEO or managers of a company. They use that information to craft targeted phishing messages to trick employees into making financial transfers or compromising company data.
Criminals know that they can take advantage of employees’ natural desire to help a customer or please their boss. And it works. In 2019, the FBI reported a whopping 100% increase in the number of CEO scams, costing businesses over $26 billion in losses since 2016.
Human error is still a major problem
No matter how technically secure your computer systems are, you can’t always protect against people. Unfortunately, your employees are still a huge risk factor for your business, even if they don’t mean to be. According to IBM, human error is a contributing cause in 95% of data breaches.
Criminals know this and will continue to exploit unaware employees using phishing attacks and social engineering scams. The same IBM report revealed that data breaches caused by human error cost $128 per record to resolve. How many customer records do you have in your company database or email list? Paying $128 for each one can add up quickly.
How to Protect Yourself and Your Business from Phishing
Educate your employees
An educated employee is your best defense against phishing attacks. Even if you have the best spam email detection in the world, clever phishing emails can still get through. Plus, an unaware employee can still endanger your business if they fall victim to a phone scam or use an infected personal account or device at work.
Invest the time and resources to educate and train your employees, not only to spot phishing emails but to have safer computing habits in general. That way, they can recognize and respond appropriately to threats and scams, keeping your business safe in the process.
Foster a healthy sense of caution
We get it—some of us are just glass-half-full people who naturally want to trust others. You don’t need to be a hopeless skeptic, but it’s vital to practice caution when it comes to IT security.
First, that means being aware of when and how you’re sharing sensitive personal or business information. For example, with the number of online accounts nowadays, you may not hesitate to give out your email address. But recognize that something as simple as an email address is valuable and can be misused in the wrong hands.
Second, never give out information unless you’re sure who is asking for it—and what they need it for. If you get an unexpected email from a company like Microsoft or Amazon asking for your login credentials or credit card information, think twice. Large, reputable companies already have your data and credentials on file, so they would never be asking for it. A closer look may reveal that the message is from a scammer posing as a trusted company.
Finally, when in doubt, ASK. If you receive a message, whether by email, phone, text message, or otherwise, and you’re not 100% sure it’s legitimate, always double-check before giving out any information. It’s worth the extra step to keep yourself and your business safe.
Conduct Simulated Phishing Tests
When it comes to phishing, experience is one of the best teachers. But you don’t want to be a victim of an actual phishing attack to know what one looks like. That’s where simulated phishing training is incredibly valuable.
Yes, you can phish your employees (without actually stealing their information, of course) with the help of cybersecurity services like our Password Watchdog stolen password and training service. While it might seem mean, simulated phishing tests are a highly effective way to give your employees practical experience in identifying and responding to phishing scams.
When implemented fairly and transparently, simulated phishing has proven to be a positive training experience for many businesses.
Given that the average data breach costs a small business $200,000 (or more, depending on which study you read), simulated phishing tests can be a valuable investment that saves your business money in the long run. In fact, the Ponemon Institute reported that security awareness training that includes simulated phishing provides up to a 37% return on investment for businesses.
Have a Security Policy in Place
Lastly, make sure your business has an IT security policy in place. Establish guidelines for how employees should use technology in and around the workplace. Some significant questions to consider include:
- What are acceptable uses for company computers?
- Are there any software applications or websites that are off-limits?
- Do you allow employees to bring their own personal devices?
- What cybersecurity steps are in place for employees working from home?
Think about who has access to what types of information. You don’t want everyone in the company to have access to financial data or employee records.
Restrict access to sensitive data to the employees who genuinely need it. That helps control and protect information from getting inadvertently released or stolen.
Finally, include guidelines on what to do in the event of an emergency. If your business falls victim to a cyberattack, you want your employees to be prepared and know how to respond to fix the problem and minimize any damage.
Is Your Business Ready?
Are you and your employees well-trained and educated to protect yourself against phishing and other cyberattacks? Are you confident that you have systems in place to protect your network and critical business data? If not, give our expert IT consultants a call—we’d be glad to help!