You’ve likely heard of phishing – you know, the scams where someone sends you a fake email to trick you into giving up your password or banking information. Most of us have heard about phishing many, many times. So many times, in fact, that we’re tempted to tune it out and think to ourselves, “Ha, I would never fall for one of those scams.”
But the truth of the matter is that phishing is a bigger threat than ever. Phishing attacks are becoming more common and more sophisticated all the time. Your business and your employees, even those with cybersecurity training, may still be at risk.
Why is Phishing So Dangerous?
Phishing attacks have increased exponentially
The first recorded mentions of phishing attacks occurred back in 1996 in the days of America Online. Over the next decade, internet and email access exploded in popularity, and cybercriminals suddenly had millions of unsuspecting victims. When smartphones hit the market in 2007, phishing attacks became even more commonplace.
To give you an idea: in 2016, the Anti-Phishing Working Group (APWG) saw over 92,000 phishing attempts every month, a 5,753% increase since 2004. Even worse, a study by Wombat Security found that 76% of companies reported falling victim to a phishing attack in 2016.
With modern technology, these attacks can also come in a variety of forms and channels. We’re probably most familiar with email phishing – things like fake links, or malicious files hidden in attached documents. Now, with smartphones, we have smishing, which is phishing via SMS text messages on your smartphone. And let’s not forget vishing, or voice phishing over the phone. Ever get one of those calls from “Sharon, your local Google specialist”? Hint: Sharon does NOT work for Google. It’s just a scam.
Phishing has grown more sophisticated
By now, most of us know not to trust Nigerian princes claiming to offer us millions of dollars. But the combination of technology and social engineering has spawned phishing attacks that are more sophisticated – and scarier – than ever.
What is social engineering?
In security, social engineering refers to a broad range of scams in which criminals deceive or manipulate victims into taking actions or giving up confidential information. It’s an alternative to “traditional” hacking, which is based on using technical expertise to infiltrate computer systems.
Social engineering isn’t new. Think of classic con-men like Charles Ponzi or Frank Abagnale (like in Catch Me If You Can), who fast-talked and manipulated people to get ahead. The difference today is that with the Internet, there’s an enormous amount of information available online that someone can use to manipulate you. Social media especially makes it easier than ever for criminals to find out personal details about you.
Here’s an example that our IT team recently dealt with that was directed toward one of our clients. The really scary part is that the x’ed out password was a real password that the victim had actually used, which was stolen from a hacked website.
Many phishing attacks also manipulate victims by impersonating a trusted person or company. For example, around tax season, scam messages from criminals claiming to be the IRS are common, because they know people are waiting for refunds and are more likely to fall for a fake bank transaction. In 2017, there was an extremely sneaky Google Docs phishing scam that sent messages from your real contacts and exploited a real Google page.
CEO/Manager Fraud Phishing
Another type of social engineering scam to watch out for is CEO/Manager fraud. Using information publicly available online, criminals find out details about the CEO or managers of a company. They use that information to craft targeted phishing messages to trick employees into making financial transfers or compromising company data.
Criminals know that they can take advantage of employees’ natural desire to help a customer or please their boss. And it works. In 2016, the FBI reported a dramatic increase in the number of CEO scams, resulting in more than $2.3 billion in losses.
Human error is still a major problem
No matter how technically secure your computer systems are, you can’t always protect against people. Unfortunately, your employees are still a huge risk factor for your business, even if they don’t mean to be. According to IBM, 27% of data breaches are caused by human error.
Criminals know this and will continue to exploit unaware employees using phishing attacks and social engineering scams. The same IBM report revealed that data breaches caused by human error cost $128 per record to resolve. How many customer records do you have in your company database or email list? Paying $128 for each one can add up quickly.
How to Protect Yourself and Your Business from Phishing
Educate your employees
An educated employee is your best defense against phishing attacks. Even if you have the best spam email detection in the world, clever phishing emails can still get through. Plus, an unaware employee can still endanger your business if they fall victim to a phone scam or use an infected personal account or device at work.
Invest the time and resources to educate and train your employees, not only to recognize phishing, but to have safer computing habits in general. That way, they can recognize and respond appropriately to threats and scams, keeping your business safe in the process.
Foster a healthy sense of caution
We get it, some of us are just glass-half-full people who naturally want to trust others. And while we don’t want everyone to be hopeless skeptics, when it comes to security, it’s important to practice caution.
First, that starts with being aware when and how you’re sharing sensitive personal or business information. For example, with the number of online accounts nowadays, you may not even hesitate about giving out your email address. But recognize that even something as simple as an email address is valuable and can be misused in the wrong hands.
Second, never give out information unless you’re sure of who is asking for it, and what they need it for. If you get an unexpected email from a company like Microsoft or Amazon asking for your login credentials or credit card information, think twice. Large, reputable companies already have your data and credentials on file, so they wouldn’t be asking for it. A closer look may reveal that the message is from a scammer posing as a trusted company.
Finally, when in doubt, ASK. If you receive a message, whether by email, phone, text message, or otherwise, and you’re not 100% sure it’s legitimate, always double check before giving out any information. It’s worth the extra step to keep yourself and your business safe.
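What that “closer look” at a message posing as a trusted company can amount to in practice, as an added example that is not part of the original post: it parses the From and Reply-To headers of a raw email, checks whether a brand named in the display name actually matches the sending domain, and flags a Reply-To that would divert answers elsewhere. The brand-to-domain table and the sample message are constructed for illustration.

```python
import email
from email.utils import parseaddr

# Brands that phishers commonly pose as, mapped to the domains that really
# send mail for them. Constructed illustration; keep your own list in practice.
TRUSTED_BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "amazon": {"amazon.com"},
    "google": {"google.com"},
}

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def belongs_to(domain: str, legit: set) -> bool:
    """True if domain is one of the brand's domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in legit)

def check_impersonation(raw: str) -> dict:
    """Take a closer look at From/Reply-To of a raw message and report findings."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])

    # Which brand does the display name or address claim to be?
    text = f"{name} {addr}".lower()
    claimed = next((b for b in TRUSTED_BRANDS if b in text), None)
    brand_ok = claimed is None or belongs_to(from_domain, TRUSTED_BRANDS[claimed])
    # A Reply-To on a different domain diverts any answer to the scammer.
    reply_ok = not reply_domain or reply_domain == from_domain
    return {
        "claimed_brand": claimed,
        "from_domain": from_domain,
        "reply_domain": reply_domain,
        "suspicious": not (brand_ok and reply_ok),
    }

# Constructed sample: the display name says Microsoft, but the real sender
# and the Reply-To sit on lookalike domains that are not Microsoft's.
SAMPLE_PHISH = (
    "From: Microsoft Account Team <security@micros0ft-verify.example>\n"
    "Reply-To: verify@account-check.example\n"
    "Subject: Your account will be suspended\n\n"
    "Confirm your password within 24 hours.\n"
)
```

Calling `check_impersonation(SAMPLE_PHISH)` reports the claimed brand, both domains, and `suspicious: True`; the same function returns `suspicious: False` for mail that really comes from one of the brand’s own domains.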
Conduct Simulated Phishing Tests
When it comes to phishing, experience is one of the best teachers. But you don’t want to be a victim of a real phishing attack just to know what one looks like. That’s where simulated phishing training comes in.
Yes, you can actually phish your own employees (without actually stealing their information, of course) with the help of security awareness providers like InfoSec or KnowBe4. While it might seem mean, simulated phishing tests are a highly effective way to give your employees practical experience in identifying and responding to phishing scams. When implemented fairly and transparently, simulated phishing has proven to be a positive training experience for many businesses.
Given that the average data breach costs a small business $117,000 (or more, depending on which study you read), simulated phishing tests can be a valuable investment that saves your business money in the long run. In fact, the Ponemon Institute reported that security awareness training that includes simulated phishing provides up to a 37% return on investment for businesses.
Have a Security Policy in Place
Lastly, make sure your business has an IT security policy in place. Establish guidelines for how employees should use technology in and around the workplace. What are acceptable uses for company computers? Are there any software applications or websites that are off-limits? Do you allow employees to bring their own personal devices?
Think about who has access to what types of information. You don’t want everyone in the company to have access to financial data or employee records. Restrict access to sensitive data to the employees who truly need it. That helps control and protect information from getting inadvertently released or stolen.
Finally, include guidelines on what to do in the event of an emergency. If your business does fall victim to a cyber attack, you want your employees to be prepared and know how to respond so you can fix the problem and minimize any damage.
Is Your Business Ready?
Are you and your employees well-trained and educated to protect yourself against phishing and other cyber attacks? Are you confident that you have systems in place to protect your network and critical business data? If not, give our expert IT consultants a call – we’d be glad to help!