Stories about data breaches leaking personal data and damaging company profitability continue to make headlines. Much of the coverage focuses on the sophisticated attacks involved. For example, the WannaCry attack of 2017 spread as a self-propagating ransomware worm, while the infamous Equifax breach reportedly began with the exploitation of an unpatched web application vulnerability.
Incidents like these highlight just how threatening sophisticated cyberattacks can be in the professional space. At the same time, however, focusing solely on software updates and malware protection is not enough to keep a company safe from a data breach. The weakest link is often a person, not a machine: according to cybersecurity firm Wombat Security, 76% of organizations surveyed reported experiencing phishing attacks in the preceding year.
What is Phishing?
Phishing is one of the oldest forms of social engineering. The attacker assumes a false persona and sends a communication, most often an e-mail but also a telephone call, a text message, or even a letter, to an unsuspecting recipient. This communication typically requests confidential information, such as a password, account number, or credit card details, or asks the recipient to open an attachment or follow a link. Early e-mail phishing campaigns were sent in bulk with generic wording and were largely caught by spam filters; newer, more targeted tactics mean that more of these messages now reach inboxes.
The “spear phishing” technique refines broad phishing tactics into a much more personalized message aimed at a specific person or role. For example, most of today’s employees know that they shouldn’t respond to an e-mail message from a “Nigerian prince,” but far fewer would be comfortable ignoring a message if they believed it came from a company executive or other superior. Spear phishing messages frequently incorporate publicly available information (names, job titles, recent projects, travel) to give them that extra hint of legitimacy. This, coupled with the intimidating tone of most phishing e-mails, can override caution. Some employees will therefore act before they have thought through the potential ramifications of responding to the message.
According to industry data, falling prey to a phishing attack can be disastrous. For example, a PhishMe report found that the average company lost $1.6 million per incident.
How to Prevent Phishing
Employee training is a great first step in reducing the negative impact of phishing schemes; no control eliminates it entirely, so the goal is to make sure that a suspicious message gets questioned and reported rather than acted on. All company personnel should be taught to recognize the warning signs of illegitimate e-mails. These include:
- An intimidating tone: Senders of phishing e-mails want the recipient to act quickly, so they will usually threaten severe consequences for a lack of cooperation. These consequences might include termination of one’s job or legal actions.
- Spelling/Grammatical errors: Many phishing e-mails are sent quickly and rarely proofread, so mistakes often slip through and should make the message stand out from the professional e-mails an employee normally receives. The reverse does not hold, however: targeted messages are frequently well written, so a clean message is no guarantee of legitimacy.
- False domain names: An attacker cannot send from the target company’s own domain without first compromising it, so they usually register a look-alike domain, reuse the real name under a different top-level domain, or set a misleading display name on an unrelated address. For example, “keypointintelligence.com” is a legitimate domain, but “kyepointintelligence.co.net” is most likely not. Employees should check the actual sender address, not just the name shown next to it.
- Deceptive links and attachments: A phishing e-mail usually needs the recipient to click something. Any message full of external links or unexpected attachments should be treated with caution, and every link should be checked by hovering over it: if the displayed text shows one address but the link points somewhere else, that is a strong warning sign. The destination is usually either a fake login page that harvests credentials or a download that installs malware.
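The domain and link checks in the list above can be automated for a mail gateway or a help-desk triage script. The following is an added example, not code from Keypoint Intelligence or from any product mentioned on this page. It assumes a small list of domains the organization actually owns (only the page’s own “keypointintelligence.com” is listed) and uses a constructed sample message; the two-character edit-distance threshold for typosquats is a tuning choice, not a standard.

```python
"""Flag look-alike sender domains and deceptive links in a raw e-mail message."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organization really owns (assumption: only the page's example).
TRUSTED_DOMAINS = {"keypointintelligence.com"}


def levenshtein(a, b):
    """Edit distance between two strings; used to catch near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted"            # the domain itself or a subdomain of it
    labels = host.split(".")
    for t in trusted:
        name = t.split(".")[0]          # e.g. 'keypointintelligence'
        for label in labels:
            # the real name under a foreign TLD or buried in a longer host,
            # or a spelling within two edits of it (typosquat); threshold is an assumption
            if label == name or (len(name) >= 6 and levenshtein(label, name) <= 2):
                return "lookalike"
    return "unknown"


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], self._open[1].strip()))
            self._open = None


def host_of(text):
    """Hostname of a URL or of a bare 'example.com/path' string; '' if none."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def analyze_message(raw):
    """Return a list of (kind, detail, verdict) findings for a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender domain: compare the real address, not the display name.
    sender = parseaddr(str(msg["From"] or ""))[1]
    sender_domain = sender.rsplit("@", 1)[-1]
    verdict = classify_domain(sender_domain)
    if verdict != "trusted":
        findings.append(("sender", sender_domain, verdict))

    # 2. Links: where each one really goes, and whether the visible text lies about it.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        href_host = host_of(href)
        if not href_host:
            continue
        verdict = classify_domain(href_host)
        if verdict != "trusted":
            findings.append(("link", href_host, verdict))
        # visible text that itself looks like an address must point to that address
        text_host = host_of(text) if ("." in text and " " not in text) else ""
        if text_host and text_host != href_host:
            findings.append(("mismatch", f"{text_host} -> {href_host}", "deceptive"))
    return findings


# Constructed sample message modelled on the warning signs described above.
SAMPLE = """\
From: IT Support <it-support@kyepointintelligence.co.net>
To: employee@keypointintelligence.com
Subject: URGENT: your account will be terminated
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires in 1 hour. Reset it now or lose access.</p>
<p><a href="http://kyepointintelligence.co.net/login">https://keypointintelligence.com/reset</a></p>
<p>See <a href="https://keypointintelligence.com/security">our security policy</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE):
        print(*finding)
```

Run against the sample, the script reports the look-alike sender domain, the look-alike link target, and the mismatch between the link’s displayed address and its real destination, while the genuine policy link produces no finding. The edit-distance check is deliberately conservative; a production filter would also normalise Unicode confusables and consult a public-suffix list rather than splitting on dots.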
When it comes to avoiding phishing, caution is the most important lesson that an organization can preach to its employees. No e-mail should be responded to in haste, and any message that raises a red flag should be questioned. A request that claims to come from a colleague or executive should be verified through a separate channel, such as a phone call to a number already on file rather than one supplied in the message. Businesses must encourage their employees to err on the side of caution, call in another set of eyes if they doubt the legitimacy of any communication, and report suspected phishing so that the same message can be blocked for everyone else.
Keypoint Intelligence – InfoTrends is committed to educating the industry about prudent cybersecurity practices. Our recently published series on data responsibility covers phishing and other common forms of cyberattacks, and also discusses what businesses can do to safeguard themselves from costly data breaches. PSPs that are curious about how cybersecurity can affect their workflow procedures should refer to the third and final piece in our data responsibility series, which will be published soon.