Today’s phishing attacks are more sophisticated than ever. With cybercriminals easily able to spoof emails and websites, even usually astute employees can be fooled and fall victim to an attack. Given the cost of the average attack to a company, that’s pretty scary. That said, there are proactive steps everyone can take to improve their online safety.
And it’s important that everyone takes those steps because phishing is still behind the majority of cyber attacks today…
The 2018 Trustwave Global Security Report (quoted here) shows that phishing was the leading cause of attack (55%) in corporate network environments, followed by malicious insiders (13%) and remote access (9%).
That’s understandable. While some forms of cyber attack require sophisticated levels of coding, phishing leaves most of the work to the victim. As long as the bait is convincing enough, phishers can gain instant access to the victim’s corporate passwords or customer records, causing untold damage along the way.
It can also take a long time for a phishing attack to come to light. In fact, some companies take up to five months to realize they’ve been attacked.
The cost of phishing
When organizations fall victim to these attacks, it can cost them millions of dollars. In the US alone, FBI statistics indicate that phishing attacks cost American businesses at least US$500 000 000 a year.
An evolving threat
Phishing remains so prevalent due to its continuing evolution. Cyber criminals are constantly improving their methods, making it difficult for ordinary people to keep up.
Email addresses and website URLs, for example, were once easy ways to spot that someone was attempting to phish you. But they can now be convincingly spoofed, as can the look and feel of those emails and websites.
The cyber criminals behind these attacks move increasingly quickly too. If a bank changes its logo and branding, you can guarantee that within days, there’ll be spoof emails with the updated branding in people’s inboxes.
Nothing about these emails will appear out of the ordinary. A phishing attempt will look and feel like any other email from that bank. If anyone fell victim to it, you wouldn’t blame them.
And that’s part of the reason why phishing remains such a threat. As much work as cyber security companies, email service providers, and corporate security teams put into combating cyber attacks, people remain the weak point.
Staying safe
Fortunately, there are things that employees and organizations can do to minimize their chances of falling victim to a phishing attack.
Users, for example, should look at what kind of attachment an email contains. If the attachment includes a file with the extension .html, .exe, or .bat, they should not open it, under any circumstances.
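The attachment check above can be automated on the mail-filtering side. The following is an added example, not code from the original post: it parses a constructed sample message with Python's standard `email` library and flags attachments whose final extension is one of the types the post says should never be opened (the set is extended with a few other common script types, which is my assumption). It also catches the double-extension trick (`invoice.pdf.exe`), where only the last suffix counts.

```python
import email
from email import policy
from pathlib import Path

# Extensions the post warns about (.html, .exe, .bat), plus a few other
# executable/script types added here as an assumption.
RISKY_EXTENSIONS = {".html", ".htm", ".exe", ".bat", ".cmd", ".js", ".vbs", ".scr"}

# Constructed sample message for demonstration; not a real phishing email.
SAMPLE_EML = """\
From: Accounts <accounts@example.com>
To: staff@example.com
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Please see the attached invoice.
--B
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--B
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--B
Content-Type: text/html; name="Login.HTML"
Content-Disposition: attachment; filename="Login.HTML"

<html></html>
--B--
"""


def flag_risky_attachments(raw_message: str) -> list:
    """Return (filename, reason) for every attachment with a risky extension."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        suffix = Path(name).suffix.lower()  # only the LAST extension matters
        if suffix in RISKY_EXTENSIONS:
            reason = "risky extension " + suffix
            if name.count(".") > 1:
                reason += " hidden behind a double extension"
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for filename, reason in flag_risky_attachments(SAMPLE_EML):
        print(f"BLOCK {filename}: {reason}")
```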
Meanwhile, from a business perspective, education remains critical. Organizations can play a massive role in informing employees and customers about the latest phishing tactics used by cyber criminals. Equally important, however, is that these organizations warn employees and customers when not to respond to a request in an email.
A study by KnowBe4 found a “radical drop of careless clicking to just 13 percent 90 days after initial training and simulated phishing and a steeper drop to two percent after 12 months of combined phishing and computer based training (CBT).”
It’s vital that these education initiatives are ongoing and that they’re executed across multiple communication channels. More importantly, this messaging should be simple and easy to remember, so that it sticks in people’s minds.
Fighting off increasingly sophisticated phishing attacks may seem daunting, but with the right business practices and security awareness programs, it’s entirely possible.