Phishing continues to be a pressing problem for businesses and their employees. For cybercriminals seeking to wreak havoc, phishing is cheap, effective and profitable. Verizon's 2018 Data Breach Investigations Report (DBIR) states that 76 percent of data breaches are financially motivated, the majority through phishing attacks. And according to Forbes, phishing scams cost American businesses about $500 million a year between October 2013 and December 2016.
“Unfortunately, phishing is one of the quickest and easiest ways to compromise a business,” says Jordan Martone, Assistant Vice President, Information Security Program Manager, Johnson Financial Group. “Technology defenses and security awareness training are critically important in order to avoid these damaging attacks.”
Phishing combines technology with social engineering either to deliver malicious code (such as viruses or ransomware) or to obtain usernames, passwords, account numbers and other sensitive information.
Email represents the most prevalent form of phishing, but other means of attack include:
Elements to consider include:
1. Details. Does the address match the sender name? Is it a non-corporate or foreign email address?
2. Body. Is there poor spelling or grammar? Is the voice authentic? If it is supposed to be from a business or person you know, does it contain language you know the sender is unlikely to use?
3. Subject line. Is the subject nonspecific, threatening, urgent or too good to be true?
4. Elements. Be cautious of links, attachments and login pages. If in doubt about a link or attachment, call or email the sender with an independently verified phone number or email address. Rather than click on a login page in an email, log in directly on a website using a known URL.
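The four checks above can also be run mechanically as a first-pass triage on an email that an employee has reported. The script below is an added example written for this article, not a tool from Johnson Financial Group or the DBIR; it assumes a hypothetical corporate domain `acme.example`, two constructed sample messages, and a small constructed word list, and it flags (1) a sender domain that does not match the company, (2) and (3) urgency or threat wording in the body and subject, and (4) links whose visible text names a different host than the real target or that point at a bare IP address, plus risky attachment types.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: trips several checklist items (sender domain, subject,
# body wording, and a link whose text does not match its target).
PHISHING_SAMPLE = b"""\
From: "Acme Payroll" <payroll-notice@acme-secure-login.example>
To: jane.doe@acme.example
Subject: URGENT: Action required - verify your account immediately
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear valued employee, your acount will be suspended unless you confirm your
details within 24 hours.</p>
<p><a href="http://198.51.100.23/login">https://portal.acme.example/login</a></p>
</body></html>
"""

# Constructed sample: a routine internal message that should produce no findings.
CLEAN_SAMPLE = b"""\
From: "Jane Doe" <jane.doe@acme.example>
To: bob@acme.example
Subject: Q3 budget spreadsheet for Thursday's review
Content-Type: text/plain; charset=utf-8

Bob, attached is the draft. Let's go over it Thursday at 10.
"""

# Constructed word list for the "threatening, urgent or too good to be true" check.
URGENCY_WORDS = {"urgent", "immediately", "suspended", "action required",
                 "within 24 hours", "verify your account", "winner", "prize"}

RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".zip", ".docm", ".xlsm")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw, corporate_domain):
    """Return a list of human-readable findings; an empty list means no checklist item fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Details: does the sender's domain match the company the mail claims to come from?
    sender = msg["From"]
    addr = sender.addresses[0] if sender is not None and sender.addresses else None
    if addr is None:
        findings.append("details: missing or unparsable From header")
    elif addr.domain.lower() != corporate_domain.lower():
        findings.append(f"details: sender domain {addr.domain} is not {corporate_domain}")

    # 3. Subject line: urgent, threatening or too-good-to-be-true wording.
    subject = (msg["Subject"] or "").lower()
    hits = sorted(w for w in URGENCY_WORDS if w in subject)
    if hits:
        findings.append(f"subject: urgency/threat wording {hits}")

    # 2. Body: the same wording check over the message text.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    hits = sorted(w for w in URGENCY_WORDS if w in body.lower())
    if hits:
        findings.append(f"body: urgency/threat wording {hits}")

    # 4. Elements: links whose visible text and real target disagree, or bare-IP targets.
    if body_part is not None and body_part.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            target_host = urlparse(href).hostname or ""
            shown_host = urlparse(text).hostname if "://" in text else None
            if shown_host and shown_host != target_host:
                findings.append(f"elements: link text shows {shown_host} but points to {target_host}")
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target_host):
                findings.append(f"elements: link points to a bare IP address {target_host}")

    # 4. Elements: attachment types that commonly carry executable content.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"elements: risky attachment type {name}")

    return findings


if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, check_message(sample, "acme.example"))
```

The findings are signals for a human reviewer, not a verdict: a legitimate vendor mail will also come from a non-corporate domain, and a well-written phishing email may trip none of the wording checks, which is why the article's advice to verify links and attachments out of band still applies.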
“Because so many phishing emails appear legitimate, it's important to examine individual elements of an email carefully,” Martone says. “Train your employees to recognize potential phishing attempts and encourage them to think critically about every communication they receive.”
Suspicious emails should be reported to your IT department immediately. Businesses without a dedicated IT department can forward phishing emails to the Federal Trade Commission (FTC) at email@example.com and file a report at FTC.gov/complaint. You also may want to report phishing emails to the Anti-Phishing Working Group at firstname.lastname@example.org.
“Some organizations believe they aren't vulnerable to phishing because they are so small,” Martone says. “However, research shows that hacking groups around the world often use a smaller business as a training ground to practice phishing before attacking a larger organization. Plus, scammers sometimes infiltrate a smaller organization – perhaps a vendor of a large company – in an attempt to attack the larger group.” That means every business, no matter the size, needs to develop a robust security protocol to help identify phishing attacks and avoid compromising the business.
In addition to critically examining email elements, consider implementing the following to secure your business and employees from fraud:
The best way to protect your business from phishing is to ensure you and your employees know what to look for. “Despite your best efforts, people make mistakes,” adds Martone. “The DBIR reports that 4 percent of targets will click on any given phishing email campaign. So be sure you have a good IT response team and plan in place to quickly address issues and keep damage to a minimum.”