July 27, 2021
Phishing is one of the biggest threats to information security, and the effect of phishing attacks on companies can be severe. The following sections explore the cause and effect of phishing and offer strategies for how to avoid it.
Phishing is a type of social engineering scam, where cybercriminals pose as legitimate companies, people, or institutions in emails or text messages, to trick recipients into sharing financial information, corporate credentials, or other sensitive data. Within these communications, the scammer may ask the recipient to click on a link or attachment, which then infects the recipient’s computer with malware. The nefarious software can steal information directly or reroute the recipient to a fake website that asks for sensitive information.
In 2020, three out of four companies around the world were hit by a phishing attack, and these kinds of scams were responsible for 22% of data breaches. Phishing often takes the form of something an employee is expecting, such as an HR document, a shipping confirmation, or an IT department request to change a password. The email may look like it comes from a work colleague or even the company’s CEO or other senior leaders. Since these communications are designed to look familiar, they can be hard to recognize. They can also be more sinister in nature, playing on people’s fears, insecurities, and personal tragedies. For example, in 2020, there were several phishing schemes related to COVID-19 relief payments, Centers for Disease Control and Prevention (CDC) infection prevention measures, small business loans, and tax extension deadlines.
There are a variety of phishing types, and cybercriminals get more sophisticated every day. That said, there are some common kinds of phishing you and your staff should know how to recognize.
Email phishing. Also known as deception phishing, this common scheme occurs when malicious characters send emails impersonating a recognized company or brand. Using social engineering tactics, criminals communicate urgency and direct people to click on a link or download an attachment. Links go to malicious websites that either steal credentials or install malware on a user’s device. To recognize these emails, look for something “off” about the email address. There may also be misspellings or misused words throughout the body of the text.
Spear phishing. This type of phishing uses emails but in a more targeted manner. Cybercriminals gather information from company websites about specific individuals and design emails to appear like they are sent from internal individuals, often using their names, titles, telephone numbers, and email addresses. Since recipients think they are receiving a communication from a colleague, they are more likely to click on links or download malware. One of the most famous examples of spear-phishing involved the Democratic National Committee where criminals tricked members of the committee into sharing their passwords. To spot spear phishing, look for abnormal requests, including someone asking for highly sensitive information, such as passwords.
Whale phishing. Along the same lines as spear phishing, whale phishing occurs when a cybercriminal impersonates a senior company leader, such as someone in the C-suite. These emails may request a money transfer or ask the recipient to review a document, prompting the person to click on links and share sensitive information. As with spear phishing, staff should know to question things that appear unusual before clicking on any links.
Vishing/smishing/and angler attacks. These are similar to email phishing, but they involve phone calls (vishing) texts (smishing), or social media messages (angler attacks). Criminals create a heightened sense of urgency and spur the recipient to act. These communications often occur during stressful times. For example, a common scam comes around tax time when people receive phone calls or text messages that seem to come from the IRS, informing them of an audit and asking for social security numbers. Note that no legitimate entity will ever make an unsolicited request for confidential information over the phone, via text, or through a social media platform.
There are several negative effects of a phishing attack, including significant financial implications. According to IBM, the average cost of a data breach is 3.86 million dollars. IC3 found that phishing scams are among the costliest types of breaches, with U.S. businesses suffering adjusted losses of more than $54 million last year. Nearly all (97.25%) phishing emails contain some form of ransomware, and these communications can have both short- and long-term ramifications. In addition to the financial burden, they can introduce viruses, halt productivity, and compromise sensitive data on a broader scale. Depending on an incident’s scope, there can also be negative impacts to a company’s reputation, which can have wide-reaching financial and operational repercussions.
Your employees should always be your first line of defense. If staff doesn’t click on suspicious communications, you can avoid many of the negative consequences of a phishing attack. To ensure your staff is aware of the effects of phishing and its role in mitigating risk, you should provide ongoing training that introduces the different types of phishing and provides practical ways to identify and deal with them. In addition, employees should be encouraged to report suspected phishing. Currently, only 3% of technology users report phishing emails to management. By identifying potential attacks early on, your company can alert users and possibly avoid a breach.
It is also important to install IT safeguards, including anti-virus software, firewalls, and two-factor or multi-factor authentication that can limit phishing and provide early warnings if there is a security compromise. Keeping cybersecurity protections up to date is critical. By introducing automatic software updates, you can make sure your systems remain current without overtaxing staff.
Restricting the number of people in the company that have access to sensitive and confidential information can further reduce risk. You may want to consider providing additional training to those employees who access confidential information as part of their job, so they fully appreciate the criticality of their role in avoiding a data breach. Encrypting sensitive data is also essential to limit the risk of use in the event a scammer can access data.
In conjunction with training and technology safeguards, your organization should make sure its physical security is robust. By having visible surveillance cameras, locked offices and desks, regularly scheduled professional document destruction, secure data backups, and policies that promote best data security practices, your organization can foster a culture of security where all staff have a heightened awareness of the risks and know the key role they play in minimizing them.
What Should You Do if Your Company Experiences a Phishing Attack?
In the event of a phishing attack, there are a few things to do immediately. First, notify your employees to change their passwords to prevent further infiltration and safeguard your company’s sensitive information. At the same time, you should verify that your virus scans have not uncovered any suspicious issues. You may want to take this opportunity to examine all your cybersecurity measures to make sure they are adequately protecting you from potential threats. Email authentication technology, for example, can help prevent phishing emails from reaching your company’s inboxes in the first place. If the phishing attack results in a data breach, where sensitive information is compromised, be sure to follow your company’s data breach procedures to protect both employees and customers. Also, report the attack to the Anti-Phishing Working Group and the Federal Trade Commission. Finally, use the experience as a teachable moment and provide training to staff on how to prevent such an attack in the future.
Learn more about how Shred-it can help your company improve its information security program.