July 14, 2015

Employee Alert: Critical Insights on Preventing Phishing Scams

A Faculty Services Employee newsletter at the University of Washington recently warned its readers about a phishing scam that was posing as the university’s payroll office and asking for login information, social security numbers and bank account information. “We would never ask for sensitive, personal information via email,” commented a payroll spokesperson.

Of course, you’d think that most employees could identify phishing scams by now.

But that’s not always the case.

Verizon’s 2015 Data Breach Investigations Report found that a campaign of just 10 phishing emails gives the attacker a better than 90% chance that at least one recipient takes the bait. Furthermore, in sanctioned tests involving 150,000 phishing emails, nearly 50% of recipients opened the email and clicked the link within the first hour.

Here's how to identify and protect your business from phishing scams: 

  • Phishing scams are often quite legitimate-looking email messages. They are carefully designed to lure recipients into either downloading a malicious file attachment or clicking a link to a malware- or exploit-laden site, or to a fake login page that asks for confidential information. Cyber criminals target employees because a single compromised account or workstation gives them a foothold in the organization’s network.
  • Phishing is more widespread than anyone would imagine. There are 156 million phishing emails sent out daily, says international information systems specialist Teju Herath in an online story. Of those, 16 million get through filters and eight million are opened by recipients; 800,000 recipients click on the link provided, and 80,000 provide the information requested.
  • Every business and industry is at risk. The Verizon report showed that communications, legal and customer service departments were most vulnerable.
  • Hackers are highly organized and do their research. Security software firm Trend Micro reported that 91% of all cyber attacks begin with an email targeted at a specific individual within an organization. This is known as spear phishing.
  • Social media sites are a source for criminals. Sites such as Facebook and LinkedIn provide lots of information about targets. In a Software Advice survey, almost half (44%) of employees said they accept invitations from strangers on social media “most of the time” or “sometimes”.  
  • Employees can be the weakest link. Over one third (39%) of employees surveyed by Software Advice admitted to opening emails they suspected were fraudulent or contained malware.
  • It’s not just financial information that criminals are after. Herath said there are as many attempts to get personal or business information. The confidential information will be used for further illegal activity.
  • Criminals time their attacks. Most phishing emails are sent when employees tend to rush through their emails – between four and six in the morning and then late in the afternoon, especially on Friday.
  • Employees can help prevent phishing attacks. While technologies (spam-blocking and filtering solutions, and detection and response capabilities) are recommended, effective awareness and training can reduce the share of people who fall victim to potentially less than 5%, said Lance Spitzner, Training Director, SANS Securing the Human, in the Verizon report. Training should be ongoing and cover phishing markers (spelling mistakes, odd wording, a sense of urgency, unrealistic threats, sender or reply-to addresses that do not match the claimed organization, links whose visible text does not match where they actually point) and appropriate responses (verify suspicious requests out of band, for example by phone using a number you already have, and report or delete the message rather than replying). According to Software Advice, 61% of employees do not receive regular security awareness training.
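The phishing markers listed above can also be checked mechanically before a message ever reaches an employee. The following Python script is an added example, not part of the original article or of any product it mentions: it parses a raw email, flags a Reply-To domain that differs from the From domain, links whose visible text names one domain while the href points to another, links outside the sender’s domain, urgency language, and requests for credentials or financial data. The two email samples are constructed for illustration and use reserved example.* domains; the keyword lists and the registrable-domain helper (which takes the last two labels instead of consulting a public-suffix list) are simplifications chosen for this example.

```python
"""Heuristic phishing-marker checks over a raw email (added example, not the article's own tooling)."""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Keyword lists are an assumption for this example; a real filter would tune them.
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "urgent", "verify your account")
SENSITIVE_WORDS = ("password", "social security", "bank account", "login")


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain by the last two labels (assumption: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def address_domain(addr):
    """Registrable domain of the first mailbox in an address header, or '' if none."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return registrable_domain(m.group(1)) if m else ""


def check_email(raw: bytes) -> list:
    """Return a list of human-readable findings; an empty list means no marker fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    from_dom = address_domain(str(msg.get("From", "")))
    reply_dom = address_domain(str(msg.get("Reply-To", "")))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    collector = _LinkCollector()
    collector.feed(text)
    for visible, href in collector.links:
        href_host = urlparse(href).hostname or ""
        shown = re.search(r"(?:[\w-]+\.)+[a-z]{2,}", visible.lower())
        if shown and registrable_domain(shown.group(0)) != registrable_domain(href_host):
            findings.append(f"link text shows {shown.group(0)} but points to {href_host}")
        elif href_host and registrable_domain(href_host) != from_dom:
            findings.append(f"link to {href_host} is outside sender domain {from_dom}")

    plain = re.sub(r"<[^>]+>", " ", text).lower()
    hits = [w for w in URGENCY_WORDS if w in plain]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    hits = [w for w in SENSITIVE_WORDS if w in plain]
    if hits:
        findings.append("asks for sensitive data: " + ", ".join(hits))
    return findings


# Constructed sample: a payroll-themed phish using reserved example.* domains.
PHISH = b"""\
From: Payroll Office <payroll@example.edu>
Reply-To: payroll-verify@example.net
Subject: Action required: payroll account suspended
Content-Type: text/html; charset=utf-8

<p>Your account will be <b>suspended within 24 hours</b> unless you verify
your login, Social Security number and bank account details at
<a href="http://payroll-example-edu.example.net/verify">https://payroll.example.edu/verify</a>.</p>
"""

# Constructed sample: a benign notice whose link matches both its text and the sender.
LEGIT = b"""\
From: Payroll Office <payroll@example.edu>
Subject: June pay statement available
Content-Type: text/html; charset=utf-8

<p>Your pay statement for June is available at
<a href="https://payroll.example.edu/statements">https://payroll.example.edu/statements</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, check_email(sample))
```

Nothing here replaces filtering or training: the checks are cheap signals that a mail gateway or a user-facing "report phishing" button can surface, and a careful attacker can avoid all of them (for example by using a matching display text and a lookalike domain that the last-two-labels heuristic does not catch).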

Security awareness training and a comprehensive security policy are crucial to protecting your business. You should also simplify document handling with a shred-all policy to avoid having staff mishandle a confidential document or file and reduce the risk of a data breach. Learn more about how to protect your information with paper shredding services.