According to Templafy.com, in the period from 2014 to 2018, the average office worker received 90 emails each day. 40 of these emails, or five per hour, were directly related to business operations. This average includes personal correspondence, follow-up emails, requests for information, initial contacts—and potential, attempted or successful cyber attacks known as phishing.
The goal of phishing is to imitate an email from a legitimate source in order to convince the recipient to reveal confidential or sensitive information such as login credentials, bank account numbers and credit card details, or to take an action that benefits the attacker. Some phishing emails need the recipient to click a link or type information into a form; others carry a malicious attachment, so that opening it is enough.
In nearly every successful case, the recipient is guilty of nothing but poor judgment—but nonetheless, the damage is done, compromising the security of the business, exposing sensitive information and eroding public confidence.
How Phishing Works
There are several types of phishing, and most are designed to look innocent and legitimate. The FBI's 2017 Internet Crime Report puts losses from business email compromise (BEC), the fraud these emails enable, at $676 million in 2017 alone, nearly double the $360 million reported for the previous year.
You may get an email from a look-alike of your company's domain (madeupcompany.co.uk, say, when your actual company domain is madeupcompany.com). Okay, maybe it's from the UK office. There might be a slight change in the sender's address, such as "someone" when you usually correspond with "somebody." Happens all the time, right? Person A changes their email address for security purposes and forgets to let Person B know. The email has a vague or off-topic subject line, but you "know" this person and open it anyway, thinking it comes from a trusted source. The subject line may include your first name, such as, "Bob, here are those documents you requested." It's not terribly specific, which naturally makes many users ask, "Which documents? I need to find out. I think I remember that conversation…"
The email is opened. The attack has begun.
Common attacks of this type include:
- Phishing, in which an email purporting to be from a legitimate company asks you to log in to its site to verify your account or resolve an issue by clicking a link. The email looks legitimate, but the link leads to a spoof site. When you enter your login credentials there, the attackers have them, which gives them access to your account with that company and a foothold for compromising further sensitive information.
- Spear Phishing is a more targeted form of phishing. It uses specifics such as your name, phone number, your company's name and your position in it to give the illusion of a previously existing connection, making it more likely you'll click a link or provide the requested information because the message appears to come from a trusted source.
- Whaling uses the psychology of power structures against the unwary. The attacker poses as a high-level company official, such as a vice-president or someone in the C-suite, and crafts emails that look like legitimate requests for information originating within the company. This sort of attack asks for sensitive information such as passwords, login details or financial information like credit card numbers and other identifiers.
- Shared Document Phishing uses the ubiquity of the connected, collaborative workplace as its weapon of choice. You receive a legitimate-looking email purporting to be from Google Drive or Dropbox, encouraging you to sign in to view or edit a shared document. As you might have guessed by now, when you log in, you're actually on a spoof site and handing your credentials directly to the attacker.
- Document Signature Scams rely on the rise in electronic signatures to lure in victims. "Hey, Bob, here are those documents. Can you sign them and send them back to me today?" Because of the erroneous belief that e-signing is completely secure, this is the most successful type of phishing scam, with around a 7% success rate. If that doesn't sound like much, consider that phishing attacks in total succeed only around 3% of the time, and that small fraction is enough to account for business losses of around two-thirds of a billion dollars in 2017.
How to Protect Against Phishing Attacks
While it may seem at odds with the open, responsive culture that grows a business, a healthy dose of suspicion and a few basic countermeasures will stop most phishing attacks before they ever get started. By following the basic steps below, you can help prevent phishing from compromising sensitive information. Always remember: you are the first and most important line of defense against phishing and other cyber attacks!
- Never, under any circumstances, share your login credentials or other sensitive information with anyone, especially over email. Assume anyone who has a valid need for such information has access to other methods of obtaining it without using email to ask you for it. No one in your company should ever ask you for sensitive information such as banking details or login credentials over email!
- Always check the subject line and the sender's actual address, not just the display name. If anything, no matter how innocuous, doesn't look right, do not open the email or click anything in it. Verify with the purported sender through a channel you already trust, such as a phone number you already have on file, a known website, or in person, and never by replying to the suspect email. If the person denies having sent the email, contact us immediately.
- Use specific subject lines rather than vague ones. Instead of saying, “Bob, here are the documents you requested,” use, “February Bills of Lading for MadeUpCompany.com as requested by Bob Johnson on [date].” This may seem needlessly pedantic, but clearly stated subject lines which include information establishing the sender’s bona fides and offering specifics about the contents of the message can help validate authentic emails. It also helps make emails with less specific subject lines more evident and suspicious by contrast.
- If you don't routinely receive emails from high-ranking company employees and suddenly get one, ask your manager or supervisor whether it's a legitimate communication before acting on it. A phishing campaign rarely targets only one person, so if you received it, colleagues probably did too, and the more widely it spreads, the greater the chance that sensitive information is compromised.
- Never click on a link, shared document, image or attachment you were not expecting, regardless of the type of file or how legitimate the source appears, without verifying personally with the sender. Compressed and executable files, such as those with the file extensions .zip or .exe, should be considered especially suspect, but treating all links and attachments as potential threats will help increase security and curb attacks before they have a chance to get properly underway.
- Look for suspicious or incorrect domain names. MadeUpCompany.com and MadeUpCompany.co are not the same, and a link that merely contains your company's name, such as madeupcompany.com.somethingelse.net, belongs to somethingelse.net, not to you. Inspect every domain name and link you encounter, hover over links to see where they actually point, and make sure they take you somewhere you know to be legitimate. If anything doesn't look right, no matter how small, or even if you just see something which makes you say, "That's odd," there's a good chance the email is an attack.
- When in doubt, assume the worst. Contact your supervisor and/or us immediately, so we can determine whether the email is legitimate or a phishing attempt.
- If the email comes with a banner warning it originated from an outside source, do not open or click anything within. Report it immediately. Remember, the success of a phishing attempt hinges on making the email look as innocuous and legitimate as possible.
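The header and link checks the list above asks you to do by eye (sender domain, look-alike spellings, where a link really points) carried out in code, as an added example that is not part of the original article or BACS's own tooling. It assumes the company's real domain is madeupcompany.com, the placeholder used on this page; the email it inspects is constructed for the example and combines the tricks described under "How Phishing Works": a homoglyph sender domain, a display name showing the legitimate address, a Reply-To on a .co look-alike, and a shared-document link whose text shows one host while the href points at another. The look-alike matching is a heuristic; a production check would use the Public Suffix List and a curated list of partner domains.

```python
"""Heuristic checks for a suspicious email (added example, not BACS's own tooling).

Assumed: the real company domain is madeupcompany.com (the article's placeholder).
The message below is constructed for this example.
"""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "madeupcompany.com"  # assumption: the organisation's real domain

# Substitutions attackers use to build look-alike names (illustrative, not exhaustive).
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("-", "")]

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def normalize_label(label: str) -> str:
    """Undo common homoglyph tricks so 'rnadeupc0mpany' compares as 'madeupcompany'."""
    label = label.lower()
    for fake, real in SUBSTITUTIONS:
        label = label.replace(fake, real)
    return label


def classify_domain(domain: str) -> tuple:
    """Return (verdict, reason) with verdict 'trusted', 'lookalike' or 'external'."""
    d = domain.lower().rstrip(".")
    if d == COMPANY_DOMAIN or d.endswith("." + COMPANY_DOMAIN):
        return "trusted", "company domain or one of its subdomains"
    target = COMPANY_DOMAIN.split(".")[0]  # 'madeupcompany'
    for label in d.split("."):
        n = normalize_label(label)
        if n == target:
            # Catches madeupcompany.co and madeupcompany.com.evil.net alike: the
            # company name appears, but the registered domain is someone else's.
            return "lookalike", f"label '{label}' imitates '{target}'"
        if SequenceMatcher(None, n, target).ratio() >= 0.8:
            return "lookalike", f"label '{label}' is a near miss for '{target}'"
    return "external", "unrelated domain"


def host_of(text: str):
    """Hostname shown in link text, or None when the text is not a URL or domain."""
    text = re.sub(r"<[^>]+>", "", text).strip()
    if not re.match(r"^(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/|$)", text):
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def body_text(msg) -> str:
    """First text part of the message, decoded (single-part or multipart)."""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyze(raw: str) -> dict:
    """Run the sender, Reply-To and link checks; return the address and findings."""
    msg = message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    verdict, reason = classify_domain(from_domain)
    if verdict != "trusted":
        findings.append(f"From domain {from_domain}: {verdict} ({reason})")

    # Display name carrying a company address while the real sender is elsewhere.
    m = re.search(r"@([A-Za-z0-9.-]+)", display)
    if m and m.group(1).lower() != from_domain:
        findings.append(f"display name shows @{m.group(1)} but the mail is from @{from_domain}")

    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"replies go to {reply_domain}, not {from_domain}")

    for href, text in LINK_RE.findall(body_text(msg)):
        href_host = (urlparse(href).hostname or "").lower()
        verdict, reason = classify_domain(href_host)
        if verdict != "trusted":
            findings.append(f"link to {href_host}: {verdict} ({reason})")
        shown = host_of(text)
        if shown and shown.lower() != href_host:
            findings.append(f"link text shows {shown} but points to {href_host}")
    return {"from": addr, "findings": findings}


# Constructed sample message, not a real capture.
SAMPLE = """\
From: "jane.smith@madeupcompany.com" <jane.smith@rnadeupcompany.com>
Reply-To: jane.smith@madeupcompany.co
To: bob.johnson@madeupcompany.com
Subject: Bob, here are those documents you requested
Content-Type: text/html; charset="utf-8"

<html><body><p>Bob, please sign today:</p>
<a href="https://madeupcompany.com.files-share.net/login">https://drive.madeupcompany.com/share/Q1-invoices</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE)["findings"]:
        print("-", finding)
```

Run stand-alone it prints five findings for the sample: the homoglyph From domain, the display-name mismatch, the Reply-To diversion, the look-alike link host, and the link text that disagrees with the href. Each one is a reason to stop and verify with the sender through a channel you already trust.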
Is There More We Can Do to Prevent Phishing?
Following good email security practices can stop most phishing attempts in their tracks. BACS has recently partnered with Proofpoint Email Security to filter such emails, but any automated filtering system, no matter how sophisticated, is still only a tool. You are and always will be the first line of defense against cyber attacks, including stopping phishing attempts before they start.
The BACS Consulting Group Is A Team Of Highly Trained IT Professionals Available To Help At A Moment's Notice
BACS has developed training programs specifically designed to help harden your company communications against cyber attacks such as phishing. If we haven't already, we'd like to speak more to you about these programs and how BACS can help prevent these attacks before they begin, and limit the damage if they succeed. Email us at firstname.lastname@example.org or call (650) 887-4601 for more information on preventing cyber attacks and other threats which can compromise your business's function and security.