Is Phishing Still a Problem?
The short answer is yes. The long answer is that it is a growing problem for businesses, one that demands stronger defenses every day.
Phishing is the most popular attack vector for criminals and has grown 65% in the last year, according to Retruster.
Datashield is here to explain phishing, how attacks have affected businesses, how this form of cybercrime is growing, and how to defend against them.
Phishing Definition: Phishing is a cyber attack that uses email as its method of attack. The objective is for the recipient to believe the message is legitimate and to click a link or open an attachment.
Malicious links lead to a website that often steals login credentials or financial information such as credit card numbers. Attachments in phishing emails can contain malware that, once opened, leaves the door open for the attacker to perform malicious actions from the user’s computer.
The term “phish” is a reference to fishing: throwing out a hook and hoping to catch something juicy.
Who is phishing?
Because it requires little skill to launch, phishing is a popular choice for cyber criminals. Many of them use phishing kits, which include all the technical materials needed to launch a phishing campaign.
More advanced phishing methods like spoofing (pretending to send emails from a legitimate source), spear phishing (personalizing emails to target specific people), and whaling (targeting high-level executives) remain popular and are even harder to detect by eye alone.
Who is targeted?
Phishing targets private individuals every day. Cyber criminals also target businesses.
Business email compromise (BEC) scams accounted for over $12 million in losses last year, according to Retruster.
Contrary to popular belief, phishing attacks are launched against small and medium-sized businesses with shocking regularity. And while the most commonly targeted industries are Software-as-a-Service and webmail organizations, social media and e-commerce companies also top the list.
Businesses targeted by phishing
Here are some of the biggest phishing attacks recorded, according to The SSL Store:
Tech giants Facebook and Google were scammed out of $100 million between 2013 and 2015 through an elaborate fake invoice scam.
U.S. drug company Upsher-Smith Laboratories lost over $50 million in just three weeks in 2014. Attackers impersonated the company’s CEO and were able to convince the company’s accounts payable coordinator to make nine wire transfers.
Higher education wasn’t immune from phishing. MacEwan University in Canada had $11.8 million taken in 2017 when phishers imitated construction companies and sent fake invoices.
Lasting effects of Phishing
Beyond monetary damages, businesses that are breached lose public trust and must work to secure their systems and databases.
Many companies are required to notify their customers of a breach and to pay regulatory fines, and they lose customers as a result.
How to defend against phishing attacks
Use advanced tools
Do not rely on built-in spam filters and junk folders to catch malicious emails. A secure email gateway in your organization strengthens your defenses and automatically applies policies and playbooks that stop certain emails from ever reaching your employees’ inboxes.
A gateway does not cover a breach that is already under way or its remediation; it is only the first line of defense against a breach.
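To make the gateway policies and the “identifying spoofing” training above concrete, here is a small added example (not Datashield’s code) that applies a few spoofing checks to a constructed message: a display name that claims a different domain than the real sender, a Reply-To that redirects replies elsewhere, and SPF/DKIM verdicts recorded by the receiving server. The headers, domains and addresses are all made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a fake-invoice message whose display name impersonates
# the target company while the real sender and Reply-To live elsewhere.
SUSPICIOUS_MESSAGE = """\
Return-Path: <billing@invoice-portal.example>
Authentication-Results: mx.bigcorp.example; spf=fail smtp.mailfrom=invoice-portal.example; dkim=none
From: "ap@bigcorp.example via Invoice Portal" <notify@invoice-portal.example>
Reply-To: ap-team@invoice-portal.example
To: coordinator@bigcorp.example
Subject: Overdue invoice - wire transfer required today

Please process the attached invoice by wire transfer today.
"""

# Constructed sample of a legitimate internal message for comparison.
CLEAN_MESSAGE = """\
Authentication-Results: mx.bigcorp.example; spf=pass smtp.mailfrom=bigcorp.example; dkim=pass
From: "Accounts Payable" <ap@bigcorp.example>
To: coordinator@bigcorp.example
Subject: Q3 invoice summary

Attached is the quarterly summary.
"""

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def spoofing_indicators(raw: str) -> list[str]:
    """Return the reasons a message looks spoofed; an empty list means none found."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reasons = []
    # 1. An address embedded in the display name that belongs to another domain.
    for embedded in re.findall(r"[\w.+-]+@[\w.-]+", display):
        if domain_of(embedded) != from_domain:
            reasons.append(f"display name shows {domain_of(embedded)} but sender domain is {from_domain}")
    # 2. Reply-To steering replies to a domain other than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        reasons.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")
    # 3. SPF/DKIM/DMARC verdicts the receiving mail server wrote into Authentication-Results.
    auth = msg.get("Authentication-Results", "").lower()
    for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if verdict != "pass":
            reasons.append(f"{mech} result is {verdict}")
    return reasons
```

A gateway would turn such indicators into a quarantine or banner policy; in training, the same three questions are what employees can check by eye.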
Require Two-Factor Authentication (2FA)
By requiring two-factor authentication, email users must verify their identity in a second form (e.g. a text message, mobile app, or security token). This helps prevent unauthorized users from accessing an email account without that second factor, and an unexpected prompt can warn legitimate users that someone is trying to access their account and that they should update their credentials.
Create a password policy
Password hygiene (creating strong passwords and changing them) is more important than ever. Requiring employees to change their passwords often and to follow strength guidelines makes stolen credentials harder to use. Criminals looking to use credentials they stole or purchased on the dark web will find that, because passwords change often, their outdated credentials have lapsed and are worthless.
Of course, this does not help against credentials that have already been exposed, but it can prevent breaches in the future.
Above all, educate your employees and coworkers. Providing education and training around password hygiene, common phishing techniques (identifying spoofing and suspicious messages), and the effects of phishing scams will communicate the importance of email security.
There is no single solution or strategy to fight phishing campaigns. If your organization has questions about how to create a truly resilient email security environment and manage your cybersecurity, contact us for a hassle-free consultation.