Phishing is one of the most pernicious forms of cybercrime, largely because it is often deployed through an otherwise innocuous medium: email. Targeted email phishing attacks can hamstring and compromise a business or even cause it to lose a considerable amount of money with no promise of recompense.
Businesses are less immune to these scams than ever before. The 2020 State of the Phish Report by the security firm Proofpoint found that 55% of responding organizations had been the target of a successful phishing attack over the previous year. While there were fewer overall attacks than in years past, the report still points out that phishing scams are getting more sophisticated, partly by targeting more susceptible individuals and organizations.
Likewise, the FBI’s 2019 Internet Crime Report indicates that its office receives 340,000 complaints of phishing-related cybercrime per year. Last year alone, victims of these attacks lost a total of $3.5 billion, the largest single-year amount on record.
Those numbers certainly sound scary, especially when you desperately want your business to avoid being compromised. Fortunately, there are ways to protect against these attacks. The first step is becoming more aware of the types of attacks that can be levied against you.
How Do Phishing Scams Work?
You’re probably familiar with the basics of a phishing attack. Cybercriminals send emails to individuals, businesses, or employees of that business with the intent of fooling them into divulging sensitive information, getting them to click on a malicious link, or coercing them to download a dangerous attachment. “Spear phishing” is a specific type of cyberattack that targets an individual or business. These attacks differ from bulk phishing in that they are often more sophisticated and require the gathering of additional intel to be completed successfully. Bulk phishing, by contrast, simply casts a wide net in order to catch as many potential marks as possible.
In almost all cases, fraudsters use some form of “social engineering” to achieve their desired goals. Essentially, they attempt to trick or manipulate employees by appearing as legitimate as possible. You’re more likely to download an attachment or click on a link if you think you received that information from a trusted co-worker, boss, or friend.
In fact, in some cases, fraudsters can simply impersonate fellow co-workers or high-ranking executives to request the transfer of large sums of money to fraudulent locations. This is typically referred to as “business email compromise” (BEC). Cybercriminals can hack or phish their way into prominent email accounts, or they can simply set up a mock account that mimics the account of an important figure in the business. According to the FBI report mentioned above, the bureau received over 23,000 complaints in 2019 relating to BEC attacks with total losses of around $1.7 billion for businesses and consumers.
Even major tech players like Google and Facebook aren’t safe from BEC fraudsters. Both companies were fleeced out of $100 million between 2013 and 2015 by one man pretending to be a company with whom the corporate giants did business. Although the scam artist was prosecuted in 2019, this story is certainly a cautionary tale.
Of course, there are all sorts of methods that scam artists use to try to infiltrate and defraud businesses. These tactics are often used in conjunction with one another to lend plausibility to the scheme. Some of them include:
- Smishing – a combination of SMS text messaging and phishing in which victims are targeted through text messages.
- Vishing – a similar concept that combines voice communication with phishing.
- Ransomware – a type of malware delivered through malicious links, attachments, or other downloads that effectively holds important data hostage until the business pays a ransom. (It should be noted that the FBI cautions against paying any ransom: there is no guarantee that the fraudsters will release your data, and giving them money often just emboldens them.)
How to Avoid Getting Scammed
Now that you understand the basics of phishing, it’s important to know what you can do to stop it from happening to you or your business. Again, part of the solution is simply being aware that these types of attacks can happen at any time. In fact, the 2020 State of the Phish report showed that 78% of organizations were less susceptible to attacks simply by educating their employees or members about these common tactics. But how do you get everyone on board?
Make Security a Key Priority
It isn’t enough to simply pay lip service to maintaining a high degree of cybersecurity. Everyone in your business or organization is at risk of a targeted phishing attack, and neglecting to educate everyone can leave glaring holes in your overall security.
Institute a company-wide awareness program that highlights the methods often used by cybercriminals. Make it a policy for employees to double check with the sender of an email if the message in question is suspicious or is asking the recipient to click a link, download an attachment, or even transfer funds. Also, make sure to keep reinforcing these ideas and ensuring that new hires get the full breakdown, as well.
Find Out Who is Being Targeted and with What Tactics
If a phishing attack works and you see a loss as a result, don’t panic or overreact. Simply identify who is being targeted and focus your security awareness programs on them. In some cases, an entire department might have been the subject of an attack. In other cases, the CFO is the target.
It’s also important to identify the tactics used by the fraudsters to ensure that everyone in your organization is on the lookout. For instance, if the phishing culprit asks for a password reset or requests some specific data, make sure that everyone in your organization is aware. If everyone is on the same page, they will be less likely to surrender information or click a link without double checking first.
Check the Sender’s Address
Phishing attacks occur under numerous scenarios, and it’s a good idea to have a clear understanding of how these scams manifest. In many cases, you may recognize the name of a sender. For instance, if your CTO is Barbara Johnson, then her sender name in an email will likely say “Barbara Johnson.”
But anyone can use the sender name “Barbara Johnson,” and they can even mimic her signature and writing style. If “Ms. Johnson” sends you a suspicious email requesting sensitive data, look past the display name at the actual email address it came from, and confirm the request with her through a separate channel before acting on it.
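The display-name check above can be automated. The following is an added example, not code from the original article: it parses a raw From: header and flags the three impersonation patterns just described (a colleague’s name on an outside address, a look-alike domain, and an address embedded in the display name). The internal domain, the staff directory, and the sample headers are all constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed directory for this example: the organisation's own domains and
# the real address of each known colleague, keyed by lower-cased display name.
INTERNAL_DOMAINS = {"example.com"}
KNOWN_STAFF = {"barbara johnson": "bjohnson@example.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_from_header(from_header):
    """Return a list of warnings for one raw From: header value (empty list = nothing odd)."""
    display_name, address = parseaddr(from_header)
    address = address.lower()
    if "@" not in address:
        return ["missing or unparseable sender address"]
    domain = address.rsplit("@", 1)[1]
    warnings = []
    # 1. Display name is a known colleague, but the address is not that colleague's.
    expected = KNOWN_STAFF.get(re.sub(r"\s+", " ", display_name).strip().lower())
    if expected and address != expected:
        warnings.append(f"display name '{display_name}' belongs to {expected}, "
                        f"but the message came from {address}")
    # 2. Domain is not ours but is one edit away from one of ours (look-alike domain).
    for internal in INTERNAL_DOMAINS:
        if domain != internal and edit_distance(domain, internal) <= 1:
            warnings.append(f"look-alike domain {domain} resembles {internal}")
    # 3. Display name itself contains an address that differs from the real sender.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display_name)
    if embedded and embedded.group(0).lower() != address:
        warnings.append(f"display name shows {embedded.group(0)} but the real sender is {address}")
    return warnings

# Constructed sample headers: one legitimate message and three impersonation patterns.
SAMPLE_FROM_HEADERS = [
    "Barbara Johnson <bjohnson@example.com>",
    "Barbara Johnson <barbara.johnson.cto@mail.example>",
    "Barbara Johnson <bjohnson@examp1e.com>",
    '"bjohnson@example.com" <contact@invoices.example>',
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(header, "->", check_from_header(header) or "ok")
```

A warning is a prompt to verify with the colleague out of band, not proof of fraud; legitimate mail from personal or partner domains will also trip the first check.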
To Sum it All Up
Scam artists are becoming more and more sophisticated, and it’s no longer a question of if you’ll get attacked but when. Prepare your team and exercise caution, because a phishing attack could happen at a moment’s notice. But if you institute the right training, you’ll mitigate the risk substantially.