How to Stop Employees From Falling Victim to Phishing Emails
We’ve all seen (or at least heard of) the most famous example of a phishing attack: the Nigerian Prince scam. Hand over your social security number and some banking details, and you can supposedly net a fortune for “safeguarding” some foreign funds.
Of course, most of us are too savvy to fall for such an obvious ploy; scammers, however, have grown more subtle in their attempts to trick well-meaning email users into parting with sensitive information.
How Often are Employees Clicking on Phishing Emails?
In its 2016 Data Breach Investigations Report, Verizon found that 30 percent of phishing messages were opened by the recipient, and 12 percent of recipients went on to click the malicious attachment or link. The timing is the troubling part: the median time from a campaign’s first message landing to the first open was 1 minute 40 seconds, and to the first click 3 minutes 45 seconds, which leaves a security team almost no window to react.
These figures include corporate email users. The volume of campaigns is just as striking: in the second quarter of 2016, the Anti-Phishing Working Group tracked more than 400 brands being impersonated in phishing schemes each month.
Over the same period, Kaspersky Lab reported that 8.7 percent of its users were targeted by phishing attempts.
Types of Phishing Schemes
Deceptive phishing
The most common type, deceptive or “traditional” phishing, is carried out primarily through email. The messages rely on a sense of urgency, stressing the consequences of inaction, such as a suspended account or deleted information.
Historically, the links in these emails led to counterfeit sites built to capture user information, particularly usernames and passwords. Increasingly, the messages instead carry attachments or links that install persistent malware on the victim’s machine.
Spear phishing
These schemes are customized to the individual target. The sender mines social media profiles, such as LinkedIn, for the target’s name, position, responsibilities and other pertinent details.
With that data in hand, the scammer can manufacture a false sense of familiarity, for example a message that appears to come from a business partner or subsidiary.
Whaling
Like spear phishing, whaling is highly targeted, but the targets are CEOs and other senior executives. High-ranking personnel are sometimes more susceptible to these efforts because they routinely skip the security awareness training given to other employees.
If the first phase of a whaling attempt succeeds, scammers routinely use the executive’s credentials to commit larger fraud, such as authorizing wire transfers from the compromised email account.
Pharming
These attacks do not target your business directly; instead they attack the Domain Name System (DNS) that underpins the internet. By poisoning DNS responses, the scammers redirect traffic meant for a legitimate site to a malicious one while the browser’s address bar still shows the legitimate address, so a correct-looking address is not, by itself, proof that a site is genuine.
What Can You Do?
Your first line of defense is an email filtering system that accounts for known tricks such as sender spoofing; enforcing SPF, DKIM and DMARC on inbound mail lets the filter reject messages that claim to come from domains they did not. Require multi-factor authentication so that a phished password is not enough on its own, and segment your network to limit how far an attacker can move if an account or user is compromised. Actively monitor your network for suspicious activity or data exfiltration to shorten response times.
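As an added example (not code from the original article), the filtering checks described above can be expressed as a small scan over a raw message. It flags display-name spoofing, a lookalike sender domain, a Return-Path or Reply-To that disagrees with the From domain, failed SPF/DKIM/DMARC verdicts in the Authentication-Results header, urgency wording, links to hosts outside a trusted set, and executable or macro-enabled attachments. Everything it relies on is an assumption for the demonstration: the `TRUSTED_DOMAINS` list, the extension and keyword lists, and the sample message, which is constructed rather than captured.

```python
"""Heuristic scan of a raw email for common phishing indicators.
Added example, not code from the original article; standard library only. The
trusted-domain list and the sample message below are constructed assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com", "bank.example"}  # assumption: own and partner domains
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm")
URGENCY = re.compile(r"suspend|immediately|within 24 hours|verify your account", re.I)
URL_HOST = re.compile(r"https?://([^/\s\"'>]+)", re.I)


def domain_of(addr):
    """Lower-cased domain of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_trusted(domain):
    """True for a trusted domain or any of its subdomains."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike_of(domain):
    """Trusted domain that `domain` imitates (digit swaps, appended labels), or None."""
    if not domain or is_trusted(domain):
        return None
    folded = domain.replace("0", "o").replace("1", "l").replace("rn", "m")
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted or trusted in domain:  # examp1e.com, example.com.evil.net
            return trusted
    return None


def text_of(msg):
    """Decoded text of every plain or HTML body part of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_message):
    """Return human-readable indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    found = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    # Display-name spoofing: the visible name carries an address from another domain.
    name_dom = domain_of(parseaddr(name)[1])
    if name_dom and name_dom != from_dom:
        found.append(f"display name shows {name_dom} but sender is {from_dom}")
    target = lookalike_of(from_dom)  # examp1e.com, bank.example.evil.net, ...
    if target:
        found.append(f"sender domain {from_dom} imitates {target}")
    # Envelope sender or Reply-To routed somewhere other than the From domain.
    for header in ("Return-Path", "Reply-To"):
        dom = domain_of(parseaddr(msg.get(header, ""))[1])
        if dom and dom != from_dom:
            found.append(f"{header} domain {dom} differs from From domain {from_dom}")
    # SPF/DKIM/DMARC verdicts stamped by the receiving mail server.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|permerror)", auth):
            found.append(f"{mech} failed")
    # Urgency wording and links to hosts outside the trusted set.
    text = msg.get("Subject", "") + "\n" + text_of(msg)
    if URGENCY.search(text):
        found.append("urgency language")
    for host in URL_HOST.findall(text):
        host = host.lower().split(":")[0]
        if not is_trusted(host):
            found.append(f"link to untrusted host {host}")
    # Executable or macro-enabled attachments.
    for part in msg.walk():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXTENSIONS):
            found.append(f"risky attachment {fname}")
    return found


# Constructed sample: a lure imitating bank.example, with a macro-enabled attachment.
SAMPLE_PHISH = """\
Return-Path: <bounce@mailer-4421.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-4421.net; dmarc=fail header.from=bank.examp1e
From: "Bank Security <alerts@bank.example>" <alerts@bank.examp1e>
Reply-To: support@mailer-4421.net
Subject: Your account will be suspended within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Verify your account immediately at http://bank.example.login-check.net/verify
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="statement.docm"

UEsDBA==
--b1--
"""

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE_PHISH))
```

Two caveats when adapting this. The Authentication-Results check only means something if your own mail server stamps that header after evaluating SPF, DKIM and DMARC; a message with no such header should be treated as unauthenticated, not as clean. Subdomains of trusted domains are accepted, so `mail.example.com` does not trip the lookalike check, while `example.com.evil.net` does.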
Security awareness training
No matter how sophisticated your email filtering may be, your business remains vulnerable to phishing because these attacks do not target your IT systems; they target your employees.
Phishing relies on social engineering to trick employees into trusting a fraudulent source, and the most reliable way to blunt it is a savvy, well-educated workforce.
Provide all employees, key executives included, with regular security awareness training. Consider running phishing simulations that put would-be victims in the position of a real target, so they practice spotting the lure without the consequences.
Give staff a simple mechanism for reporting suspicious emails, and make sure they know how to escalate a potential threat. Of the 636,000 phishing emails in the Verizon study mentioned earlier, only about 3 percent of recipients alerted management to a potential phishing attempt.
Scammers constantly devise new techniques to fool your employees, and your business needs to be equally diligent in preparing staff to spot potential security risks, whether they arrive by email or some other avenue.