Because it is simple and succeeds so often, phishing has become pervasive among low-level criminals and sophisticated attackers alike. Experts estimate that phishing and ransomware attacks cost victims over $1 billion a year in direct ransom payments and corporate losses.
Facebook and Google were recently the victims of a phishing scam that cost them around $100 million. Staff at both companies were tricked into sending money to an attacker impersonating an electronics company. The scheme ran for more than two years before the attacker was caught.
If tech-savvy people, like those at Facebook and Google, can fall victim to phishing, what are the odds that your staff will? Education is the first step.
What is Phishing?
Phishing is the act of sending malicious emails crafted to obtain personal information, business secrets, or financial data under false pretenses. The email may ask an employee to hand over sensitive information such as login credentials or banking details, to click a malicious link, to visit a compromised website, or to take some action that departs from normal procedure.
Kaspersky Lab reports that well over half of users are not fully confident in their ability to detect and avoid a phishing attack. That is understandable: a phishing attack can be highly targeted and detailed. Attackers are getting better and better at impersonating senior executives, and employees rarely think twice about doing exactly what the boss asks.
What Can Phishing Do?
The consequences of a successful phishing attack are serious, can persist for years afterwards, and can set off a damaging ripple effect.
You stand to lose money, whether by paying a ransom to get your data back, by transferring funds at the attacker's instruction, or through lost productivity while recovering from the attack. You also stand to lose your hard-earned reputation and, with it, your long-term livelihood. A widely cited figure holds that sixty percent of small businesses that suffer a cyber attack such as phishing are out of business within six months.
Where is Phishing Headed?
Phishing is no longer limited to the inbox, nor to sophisticated cyber criminals. In fact, it never was.
A phishing campaign can be run in person, over the phone, or through an online advertisement by any petty criminal willing to try. All it takes is a heavy dose of social engineering and perhaps some acting ability. The attacker preys on human weaknesses using a variety of tactics.
Here are a few possibilities:
Offering something for something - Here's a shiny new pen. Now, what's your password? It sounds like it shouldn't work, but it does.
Showcasing a deal that's too good to be true - Click here for your free trial of Photoshop! It works all the time. Ever heard of a Trojan horse?
Acting like a concerned third party - I'm calling from your Internet company, and we noticed you're experiencing some technical difficulties. Could we have your login credentials to run a few tests? It sounds legitimate enough.
Pretending to be an authority figure and/or causing a scene - Your boss will answer to me if you don't let me into his office right now! How many receptionists would say no to that? Not many.
These are just a few of the situations in which social engineering goes beyond the typical phishing email and into the real world. Like a phishing email, they can be difficult to spot, and with enough detail and planning they can be nearly impossible to avoid.
How do you protect yourself from phishing?
Your greatest defense against phishing emails and social engineering is awareness and healthy suspicion. Treat every request for information, money, or data with suspicion, even when it appears to come from your CEO.
Here are a few tips to help you and your team protect your business and yourselves from everyday phishing scams:
- Create strong internal processes that require unusual requests, especially for payments or credentials, to be double checked, and sometimes triple checked, through a separate channel such as a phone call to a known number.
- Review the whole email: check the grammar, the contact details, and the actual sender address and domain, not just the display name.
- Consider the request carefully, and don't feel obliged to respond immediately. Ask yourself why someone would need this information, whether this is how such things are normally handled, and whether the request is coming from, and going to, the appropriate person.
- Use anti-phishing software that protects both your inbox and your web browsing.
- Regularly train and educate your staff members on how to effectively detect and avoid phishing emails.
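As an added example (not code from the original page), here is a small Python script that automates the sender-address review in the list above: it flags lookalike sender domains, an executive's display name paired with an external address, a Reply-To that points somewhere other than the From domain, and SPF/DKIM/DMARC failures recorded in the Authentication-Results header. The trusted domain, the executive name, and the two sample messages are constructed for illustration and are assumptions, not data from the page.

```python
"""Header checks for a suspected phishing email (added example, not the
original page's code). The trusted domains, executive names and sample
messages below are assumptions constructed for illustration."""
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed for illustration: the organisation's own mail domains and the names
# attackers are most likely to borrow for display-name spoofing.
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"jane doe"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain):
    """True for a domain that imitates a trusted one: non-ASCII characters
    (homoglyphs) or within two edits of a trusted domain without matching it."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    if not domain.isascii():
        return True
    return any(edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS)


def check_headers(raw):
    """Return a list of human-readable findings for a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)

    if is_lookalike(from_dom):
        findings.append(f"sender domain {from_dom!r} looks like a trusted domain")
    if name.strip().lower() in EXECUTIVE_NAMES and from_dom not in TRUSTED_DOMAINS:
        findings.append(f"display name {name!r} used from external domain {from_dom!r}")

    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply)!r} differs from From domain")

    # Authentication-Results is written by the receiving mail server; a
    # forged From domain usually shows up here as an SPF or DMARC failure.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for result in ("spf=fail", "dkim=fail", "dmarc=fail"):
        if result in auth:
            findings.append(f"authentication failure in headers: {result}")
    return findings


# Constructed sample messages (not real traffic).
SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: payments@mail-relay.invalid
To: accounts@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dmarc=fail header.from=examp1e.com

Please wire the attached invoice before close of business today.
"""

LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 numbers
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com

Draft attached, no action needed.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, check_headers(sample) or ["no findings"])
```

Run against the spoofed sample, the script reports five findings (lookalike domain, borrowed executive name, mismatched Reply-To, SPF failure, DMARC failure); the legitimate sample produces none. Checks like these belong in a mail gateway or a triage script, not on the recipient, but they illustrate what "review the sender address" means in practice.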
How can we help you?
As a full-suite IT and cybersecurity firm, we understand the inner workings of phishing. If you have any questions about keeping your company safe from phishing, please contact us for a free demo of our anti-phishing solution.