When you think about phishing attacks, you probably envision sketchy emails cobbled together with a pixelated logo, an obviously phony sender address, and a ludicrous request to wire thousands of dollars to a mysterious Nigerian prince. There’s no way today’s technologically savvy workforce could fall for such a trite scheme, right?
Unfortunately, phishing has become more sophisticated, personalized, and widespread over the past decade. A whopping 76 percent of businesses reported being victimized by a phishing attack in the past year, according to an annual report by Wombat Security. And with the average cost of a phishing attack on a midsize company totaling $1.6 million, phishing attacks aren’t just annoying—they can leave your organization in financial ruin.
While there’s no way to prevent phishing attempts on employees, educating users on how to identify potential scams is a great place to start. To help, let’s break down how new phishing campaigns operate and compile a few best practices, so you can arm employees with the hacking education they need to fight back against this type of cybercrime.
Watch out for the hidden dangers of social engineering
It’s normal to be skeptical of an email from an address you don’t recognize, but what if the sender is someone you know? Or, at least, that’s how it appears. Consider this warning from renowned hacker-turned-security consultant Kevin Mitnick, who leveraged social engineering to hack the networks of countless organizations, tallying an estimated $300 million in damages.
“Companies spend millions of dollars on firewalls, encryption, and secure access devices, and it’s money wasted,” Mitnick said in an interview with Frontline. “Because none of these measures address the weakest link in the security chain: the people who use, administer, operate, and account for computer systems that contain protected information.”
Of course, money spent on security is never money wasted if it works. But Mitnick is right: The best way an organization can prevent a successful phishing attack is by making sure employees understand attacks aren’t always obvious. One of the most successful types of phishing attacks is impersonation—disguising oneself as someone the victim knows and trusts by using information found on their social media profiles. The criminal then cons the victim into providing sensitive information, wiring money, or—as is the case with a new phishing attack—downloading credential-stealing malware.
For example, imagine an employee in the finance department receives an email from someone who appears to be their boss. The email asks the recipient for an update about an unpaid invoice, which is linked within the body of the email. Within moments of clicking the link, the network is compromised and the victimized employee is none the wiser.
Teach your team how to identify phishing attacks
Unfortunately for IT departments, new phishing campaigns are shockingly convincing and can easily bypass traditional spam filters. Without a thorough understanding of what to look for, employees can easily put your data and financials at risk. To boost your IT security, educate your users to be wary of the following:
An email asking for personal credentials. No legitimate organization would ask for an individual’s password, account number, or other personal information via email.
Requests for access to sensitive information. Any request for sensitive or confidential data should be treated with the utmost scrutiny.
An email address with an unfamiliar domain name. Display names can be easily changed, but the domain name is generally a clear giveaway someone is not with the organization they claim to be from.
Intimidating or time-sensitive requests. Never trust an email that says your account will be closed unless you take a specific action—especially if that action requires you to provide your social security number or other personal information.
Impersonal greetings. By now, nearly every reputable organization uses personalization tokens that drop the recipient’s name into the greeting. Any email beginning with “Dear Customer” or “Hello Cardholder” should raise a red flag.
Spelling or grammatical errors. Everyone makes mistakes, but a genuine communication from a real company is more likely to have been carefully proofread.
Subtle changes in email look and feel. Beware of emails from people you know that have different fonts or a different signature style than normal.
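The checklist above can also be turned into a simple triage aid for a help desk or mail-filter rule. The script below is an added example, not code from the original article or from any vendor it mentions: it parses a raw email, compares the sender's domain against an assumed list of the organization's own domains (the `example-corp.com` domain, the internal directory, the keyword lists and both sample messages are constructed for illustration), and reports which of the warning signs from the list it finds. The two sample messages show a spoofed "boss" invoice request beside a legitimate one.

```python
"""Heuristic phishing indicator check (added example; all names and sample data constructed)."""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's legitimate sending domains and a few employee names
# from its directory, used to spot a familiar display name on an unfamiliar address.
TRUSTED_DOMAINS = {"example-corp.com"}
INTERNAL_NAMES = {"jane doe", "sam lee"}

# Phrases that typically accompany credential requests, pressure tactics and mass mailings.
CREDENTIAL_PHRASES = ("password", "account number", "social security", "verify your account")
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be closed", "suspended")
GENERIC_GREETINGS = ("dear customer", "hello cardholder", "dear user", "dear account holder")


def _body_text(msg):
    """Return the text/plain body of a parsed message as one string."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return msg.get_payload()


def _domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_message(raw):
    """Return the list of phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    display_name, address = parseaddr(msg.get("From", ""))
    domain = _domain_of(address)

    # Unfamiliar domain: display names are easy to change, the domain is the giveaway.
    if domain and domain not in TRUSTED_DOMAINS:
        findings.append(f"unfamiliar sender domain: {domain}")

    # Familiar name on an outside address: classic impersonation of a colleague.
    if display_name.lower() in INTERNAL_NAMES and domain not in TRUSTED_DOMAINS:
        findings.append("display name matches an employee but the address is external")

    # Replies routed to a different domain than the one shown in From.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain_of(reply_to) != domain:
        findings.append("Reply-To domain differs from From domain")

    body = _body_text(msg).lower()
    first_line = body.strip().splitlines()[0] if body.strip() else ""

    if any(g in first_line for g in GENERIC_GREETINGS):
        findings.append("impersonal greeting")
    if any(p in body for p in CREDENTIAL_PHRASES):
        findings.append("asks for credentials or personal information")
    if any(p in body for p in URGENCY_PHRASES):
        findings.append("urgent or intimidating language")

    return findings


def is_suspicious(raw, threshold=2):
    """True when at least `threshold` indicators are present."""
    return len(check_message(raw)) >= threshold


# Constructed sample: an impersonated "boss" invoice request.
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e-corp-billing.com>
Reply-To: payments@mail-drop.example.net
To: finance@example-corp.com
Subject: Unpaid invoice - action required

Dear Customer,

Your account will be closed unless you verify your account within 24 hours.
Please confirm your password and account number at the link below.
"""

# Constructed sample: a routine internal message.
LEGITIMATE = """From: Jane Doe <jane.doe@example-corp.com>
To: finance@example-corp.com
Subject: Q3 vendor invoice

Hi Sam,

Attached is the vendor invoice we discussed in Tuesday's meeting.
Let me know if the amounts match your records.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, check_message(raw))
```

The keyword lists are deliberately small; the point is the structure of the check, not the vocabulary. A message that trips only one indicator (for instance a genuine vendor on an unfamiliar domain) should go to a human for review rather than be blocked, which is why `is_suspicious` uses a threshold rather than any single hit.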
Of course, even if they’re armed with this list, users could still be deceived by phishing attacks that make use of social engineering. To keep your environment safe, hold regular security education sessions with your workforce, remind employees to share strange messages or requests with IT before taking action, and invest in products already outfitted with the best protection available, like printers with embedded security features. After all, a vulnerable endpoint device is one of the easiest access points into your network, second only to an unsuspecting employee.
They say an ounce of prevention is worth a pound of cure. But in the case of phishing attacks, preventive actions could be worth millions. Taking the time to offer hacking education and preparing employees are the best defenses you can employ against sophisticated cybercrime.