One of the most common IT issues we see with our clients is hackers penetrating businesses through phishing schemes. Phishing scams are huge right now and businesses should take the necessary steps to prevent bad actors from taking hold of their companies.
According to dictionary.com, phishing is “the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information such as passwords and credit card numbers.” With the most current phishing schemes, unsuspecting employees need not reveal any information; they may simply have to click on a link to unleash a security problem within your network.
Bad actors simply send an email with a worm or fraudulent link and wait for an unsuspecting employee to click on it. Below are some common ways hackers break into businesses by phishing and what business leaders can do to stop them before it’s too late.
The Latest Facts
Almost three-quarters (73 percent) of cyber attacks in 2017 were perpetrated by outsiders, according to the 2018 Data Breach Investigations Report by Verizon. Members of organized criminal groups were behind half of all breaches with nation-state or state-affiliated actors involved in 12 percent of cyber attacks per the findings of the report.
The report goes on to show that phishing is still an issue, as an average of four percent of the targets of any given phishing campaign will click on the email. While that doesn’t seem like much, it only takes one false move to open a proverbial can of worms that could lead to costly lawsuits, a loss of business, and put your company’s reputation on the line. Investigators also found that the more phishing emails someone has clicked on, the more likely they are to do so again, according to the report. While any organization is at risk for a phishing attack, the Verizon report shows that professional businesses are at the greatest risk.
The Cost of Phishing
According to the 2017 Cost of Cyber Crime Study, phishing and social engineering cost American businesses 2.76 million dollars in 2016 alone. That cost doesn’t include other types of cybercrime such as malware, malicious insiders, or web-based attacks, which cost American businesses millions more. The study showed that the cost of cybercrime is affected by several factors, including the frequency of attacks, the size of the business, and the amount of time it takes to recover from an attack. For businesses, the cost of cleaning up after a cyber attack far outweighs the cost of the preventative measures that thwart them.
A 2017 article by Forbes estimated that phishing scams cost American businesses half a billion dollars a year. That’s right. Half a billion dollars and the number of phishing scams keeps increasing year after year.
The Insider Threat
Every business faces some threat of an insider attack. While there are malicious employees out there who are motivated by money or anger, many employees simply make mistakes that can lead to hacks. The Verizon report shows that 17 percent of breaches, about one in five, were the result of employees making an error such as sending an email to the wrong person, failing to shred confidential information, or misconfiguring web servers. While these errors may not be committed with ill intent, they can still prove to be quite costly for businesses.
The HR Connection
When I conduct penetration tests (pen tests), I always try to scam the human resources department. The employees in this department tend to open anything. They are always getting emails from potential employees, people they don’t necessarily know. Their job is to hire new people from outside the company, so opening emails from unknown sources is common for them, but this also can create security problems.
I also pretend to be someone from human resources when conducting pen tests to see if other employees are vulnerable to phishing schemes as well. This is because people are afraid not to open an email from someone in human resources. The reasoning behind this is that an employee receiving an email from HR is often either in trouble or is being recognized for doing something right. Either way, people open emails from human resources, which can also lead to a hack if employees are not properly trained.
You’ve Got Mail
Some phishing scams involve messages that appear to be coming from mail delivery services such as FedEx or the United States Postal Service. Hackers have been known to send these emails to unsuspecting employees notifying them that a package delivery had been attempted but no one was available to sign for it. They then embed a fraudulent link inside the email where your employees can click to “reschedule” the delivery. Rather than scheduling a delivery, your employee has instead just opened the door for a security threat by clicking the link.
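As an added illustration of a defensive check for the delivery-notification lure described above (example code written for this post, not Dox’s tooling), the function below parses a message and flags any sender address or link that does not belong to the carrier the message claims to be from. The two messages and the brand-to-domain list are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Carrier brands a lure may impersonate, mapped to the domains they really use
# (constructed allow-list for this example; extend it for your environment).
BRAND_DOMAINS = {"fedex": {"fedex.com"}, "usps": {"usps.com"}}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_in_domain(host, domain):
    """True only if host is the domain or a real subdomain of it.
    A plain substring test would accept fedex.com.evil.example."""
    return host == domain or host.endswith("." + domain)


def triage_delivery_lure(raw_message):
    """Return findings for a delivery-themed email whose sender or links
    do not belong to the carrier named in its subject or display name."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    claim = (msg.get("Subject", "") + " " + display_name).lower()
    brand = next((b for b in BRAND_DOMAINS if b in claim), None)
    if brand is None:
        return []  # not a carrier-themed message; outside this check's scope
    allowed = BRAND_DOMAINS[brand]
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if not any(host_in_domain(sender_domain, d) for d in allowed):
        findings.append(f"sender {sender} is not a {brand} address")
    for url in URL_RE.findall(msg.get_payload()):  # plain-text body assumed
        host = (urlparse(url).hostname or "").lower()
        if not any(host_in_domain(host, d) for d in allowed):
            findings.append(f"link {url} resolves to {host}, not a {brand} domain")
    return findings


# Constructed sample messages: a "reschedule your delivery" lure and a benign one.
LURE = """From: "FedEx Delivery" <notice@fedex-reschedule.example>
Subject: FedEx: delivery attempt failed
Content-Type: text/plain

We could not deliver your package. Reschedule here:
http://fedex.com.reschedule-delivery.example/track?id=12345
"""
LEGIT = """From: "FedEx" <tracking@fedex.com>
Subject: FedEx shipment update
Content-Type: text/plain

Track your package: https://www.fedex.com/tracking?tracknumbers=12345
"""
```

Run on the lure it reports both the off-brand sender and the look-alike link host; the benign message produces no findings.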
Though the threat of phishing is very real, there are things you can do to protect your business. To begin, you’ll want to conduct a pen test of your company to determine what is working and where there are holes in your security. This will help you determine what technology you need to employ to best protect your business. Dox can assist with pen testing, which also includes the physical security of your business.
You will want to remain vigilant through the monitoring of log files and change management systems, which can give you an early warning if your business security has been compromised. You’ll also want to apply the principle of least privilege to your IT systems and data access. This means limiting access to data to only those people in your organization who truly need it to do their jobs.
Technology can help you encrypt sensitive data and alert you when a potential threat is upon your business, but you’ll need to stay on top of patches, since cybercriminals will exploit known vulnerabilities quickly and efficiently. Two-factor authentication can also limit the damage done if a phishing campaign against your company succeeds. Be sure to remember that the importance of the physical security of your business cannot be overstated. See our blog on the importance of physical security for businesses.
Your employees are your first line of defense. One of the best ways to protect your business is to ensure every employee has the proper training to avoid phishing schemes and other IT hazards. End-user training should be mandatory for every new hire and a refresher course should be conducted on an annual basis for all employees to ensure they have the latest information. Technology is a plus but training is a necessity. Your safety net is your end user because at the end of the day the human factor will either save you or kill you when it comes to your IT security.
If you need help with pen testing, employing IT technology, or instituting end-user training for your staff to avoid phishing scams, please contact Dox today at (585) 473-7766 or visit us online at Doxnet.com. Thank you for your time and stay safe online.