It wasn’t too long ago that phishing attacks were largely aimed at the consumer market and malware was reserved for targeting businesses. Today, however, phishing holds the spot of top social threat to businesses and is estimated to be responsible for over 90% of security breaches.
No matter what protocols are in place, no cybersecurity solution can block 100% of threats. Humans are the weakest link, and it is absolutely critical that employees receive rigorous training on what to look for so that they can protect themselves from attack.
If your organization is still making the mistake of thinking that a phishing attack cannot easily happen to you, please think again. The methods attackers are using are increasingly sophisticated and phishing attempts are becoming more targeted and complex, especially geared towards finance teams.
For example, we recently had a client that had one of their finance employees receive an email from a senior manager within the organization requesting a transfer of $20,000. Only, the email hadn’t been sent by the senior manager – it was from a hacker instead. How can this happen? That manager likely clicked on some phishing email link, which then gave hackers the credentials to their corporate email account – and the freedom to send emails impersonating them.
These types of attacks are becoming more and more common and are so easy for hackers to execute. All they need to do is trick one manager into clicking on a link that will give them access to their account.
While employee training is essential, due to the increase in these types of attacks and the financial damage they inflict, organizations also need to start developing internal processes to protect themselves.
Hackers take a ‘hook, line, and sinker’ approach in their spear-phishing tactics. The ‘spear’ is the email itself, sent to an unsuspecting employee. It looks official, appears to come from a high-ranking manager or C-level executive with an urgent message, and usually contains an attachment or link. Often, these will contain instructions to wire funds to what appears to be a trusted vendor or supplier; however, the wire transfer information may be different, or the payment is rerouted to another off-shore account.
There are dozens of techniques that hackers can use to try and get employees to click on a link in an email or an attachment. Here are the top things that your employees should understand about phishing so that they can better identify if they are potentially being targeted.
Email Addresses Can Be Spoofed – as explained above, a phishing email may very well come from the email address of someone in your organization. Also watch out for display name spoofing, where the phisher will use a legitimate company name in the display name, but the actual sending address will be a random one like email@example.com.
Urgent Subject Lines – Enticing or threatening language in an email subject line should be a warning. Phishers try and invoke a sense of curiosity or panic in order to trick users into reacting. These messages will often state that ‘immediate’ action is required.
Personalization – Gone are the days when phishing emails were sent to large groups of users at once with impersonal greetings. Phishing emails today are much more likely to include the victim’s name in the subject line and may even pre-fill their name or email on the fraudulent website.
Deceptive Links – Phishing links are deceptive. A link may say ‘Go to your McAfee account’, but the actual URL will lead to a phishing page that looks like McAfee instead. Train users to always hover over links to display the actual destination before clicking. If it doesn’t appear to be a legitimate corporate website, don’t click.
Brand Logos – Hackers will use actual brand images and logos in emails in an attempt to pose as an organization. Logos and trademarks can easily be replicated and are not an indication of email legitimacy.
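The spoofed-sender and deceptive-link indicators above can also be checked automatically on incoming mail before it reaches the finance team. The following is an added example, not code from the original post or from MBC; the brand-to-domain map and the sample message are constructed placeholders.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumed placeholders: brand names finance staff trust, mapped to the domain each legitimately uses.
BRAND_DOMAINS = {"mcafee": "mcafee.com", "example corp": "example-corp.com"}
# Constructed sample message showing both indicators at once.
SAMPLE_EMAIL = """\
From: McAfee Support <billing-update@mail-notice.example.net>
Content-Type: text/html; charset=utf-8

<a href="http://secure-login.example.net/mcafee">Go to your McAfee account</a>
"""
def _brand_mismatch(text, host):
    # Return the brand named in `text` whose legitimate domain does not match `host`.
    for brand, domain in BRAND_DOMAINS.items():
        if brand in text.lower() and not (host == domain or host.endswith("." + domain)):
            return brand

class _LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._current:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None

def phishing_indicators(raw_message):
    """Return warnings for display-name spoofing and deceptive links in one message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    # Display name borrows a brand name, but the actual address is somewhere else.
    if _brand_mismatch(sender.display_name, sender.domain.lower()):
        findings.append(f"display name '{sender.display_name}' but address @{sender.domain}")
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        # Visible link text names a brand, but the destination host belongs to someone else.
        if _brand_mismatch(text, (urlparse(href).hostname or "").lower()):
            findings.append(f"link '{text}' actually goes to {href}")
    return findings
```

Running `phishing_indicators(SAMPLE_EMAIL)` returns two warnings, one for the display name and one for the link; a message whose sender and link both sit under the brand's real domain returns none.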
All it takes is one careless click to compromise your entire organization’s network. Employees need to work together as a team to help protect the company. Implement a system where employees can report possible attacks, and make sure that everyone understands the importance of following through and reporting any email that seems even a bit suspicious. If your business does not have a dedicated IT department, partnering with a Managed Service Provider like MBC can help train your employees, create a feedback loop, and provide real-time network monitoring to stop attacks before they cause damage.
To learn more about how MBC can help keep your business secure from phishing attacks, get a free assessment today.
MBC Security Tip: Goodbye Passwords, Hello Passphrases. Strengthen your security with strong passwords that are simple to remember by using a passphrase that includes numbers and special characters like hello7dan$ingAlligat0rs.