85% of organizations reported being the victim of a phishing attack in 2015, up 13% from the previous year. The threat is still very real: not only are more organizations facing attacks, but each of them is facing more attacks per year.
Phishing damages an organization in several ways. Compromised accounts and lost data cost time and money, a breach damages the organization's reputation, and employee productivity drops while staff deal with the aftermath of an attack.
What Does Phishing Look Like?
Phishing usually arrives as an email sent to members of an organization. The lure commonly takes one of the following forms:
• Technical Emails- These typically look like emails that have bounced back with error reports. They often say things like "Delivery Status Notification Failure."
• Corporate Emails- These emails will look like they came from the corporation or organization itself. They may include information like confidential human resources information, benefits enrollment messages, spam quarantines, invoices, and full mailbox notifications.
• Commercial Emails- These are not specific to the organization; they mimic insurance notifications, shipping confirmations, wire transfer notices, and auto insurance renewal reminders.
• Consumer Emails- These mimic the offers and account notices the general public receives every day: frequent flier accounts, photo tagging, frozen accounts, store memberships, social networking, and gift card notifications.
Spear phishing is a targeted email that appears to come from an individual or business you know. It is addressed to you directly, and the sender usually knows something about you: spear phishers go to great lengths to gather information about their target, sometimes even calling the organization to learn more personal details.
Studies have shown that emails personalized with the recipient's first name had a click rate 19% higher than unpersonalized ones. Phishers are social engineers; their aim is to impersonate someone you know and trust.
Some tips and questions to ask to reduce your chances of becoming victim to spear phishing attacks include:
• Never send your password by email. The websites you deal with would never ask for it this way.
• Don't log onto a website through a link in an email. Type the site's address yourself, or use a bookmark, and log in from there.
• Do you really know who sent the email? The display name is chosen by the sender and proves nothing. Click the sender's name (or view the message headers) to reveal the actual address; if the address or its domain does not match what you expect, do not open the attachments or follow the links.
• Is the tone consistent with what you would expect from the sender?
• Is the sender asking you to open an attachment or visit a website? If this sender normally does so, check that the attachment's name and file type look like ones you have received from them in the past.
• Does the domain in the URL, or the file name of the attachment, match the content of the message? Hover over a link to see where it actually leads before you click it.
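The two checks above that concern the real sender address and the domain behind a link can be automated. The following is an added example, not code from the original page: it parses a constructed sample message, reveals the address behind the display name, flags a lookalike domain, and compares each link's visible text with its actual destination. The trusted-domain set, the confusable-character table and the sample message are assumptions for illustration.

```python
"""Automating two checks from the list above: who the message is really from,
and whether each link's visible text agrees with its actual destination.
Added example; not from the original page."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real phishing message. The display name claims to
# be HR, the address is on a lookalike domain (digit 1 for letter l), and the
# first link shows one domain in its text while pointing somewhere else.
SAMPLE_EMAIL = """\
From: "Jane Doe (HR)" <jane.doe@examp1e-corp.com>
To: bob@example-corp.com
Subject: Benefits enrollment - action required
Content-Type: text/html

<html><body>
<p>Please log in at <a href="http://example-corp.com.benefits-login.net/enroll">https://example-corp.com/benefits</a> by Friday.</p>
<p>Questions? See <a href="https://example-corp.com/hr">our HR page</a>.</p>
</body></html>
"""

# Hypothetical: the organization's own domain(s).
TRUSTED_DOMAINS = {"example-corp.com"}

# A few digit-for-letter substitutions common in lookalike domains (assumed list).
_CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def registrable_domain(host):
    """Last two labels of a hostname. A crude stand-in for a public-suffix
    lookup; good enough to compare 'a.b.example.com' with 'example.com'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None."""
    normalized = domain.translate(_CONFUSABLES)
    for trusted in TRUSTED_DOMAINS:
        if normalized == trusted and domain != trusted:
            return trusted
    return None


def check_sender(from_header):
    """Look past the display name at the real address and its domain."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    imitated = lookalike_of(registrable_domain(domain))
    if imitated:
        findings.append(f"sender domain {domain!r} looks like trusted domain {imitated!r}")
    elif registrable_domain(domain) not in TRUSTED_DOMAINS:
        findings.append(f"sender {addr!r} (shown as {display!r}) is outside trusted domains")
    return findings


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Matches a domain (optionally with scheme) at the start of the visible link text.
_DOMAIN_IN_TEXT = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def check_links(html):
    """Flag links whose visible text names one domain but whose href goes to
    another, and links to domains outside the trusted set."""
    parser = _LinkParser()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        shown = _DOMAIN_IN_TEXT.match(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(href_host):
            findings.append(f"link text shows {shown.group(1)!r} but href goes to {href_host!r}")
        elif registrable_domain(href_host) not in TRUSTED_DOMAINS:
            findings.append(f"link to domain outside trusted set: {href_host!r}")
    return findings


def analyze(raw_message):
    """Run both checks over a raw RFC 5322 message with a text/html body."""
    msg = message_from_string(raw_message)
    return check_sender(msg["From"]) + check_links(msg.get_payload())


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run against the sample, it reports two findings: the lookalike sender domain and the link whose text says example-corp.com but whose href lands on benefits-login.net. The registrable-domain helper is deliberately simple; a real filter should use a public-suffix list so that co.uk-style domains are handled correctly.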
How Can Your Organization Protect Itself?
To reduce the risk of a phishing attack, organizations can implement the following controls.
• Keep browser plug-ins up to date. Out-of-date versions of Adobe PDF, Adobe Flash, Microsoft Silverlight and Java are what phishing-delivered exploits typically target; remove any plug-in that is not needed rather than merely patching it (Flash and Silverlight have since reached end of life and should be uninstalled).
• Email and spam filtering on all organizational accounts.
• Outbound proxy protection, so that web requests from a clicked link are checked before the browser reaches the destination.
• Advanced malware analytics, for example detonating attachments in a sandbox before delivery.
• URL wrapping: rewriting the links in inbound mail so that each click passes through a gateway that checks the destination at click time, not only at delivery time.
• Training that enables employees to identify and avoid phishing messages, through monthly notifications and newsletters and annual awareness sessions.
• Simulated phishing attacks, to measure how employees respond and to train them at the moment of the click.
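URL wrapping, listed above without detail, works by rewriting each link at delivery time so that a click first reaches a gateway that can inspect the destination. The following is an added example, not a vendor's code or code from the original page; the gateway address, signing key and sample body are hypothetical. The signature matters: without it, the gateway is an open redirect that an attacker could use to give their own links the organization's trusted-looking domain.

```python
"""URL wrapping: rewrite every http(s) link in an inbound HTML body so the
click goes through a gateway that verifies and checks the destination at
click time. Added example; not from the original page."""
import base64
import hashlib
import hmac
import html
import re
from urllib.parse import parse_qs, quote, urlparse

# Hypothetical gateway endpoint and signing key. In practice the key lives in
# the mail gateway's configuration and is rotated.
GATEWAY = "https://urlcheck.example-corp.com/click"
SECRET_KEY = b"replace-with-a-random-key"


def _sign(url, key):
    """HMAC-SHA256 over the original URL, URL-safe base64 without padding."""
    tag = hmac.new(key, url.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).rstrip(b"=").decode("ascii")


def wrap_url(url, key=SECRET_KEY):
    """Delivery time: wrap a link and sign it so the gateway will only redirect
    to destinations it wrapped itself (otherwise the gateway is an open redirect)."""
    return f"{GATEWAY}?u={quote(url, safe='')}&s={_sign(url, key)}"


def unwrap_url(wrapped, key=SECRET_KEY):
    """Click time: recover the original URL if and only if the signature verifies.
    The gateway would run its reputation check on the result before redirecting."""
    params = parse_qs(urlparse(wrapped).query)
    try:
        url, sig = params["u"][0], params["s"][0]
    except (KeyError, IndexError):
        raise ValueError("malformed wrapped URL")
    if not hmac.compare_digest(sig, _sign(url, key)):
        raise ValueError("signature mismatch: link tampered with or not issued by us")
    return url


_HREF = re.compile(r'(href\s*=\s*")([^"]*)(")', re.IGNORECASE)


def wrap_links(html_body, key=SECRET_KEY):
    """Rewrite href attributes in an HTML body. Only http/https links are
    wrapped; mailto:, tel: and already-wrapped links are left alone."""
    def rewrite(match):
        target = html.unescape(match.group(2))
        if not target.lower().startswith(("http://", "https://")) or target.startswith(GATEWAY):
            return match.group(0)
        return match.group(1) + html.escape(wrap_url(target, key), quote=True) + match.group(3)
    return _HREF.sub(rewrite, html_body)


# Constructed sample body, not a real message.
SAMPLE_BODY = (
    '<p>Track your package at <a href="http://tracking.example.net/p?id=42&amp;x=1">this link</a> '
    'or write to <a href="mailto:support@example-corp.com">support</a>.</p>'
)

if __name__ == "__main__":
    print(wrap_links(SAMPLE_BODY))
```

One caveat a practitioner should weigh: wrapped links hide the true destination from the user, which cuts against the hover-and-check advice given earlier on this page. Gateways usually compensate by showing the decoded destination on an interstitial page, and by wrapping only links that pass through the mail filter rather than everything a user might see.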
Organizations can measure the effectiveness of their program by evaluating the current state of phishing attacks against them and setting objectives from that baseline. Assess the vulnerability of the company and of individual employees by delivering simulated phishing attacks that include a teachable moment at the point of the click. Communicate the goals, the steps to reach them, and how future training assignments will be delivered to everyone in the organization. Enroll all "clickers" in training automatically, allow "non-clickers" to enroll voluntarily, and track the click rate across campaigns to confirm that it is falling.
To get started in protecting your organization from phishing attacks, contact us.