When was the last time you got an email from a Nigerian prince asking you to help him recover a secret hoard of cash? It sounds like a terrible joke, right? But for many of us, getting one (or more) of these emails was our first experience with what is now known as “phishing”.
As the internet has grown, tools to filter out these kinds of spam have gotten more sophisticated. Unfortunately, so have the methods of phishing used by criminals. More importantly, the focus of their efforts has migrated from consumers to businesses. In 2017 alone, businesses targeted by phishing attacks lost over half a billion dollars. This year, it’s likely to be even more.
What Is Phishing?
Phishing is a cybercrime that targets individuals or businesses through email, text, or social media. The goal is to convince those who have been targeted to provide sensitive data such as personal information, bank account details, credit card numbers, and passwords.
The information is then used to initiate illegitimate bank transfers, bogus credit card charges, and fraudulent purchases.
It is called “phishing” because, like real-life fishing, the scam involves “casting” (sending out digital messages) and “reeling in” those who are fooled by the phony messages and begin cooperating (unknowingly) with the criminals involved.
Bulk spam still accounts for over fifty percent of all email employees receive every day, but filters catch most of it. Phishing emails are different: they have become much more difficult for employees (and for filters) to identify and keep out of the inbox. A recent report from the cybersecurity firm FireEye found that approximately one percent of all emails employees receive are malicious, i.e. possible phishing attempts.
While one percent may sound minimal, think about how many emails are sitting in your inbox, unread. Is it over five hundred? A thousand? Like an actual fish, you only need to be caught once for criminals to ruin your day.
Why Businesses Are Easy Targets
Generally speaking, the motivation for targeting businesses comes down to three simple things:
- More money
- More people
- More information
Money: While a phishing scam might net a few hundred dollars from a random individual, a successful attack on a business can mean tens of thousands, or even millions of dollars. The FBI has estimated that the average haul for business phishing scams is between $25,000 and $75,000.
People: The more employees a business has, the more chances a phishing attack has of being successful. These scams often succeed by exploiting the fact that employees in larger organizations don’t always know each other personally. This enables criminals to more easily impersonate people from other departments, offices, and even outside vendors.
Information: The amount of information businesses share online (both at the employee and organizational levels) these days is extensive. Social media accounts, blog posts, the company YouTube channel – all of it can be scraped for details that make it easier for scammers to impersonate an employee.
What Does Phishing Look Like?
Let’s assume for a moment that your business works with an outside vendor called The Parts Shop. When you get an invoice or payment reminder from them, it comes from an address at their domain, thepartsshop.com.
Now, imagine you get an email from an address at thepartssh0p.com stating that you have a past-due balance of $7,500 and that the vendor wants payment immediately. The email contains a copy of an invoice for the same amount, and there’s a link in the email to a payment page. Would you pay it?
If you said yes, congratulations, you’ve been phished.
Why? Because of a tactic scammers use that is often lumped in with “email spoofing”: registering a lookalike domain. In the example above, the imaginary scammers registered the domain name “thepartssh0p.com”, which is identical to your vendor’s domain except that the letter ‘o’ in “shop” has been replaced with the numeral ‘0’. Because the scammers own that domain, mail sent from it can be set up to pass technical sender checks such as SPF and DKIM; the only thing wrong with the message is the name, and a human (or a rule that knows which vendor domains you expect) has to catch it.
How would scammers know which vendors you use? Maybe they called in pretending to be a different vendor in order to get an employee to disclose who your current vendor is. Or perhaps the person in charge of purchasing is connected to several people from The Parts Shop on LinkedIn.
There are hundreds of different ways that scam artists can discover information about your business that you don’t want available to the public. For more examples of what these attacks look like, Phishing.org has some screen captures of actual phishing emails and landing pages.
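The lookalike-domain check described above, written out as an added example (this is not code from the original article or from any vendor). It assumes the business keeps a short allow-list of vendor domains it expects invoices from; the raw message, the `billing@` address and the vendor list are constructed for the example. The check normalizes the common character swaps (‘0’ for ‘o’, ‘1’ for ‘l’, ‘rn’ for ‘m’ and so on) and then measures how close the sender’s domain is to a known vendor domain, so thepartssh0p.com is reported as a lookalike of thepartsshop.com rather than as an unknown sender.

```python
"""
Added example (not from the original article): flag a From: address whose
domain is a lookalike of a known vendor domain, such as thepartssh0p.com
standing in for thepartsshop.com.

Assumptions (mine, not the article's): the company keeps a short list of
vendor domains it expects invoices from, and the raw message below is a
constructed sample modeled on the article's scenario.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real phishing email).
SAMPLE_EMAIL = b"""From: The Parts Shop Billing <billing@thepartssh0p.com>
To: ap@example-customer.com
Subject: URGENT: Past due invoice 4471
Content-Type: text/plain

Your balance of $7,500 is past due. Pay now at https://thepartssh0p.com/pay
"""

# Domains the business already does business with (assumed allow-list).
KNOWN_VENDOR_DOMAINS = {"thepartsshop.com", "example-customer.com"}

# Single characters attackers swap for look-alikes; multi-character swaps
# ("rn" for "m", "vv" for "w") are handled separately in normalize().
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

URL_HOST = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def normalize(domain: str) -> str:
    """Collapse common visual substitutions so lookalikes compare equal."""
    d = domain.lower().strip()
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; domains are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, known=KNOWN_VENDOR_DOMAINS, max_distance: int = 2):
    """Return ("known", domain), ("lookalike", impersonated_domain) or ("unknown", None)."""
    domain = domain.lower()
    if domain in known:
        return ("known", domain)
    norm = normalize(domain)
    best = None
    for k in known:
        dist = levenshtein(norm, normalize(k))
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, k)
    return ("lookalike", best[1]) if best else ("unknown", None)


def sender_domain(raw: bytes) -> str:
    """Domain of the From: header's address (the display name is ignored on purpose)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(msg["From"])
    return addr.rpartition("@")[2].lower()


def check_message(raw: bytes) -> dict:
    """Classify the sender domain and every link host in the plain-text body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    hosts = sorted({h.lower() for h in URL_HOST.findall(body)})
    domain = sender_domain(raw)
    return {
        "from_domain": domain,
        "from_verdict": classify_domain(domain),
        "links": {h: classify_domain(h) for h in hosts},
    }


if __name__ == "__main__":
    print(check_message(SAMPLE_EMAIL))
```

A verdict of “lookalike” is a signal to hold the message for review, not proof of fraud: with an edit-distance threshold of 2, short domains will occasionally collide with legitimate ones. Note also what this check does not do. It ignores the display name (which a scammer can set to anything) and it does not look at SPF, DKIM or DMARC results, because a registered lookalike domain will typically pass those checks; the domain name itself is the tell.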
Identifying Malicious Emails
The vast majority of cybercrime and phishing attacks start via email. So it’s important to know what to look for when trying to identify potential threats in your inbox.
Employees who receive an email with any combination of these traits should exercise extreme caution before replying, downloading attachments, or clicking links contained in the email body.
Just as important as training employees to be skeptical of emails with those traits is making sure they do not write emails with the same traits themselves. If employees are accustomed to sending and receiving regular, legitimate, internal emails that share many of the traits phishing attacks use, those traits stop standing out, and employees are more likely to be susceptible to phishing.
How To Protect Your Employees
Admittedly, the picture painted so far is a little bleak. The good news is that there are a handful of simple protocols, procedures, and tools that your business can use to greatly reduce the likelihood of becoming a phishing victim.
If you see something, say something: Phishing attacks succeed when employees get a funny feeling about an email but then choose to ignore it. Train employees to speak up when they get an odd-looking email. Taking an extra thirty seconds to call the sender and verify the request, using a phone number you already have on file rather than one printed in the email, could save your business from huge losses.
Not everything is urgent: Another common phishing tactic is to exploit a sense of urgency in a message. If your day-to-day internal communications share this same trait (i.e. “URGENT: Taco Tuesday has been CANCELLED”), employees are more likely to subconsciously accept similarly phrased messages that might be scams.
Keep day-to-day communications calm and professional. When suspicious emails do arrive, they are more likely to stand out.
Require two-factor authentication: Two-factor authentication is a simple way to add an extra layer of security to employee email accounts. When enabled, it reduces the chances of an employee’s account being taken over by scammers who have phished the password. Not all second factors are equal: one-time codes sent by SMS or generated by an app can themselves be typed into a convincing phishing page and relayed by the attacker, while a hardware security key only responds to the genuine site, so it is the more phishing-resistant choice. With a business email platform such as Google’s G Suite, two-factor authentication can be required for all employees.