According to Verizon’s latest data breach report, 36% of data breaches this year involved phishing – that’s 11% more than last year – and 85% of these breaches involved human error. With phishing attacks on the rise, the potential cost of a data breach to organisations is worrying. IBM and Ponemon’s research revealed that data breaches cost UK enterprises an average of $3.88 million per breach. While the cost alone is eye-wateringly painful, organisations also suffer reputational damage, a loss of trust, and significant disruption to operations.
Why do organisations need to protect against phishing attacks?
With phishing attacks clearly on the rise, many cybercriminals choose this method as their means of a cyberattack because it’s cheap, easy, and effective. Through phishing scams, cybercriminals can steal personal credentials, convince victims to download malware, install types of spyware, and force fraudulent transactions.
Unfortunately, as phishing attacks can be sent to any email address in a sort of ‘spray and pray’ method, employees are the ones on the receiving end of the scams, and this makes them the first line of defence for companies. While many employees still believe they wouldn’t fall victim to a phishing scam, the scams themselves are increasingly sophisticated and targeted, so it only takes a split second for members of staff to be distracted and click on a suspicious link. Next thing you know, an employee has downloaded malware onto their company laptop or shared their credentials with a cybercriminal.
What makes things worse is that cybercriminals continue to invest in technology that allows them to run phishing scams quickly, en masse, and across various platforms, such as text messages and social media.
How can organisations safeguard against phishing attacks?
Employees are the first line of defence to an organisation’s ecosystem. With this in mind, companies must educate their employees with cybersecurity awareness training so they can understand how to recognise a phishing scam, even when distracted by life and work or in a hurry. In addition to having strong security software installed, employees who receive regular awareness training have a better understanding of security threats and are less likely to fall for a phishing attack. A recent study revealed that a third of under-trained users were likely to fall for types of phishing or social engineering scams.
Here are some ways to spot a phishing scam:
1 – Double check the email address or phone number of the sender
If an organisation is legitimate, it will send emails from its company domain accounts. Phishing scams, however, tend to impersonate a person or a company you trust, e.g., Amazon or Post Office. They tend to use public domains such as Hotmail, Gmail or Yahoo!, or falsify the company’s domain name with spelling errors, e.g., email@example.com or firstname.lastname@example.org.
Teach employees to double-check the sender. It’s quite easy to see that the sender’s display name is one that you trust but employees should always click further to see the full email address of the sender and check whether it’s from a verified domain name.
2 – Look out for spelling and grammatical mistakes
For cybercriminals, ensuring the spelling and grammar in an email is correct isn’t a top priority. They just want to be passable enough to fool the victim into opening the phishing email and clicking on a malicious link. Ensure employees understand the importance of reading the email thoroughly and looking out for any mistakes, as these could indicate a scam.
3 – Is the email personalised?
When employees receive an email from a trusted sender, it will be personalised – stating their first name/surname; a bank, for example, will often address its customer by name and a personal identifier such as their postcode. However, when emails are impersonal or completely fail to list a name, e.g., ‘Hi Sir/Madam’, ‘Good day’ or ‘Dear [first name]’, they are more than likely part of a phishing scam.
Ensure you educate employees not to fall for the trick, mark the email as junk, and share the phishing email with the IT team. This way they can warn others in the organisation of the phishing scams which are targeting the organisation.
4 – Is the email requesting sensitive data or credentials?
Spear phishing attacks often impersonate a trusted sender. The sender could appear to be your CEO, an employee, or even a supplier. If the email asks you to share sensitive personal information, e.g., payment details, then tread with caution! Genuine companies or colleagues within the business should not be asking for confirmation of these details over email; they should already know that information.
Spear phishing scams trick employees, asking them to click on a link that redirects them to a fake page where the cybercriminal can capture data. If in doubt, always ask the alleged sender (by another means of communication) if they sent such an email, but never reveal details unless you are sure.
5 – Does the email contain malicious links or attachments?
If an employee receives an email asking them to complete an action, e.g., validate their account or enter personal details by clicking on an external link, then it’s more than likely to be malicious. Cybercriminals like to use fake links to lure their victims and steal important credentials. Teach employees to always hover over a link to verify the linking URL. If it looks suspicious, then they shouldn’t click on it (simply delete the email or flag it with the IT department instead).
Receiving attachments over email is also questionable. Most organisations nowadays use file-sharing systems, or a shared drive via the cloud, to access files. If the email with an attachment is out of context, then employees should not download it, as it could download malware or spyware onto the employee’s device.
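The sender, greeting and link checks above (points 1, 3 and 5) can also be automated as a first-pass mail triage. The sketch below is an added example, not code from the original article; the trusted domain examplebank.test, the 0.85 similarity threshold and the sample message are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list and free-mail list; every value below is constructed.
TRUSTED = {"examplebank.test": "Example Bank"}   # domain -> brand name
FREEMAIL = {"hotmail.com", "gmail.com", "yahoo.com"}
GENERIC = re.compile(r"\b(?:hi|dear)\s+(?:sir/madam|\[first name\])|\bgood day\b", re.I)
# Simple <a href> matcher, enough for this sketch; use an HTML parser in production.
ANCHOR = re.compile(r"<a\s[^>]*href=[\"']([^\"']+)[\"'][^>]*>(.*?)</a>", re.I | re.S)
URL_TEXT = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/|$)", re.I)

def triage(raw):
    """Return the warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    domain, body, flags = addr.rpartition("@")[2].lower(), msg.get_payload(), []
    for good, brand in TRUSTED.items():
        # Check 1: trusted display name, but the address is on a public domain.
        if brand.lower() in name.lower() and domain in FREEMAIL:
            flags.append("brand display name on free-mail address")
        # Check 1: sender domain is a near-miss spelling of a trusted one.
        if domain != good and SequenceMatcher(None, domain, good).ratio() >= 0.85:
            flags.append("lookalike sender domain")
    # Check 3: impersonal greeting.
    if GENERIC.search(body):
        flags.append("generic greeting")
    # Check 5: the "hover" test, link text names one host, href goes elsewhere.
    for href, text in ANCHOR.findall(body):
        host, m = (urlparse(href).hostname or "").lower(), URL_TEXT.match(text.strip())
        shown = m.group(1).lower() if m else None
        if shown and host != shown and not host.endswith("." + shown):
            flags.append("link text does not match target")
    return flags

# Constructed sample message, not taken from a real campaign.
SAMPLE = '''From: "Example Bank Support" <support@examp1ebank.test>
Subject: Validate your account
Content-Type: text/html

<p>Hi Sir/Madam,</p>
<a href="http://login.examp1ebank.test/verify">https://examplebank.test/login</a>
'''

if __name__ == "__main__":
    print(triage(SAMPLE))
```

These are heuristics for surfacing mail to a reviewer, not a verdict: a message that passes all of them can still be malicious, and a legitimate one can trip the greeting check.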
Organisations must ensure employees are constantly alert and that their cybersecurity awareness training is refreshed regularly, so employees are empowered to spot and report suspicious activity such as phishing attacks. This can also help the organisation strengthen its cybersecurity strategy overall. Prevention is always better than cure, and having employees battle off phishing attacks at the very first instance will always be better than dealing with the consequences later.
Organisations can also regularly test employees with a phishing simulation tool to increase their cybersecurity awareness levels; this means employees remain alert and always think about the training they received when dealing with email communications. IT teams can also use data from phishing simulator tools to understand which employees may be a risk to the business and therefore require additional training.
Having completed his degree in Networking & Communications Technologies, Jason Stirland has spent nine years working in eLearning. From starting his career as first-line technical support, Jason has expanded his role to incorporate programming and sales and often hosts consultative software meetings for key clients. Jason has been responsible for developing DeltaNet’s Astute Learning Management System, as well as the organisation’s IT/security infrastructure and software strategy.