Phishing emails don’t always look like spam, so it’s not surprising that employees get duped into clicking malicious links. Here’s how to prevent scams from landing in your inboxes, so you can stop cybercriminals in their tracks.
Phishing is on the rise.
The costs of being compromised by an attack are high.
Phishing attacks account for more than 80% of reported security incidents and $17,700 is lost every minute due to phishing attacks, according to CSO Magazine.
Beyond the costs of shoring up your technology, falling victim to a breach can have a long-term impact on your revenue.
One-third of consumers said that they would stop doing business with a company following a breach, even if they did not suffer a material loss.
Why Are We Experiencing More Phishing Attacks Than Ever Before?
Cybercriminals are going after low-hanging fruit.
For example, they have created dropper kits that take advantage of exploits in Internet Explorer and Adobe Reader.
They are also targeting the latest monthly vulnerabilities in Microsoft products. Microsoft has released critical patches for its operating systems, browsers and email clients. Hackers count on the fact that many IT teams do not patch these systems in an expeditious manner, leaving them open to attacks for weeks or months until the next patch cycle.
Even if you keep up with your patches, you still need to stay on guard.
Today’s cybercriminals use sophisticated techniques to trick employees. For example, their phishing emails are not always loaded with bad grammar and questionable content. Many phishing emails look like they are from someone that you do business with on a daily basis. They may also be sent from a person or company without their knowledge or consent.
There’s Lots of Phishing in the Sea: Scams to Beware
Another cause of increased attacks is that cybercriminals have moved beyond stealing credentials by email. They can now target data across numerous fronts.
Here are just a few of the techniques that hackers can use to gain access to your network:
- Spear phishing: This is the most common type of phishing – accounting for 95 percent of all attacks on enterprise networks. In a spear phishing attack, hackers collect personal information about their targets to boost their odds of success. For example, they might send you an email that looks like it comes from a business partner.
- Whaling: Cybercriminals use this technique to go after executives (the big whales). Whaling emails often look like they come from a trusted source and contain personalized information that motivates executives to click malicious links.
- Clone phishing: In this type of attack, a cybercriminal clones a legitimate email and replaces the link or attachment with a malicious version. Cloned emails are difficult to detect and can quickly spread – giving hackers access to multiple people in your company.
- Business email compromise (BEC): Cybercriminals begin a BEC attack by breaking into the email account of a CEO or other senior executive. Then, they send fraudulent emails from the executive accounts. The emails may ask finance employees to make urgent payments. Since these messages appear to come from senior leadership, employees are more likely to comply.
- Vishing (voice phishing): Cybercriminals phone victims and ask them to dial a specific number, usually their bank. Once they have a victim on the phone, they attempt to get their account info.
- Smishing (SMS phishing): Hackers attempt to extract corporate information via links in a text message.
Email is one of the channels that most hackers prefer. Research shows 94% of malware is delivered via email.
3 Keys to Protecting Your Enterprise from Phishing Attacks
If you don’t have the right security tools and practices in place, your business is at risk.
Here are three ways you can stay a step ahead of cybercriminals and protect your company’s data:
- Understand that employee training is a good start, but it won’t solve the problem
Training your employees on how to detect phishing attacks is important. To prevent employees from opening these emails and downloading viruses, you must heighten their awareness of current threats. Trained employees will also immediately alert you if they sense a dangerous situation, so that you can quickly respond and contain the risk. In addition to training, you should test them to confirm that they take the threat seriously and apply that awareness on a daily basis.
This alone is not enough to solve the problem.
Employee training reduces phishing success, but since many phishing emails look like legitimate business emails, you can’t blame employees for falling prey to hackers.
Instead, it’s your IT team’s responsibility to better protect your network. A successful attack against an employee in finance or sales is really a failure in IT.
- Go beyond anti-virus protection
Anti-virus software is no match for today’s cybercriminals.
These tools often only address known attacks. However, with almost 1.5 million new phishing sites created each month, your anti-virus software may not be able to spot new, unknown attacks.
In addition to anti-virus protection, be sure to employ next-generation phishing defense. These tools can include:
- Reputation-based filtering to block suspicious uniform resource locators (URLs)
- Endpoint detection and response software to validate all files and emails that access your machines
- An intrusion detection system to monitor your network for threats
- Intrusion protection to prevent your endpoints from reaching out to phishing sites
- Domain name system (DNS) protection to cut off attacks before they blossom, by preventing phishing emails and dropper viruses from retrieving their payloads from the attackers’ servers
- Wear your SPF
Although the Sender Policy Framework (SPF) has been around for 15 years, not enough companies take advantage of it. SPF helps keep spoofed messages out of your inbox by letting the receiving mail server validate that an incoming email comes from a host the sending domain has authorized.
Companies that use SPF greatly reduce their phishing attempts. For example, Gmail supports SPF and blocks 99.9 percent of all spam.
What’s Next?
Phishing is on the rise, but you don’t need to be a victim. While you will never be 100% secure, you can review your security posture, fill most of your security gaps, and be more protected.
Think like a hacker – from the outside in. Once you get past the user endpoint, you go inside to the network. Then, you go to the box and, ultimately, the application.
Do you have any gaps that a hacker can exploit? You can contact us to discover how we can help you make your IT environment secure.