The steep rise in digital communications over the past decade has, not surprisingly, spawned a similar increase in cybercrime.
25% of all data breaches involve phishing and 85% of data breaches involve a human element.¹
While there has been no direct cyber assault on the United States as of yet, we have seen an increase in the number of phishing attacks during the last twelve months. Aside from severe business disruption, these attacks can cost organizations millions. Stability Networks has prepared this article to help safeguard your user community from phishing tactics used by cybercriminals attempting to compromise your organization.
What is phishing?
Phishing is a cyber-attack to obtain a user’s login credentials, credit card numbers, Social Security numbers, or other information. Typically, the ultimate aim is to gain access to a larger trove of data, such as a personal or corporate bank account, to steal money.
Phishing involves tricking users into thinking they received an email or text from a reputable company or contact. Attackers will use logos, fake but realistic-looking email addresses, contacts, and other tactics to trick you into clicking on a malicious link or opening an attachment, which could compromise your security.
When unsuspecting users take the suggested action, bad things start to happen. Commonly, malware (short for “malicious software”) is installed on the user’s computer. That code can then infect other machines, explore the network, steal data, or wreak almost any sort of havoc an attacker wants, including encrypting files and locking systems as part of a ransomware attack or mining databases for sensitive information. The malicious code transmits what it finds back to the attacker.
Examples of phishing attacks
Part of what makes phishing attacks so effective is that they often appear to be from a trusted source. They invent unusual, often urgent situations to goad people into taking immediate action. Here are some examples:
- You get an email apparently from Microsoft explaining that there’s “unusual sign-in activity” on your company email address. You’re asked to click on a link to view that activity. The link leads to a sign-in page that looks like Microsoft’s but is run by the attacker; the moment you enter your password, the “phisherman” has hooked you and holds the credentials needed to reach your company’s mailboxes and data.
- You handle your company’s accounting and get an email seemingly from the bank. It says there’s a problem with one of the checks you issued. They’ve attached a copy of it and directed you to take a look. Open the attachment, and the document may carry malware that gives the attacker a foothold on your machine, making your life a living nightmare.
- An email seemingly from someone you know lands in your inbox encouraging you to click on a link to view a Google Docs document. Doing so takes you to what appears to be a Gmail login page, or to a consent screen asking you to grant an unfamiliar app access to your Google account. Enter your credentials or approve the request, and, bam, you’re the victim of a phishing attack.
Nearly 20% of employees will click on phishing email links. Of those, 67.5% go on to enter their credentials on a phishing website.²
How to spot an attack
Cybercriminals have become very sophisticated in creating phishing communications, both in terms of email design and wording. But here are a few things that should be instant red flags:
- Misspelled words
- Unusual or extraordinary requests
- URLs that do not reflect the supposed sender
- Requests to change payment, banking, or payroll details
- Requests for personal information
- Poorly formatted emails or websites
- Unsecured websites (no HTTPS, or a certificate warning in the browser)
- Missing footers or navigation
- Broken links
- No contact information
Lastly, our advice is this: trust your gut; if the communication doesn’t “feel” right, don’t click on any embedded links or open attachments.
How to avoid phishing attacks
Follow these guidelines, and you’ll significantly reduce your chances of falling prey to a phishing attack.
Exercise caution and verify
First and foremost, do not click on links, or open attachments, from emails you’re not expecting—especially from an unknown source. If you’re unsure, reach out to confirm the request via phone or a means outside the original communication.
According to IBM, the average cost of a data breach is $4.24 million.³
If you’re still determined to proceed, hover your mouse over links to see the URL you’ll be directed to if you click; the text of a link and its real destination can differ. Even if the URL looks normal, don’t click it. Instead, open a new browser tab and type the organization’s known domain yourself, using “https://” at the beginning rather than “http://,” and navigate to the page from there. Stability Networks has the technology to rewrite links in your email so that a URL is checked at click time; however, this only covers corporate email. You should implement these same practices for your personal email accounts.
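The hover-and-check step above can be mechanised for the cases that fool the eye: a trusted name placed before an “@” so the browser actually connects to what follows it, a trusted domain used as a subdomain of an unrelated host, a bare IP address, and a lookalike hostname whose Unicode form hides a foreign letter. The following Python is an added example, not code from this article or from Stability Networks. It assumes you already know which domain the message claims to come from (for example microsoft.com for a sign-in alert), and it uses a tiny constructed stand-in for the Public Suffix List; every URL and the Cyrillic-letter lookalike are constructed for the demonstration.

```python
"""Check whether a link target really belongs to the domain a message claims.

Added example, not part of the original article. An empty result means the
target is consistent with the claimed sender; it does not mean the link is safe.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: suffixes under which the
# registrable domain has three labels, not two. Production code should use the
# real list (for example the `publicsuffix2` package on PyPI).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that somebody had to register.

    'login.microsoft.com' -> 'microsoft.com'; 'mail.example.co.uk' -> 'example.co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_link(url: str, claimed_domain: str) -> list[str]:
    """Return the red flags found in `url`, given the domain the message claims."""
    flags: list[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        flags.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if not host:
        flags.append("no hostname in URL")
        return flags

    # https://microsoft.com@evil.example/ : the text before '@' is userinfo;
    # the browser connects to whatever comes after it.
    if parts.username is not None:
        flags.append(f"userinfo '{parts.username}' before '@' hides the real host")

    try:
        ipaddress.ip_address(host)
        flags.append(f"link goes to a bare IP address {host}")
        return flags
    except ValueError:
        pass  # not an IP literal, keep checking

    # Internationalised labels travel as xn--...; decode them so a Cyrillic 'о'
    # hidden in 'micrоsoft' becomes visible to the reviewer.
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            decoded = host.encode("ascii").decode("idna")
        except UnicodeError:
            decoded = "<undecodable>"
        flags.append(f"punycode hostname, decodes to {decoded!r} (possible homograph)")

    expected = registrable_domain(claimed_domain)
    actual = registrable_domain(host)
    if actual != expected:
        flags.append(f"registrable domain is {actual}, not {expected}")
        # microsoft.com.account-verify.example or evil.example/microsoft.com/
        if expected in host or expected in parts.path.lower():
            flags.append(f"'{expected}' appears in the URL but is not the host that answers")
    return flags


def homograph_url() -> str:
    """Constructed lookalike: 'microsoft' spelled with a Cyrillic 'о' (U+043E)."""
    lookalike = "micr\u043esoft.com".encode("idna").decode("ascii")
    return f"https://{lookalike}/login"


if __name__ == "__main__":
    samples = [
        ("https://login.microsoft.com/common/oauth2/v2.0/authorize", "microsoft.com"),
        ("https://microsoft.com.account-verify.example/login", "microsoft.com"),
        ("https://microsoft.com@198.51.100.7/", "microsoft.com"),
        (homograph_url(), "microsoft.com"),
        ("http://www.example.co.uk/docs", "example.co.uk"),
    ]
    for url, claimed in samples:
        print(url, "->", inspect_link(url, claimed) or "consistent with claimed sender")
```

The check deliberately reports only mismatches, not safety: a link to a legitimate but compromised site, or to a file-sharing service the real sender also uses, passes cleanly. It is a triage aid for the “URL does not reflect the supposed sender” red flag, not a replacement for confirming an unexpected request out of band.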
Train employees
Strictly enforce password management policies within your organization. Make sure employees do not reuse passwords for multiple applications. You can also diminish threats by educating employees regularly on the ever-evolving realities of phishing.
Institute multifactor authentication
As discussed in our blog, multifactor authentication (MFA) is one of the most effective ways to combat phishing attacks. It introduces a second or even third way to verify a user’s identity:
- Something you know, such as a password or PIN
- Something you have, such as a token or smartcard
- Something you are—your face, fingerprints, voice, or iris
Not all second factors resist phishing equally: a one-time code or push prompt can be relayed to the real site by a phishing page while you are still typing, whereas hardware-bound methods such as FIDO2 security keys and passkeys tie the sign-in to the genuine site’s domain and cannot be replayed from a fake one. Even so, MFA of any kind blocks the large majority of credential-theft attempts, which is why Stability Networks has mandated multifactor authentication across our entire client base.
Limit social media sharing
Be mindful of the information you share on social media. From these platforms, you’d be surprised at how effectively thieves can compile a reasonably detailed profile of who you are, where you work, and the people you know. That makes it easier to dupe you into believing a phishing email is from a friend or colleague.
Report incidents
Microsoft Outlook has built-in reporting features that will “teach” Microsoft 365 to filter out phishing emails more efficiently.
The “Report Message” button in Outlook Desktop and the “Junk” button in Outlook Web should appear in the horizontal line of buttons near the top of the window that includes “New email” or “New message” and “Delete.”
Stability Networks can help protect your business
Every organization, large and small, must be ready to respond to potential disruptive online activities. The more you know about phishing attacks the better prepared you’ll be to keep them from disrupting your operation.
Reach out to us if you’d like to learn more about how we can help fortify your business and make your life easier. Call (208) 344-0050 x2, or email us at support@stabilitynetworks.com.
[1] Verizon. 2021 Data Breach Investigations Report.
[2] Terranova Security. 2020 Gone Phishing Tournament™.
[3] IBM Security. Cost of a Data Breach Report. 2021.