Phishing continues to be one of the most significant security challenges facing organisations. When we sent over 7,500 dummy phishing emails to a wide range of organisations as part of an end-user awareness testing project, the result was dramatic: 18% of recipients clicked through. The really worrying figure is the next one: of that almost one-fifth of employees who clicked on a well-designed phishing email, 24% went on to enter their password when prompted. With 90% of phishing emails carrying some kind of ransomware, the implications of these attacks become even more serious.
The impact of phishing attacks
A phishing attack generally does one of three things: it directs the recipient to a convincing copy of a legitimate website (their bank's, for example) that asks them to enter credentials or other key data; it carries or fetches a payload that gives the attacker a foothold on the PC and, from there, the network; or it asks them to open an attachment carrying malware, often a keylogger that records passwords or card details and sends them back to the attacker.
For individuals, the effects can be devastating. Phishing attacks can lead to the theft of personally identifiable information, including credit card details that can be used for purchases or other fraudulent transactions. More worryingly, if enough of an individual's sensitive data is acquired (for example by taking over an email account, which can then be used to reset the passwords of other accounts), a criminal can reach medical records, passport details and anything else needed to commit identity fraud.
For businesses, the risks are just as significant. If a phishing attack succeeds in getting a person to give up their workplace password, the attacker can reach everything that account can reach, and a single over-privileged account is often enough to move on to the rest of the network. With businesses increasingly moving their data and work processes online, all it takes to let an attacker "in" is one victim's login: from there they can read customer details and the company's own financial records, or install viruses or other malware that then spread through the entire organisation.
What does this mean in numbers?
Statistics show that 85% of organisations experience phishing attacks, and that email delivers more malware than any other medium. When an attack succeeds, the average cost of a phishing attack is $1.6 million.
It gets worse for listed companies: 15% of victims that were listed companies saw their share price decline as a result of the phishing attack.
Infographic (by the team at Indusface): the prevalence of ransomware and phishing attacks in recent years.
So what can you actually do to prevent these attacks?
Businesses have a responsibility to themselves and their customers to take precautionary steps to protect the business from these attacks. The best way to minimise the risk of phishing is to approach it via a three-pronged strategy.
1. Make sure the employees are educated about phishing.
Given the prevalence of phishing attacks, it’s shocking that businesses don’t do more to educate customers and staff about what to look for in a phishing scam. Teaching employees to look out for three things before clicking on an attachment or a link is critical in catching phishing scams before they can infect computers or steal data.
- Be cautious when asked for personal details: The moment an email requests information about a person or their banking or business account details, the employee should treat it as a red flag. An email that looks like an internal business email should be passed to the IT team for review. An email that appears to come from a person's bank or similar should not be acted on until the employee has rung the bank, on a number they already have rather than one printed in the email, and confirmed it is genuine.
- If the email looks real, check for spelling or grammar errors: Phishing attacks are getting more sophisticated, but many are still written by people for whom English is a second language, or are assembled carelessly, and are riddled with spelling or grammar errors. Treat such errors in an email that asks you to act as a strong sign that it is a phishing attempt; the absence of errors, however, proves nothing, since well-funded campaigns copy genuine corporate emails word for word.
- Check the links are legitimate: A phishing email directs people to web addresses that are not the real ones, and this can be very hard to spot. The goal of a phishing site is to look legitimate, so attackers register similar-sounding domains, put a trusted brand name in front of a domain they control (bank.com.some-other-site.net) or swap letters for lookalike characters, and copy the layout of the real site. Before clicking, hover over the link to see where it really goes, check the part of the address immediately before the top-level domain (the registered domain) rather than the start of the address, and confirm it is an HTTPS address you are familiar with. Note that HTTPS alone is not proof of legitimacy: attackers obtain certificates for their lookalike domains too.
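The link checks described above, written out as an added example (this is not code from the original article or from Kiandra): it compares the visible text of a link with its real target, extracts the registered domain, and looks for brand-in-subdomain tricks, homoglyph substitutions and punycode labels. The trusted-domain list, the homoglyph table and the sample links are constructed for the example, and the registered-domain logic is a heuristic rather than a Public Suffix List lookup.

```python
"""Pre-click link checks: is the target HTTPS, does the visible text agree with the
real destination, and is the host a lookalike of a domain we trust?
Added example for this article; the trusted-domain list and test links are constructed."""
import re
from urllib.parse import urlparse

# Domains the organisation and its staff legitimately use (constructed for the example).
TRUSTED_DOMAINS = {"examplebank.com", "kiandra.com.au"}

# Substitutions commonly used to build lookalike domains (0 for o, rn for m, ...).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Visible text that itself looks like a URL or bare domain, e.g. "www.bank.com/login".
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#].*)?$", re.I)


def registrable_domain(host: str) -> str:
    """The part of a host that is actually registered: the last two labels, or three
    when the second-level label is a short country-code suffix like 'com.au' / 'co.uk'.
    A heuristic; production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-2]) <= 3 and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(domain: str) -> str:
    """Fold homoglyphs so 'examp1ebank.com' compares equal to 'examplebank.com'."""
    folded = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded


def shown_host(visible_text: str):
    """Host named in the link's visible text, or None if the text is just words."""
    match = DOMAIN_RE.match(visible_text.strip())
    return match.group(1).lower() if match else None


def check_link(visible_text: str, href: str) -> list:
    """Return the reasons a link looks suspicious; an empty list means nothing was found."""
    reasons = []
    target = urlparse(href)
    host = target.hostname or ""
    if target.scheme != "https":
        reasons.append(f"not HTTPS (scheme is {target.scheme or 'none'})")
    if not host:
        return reasons + ["no host in link target"]
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (punycode) label in host, check for homoglyphs")
    real = registrable_domain(host)
    shown = shown_host(visible_text)
    if shown and registrable_domain(shown) != real:
        reasons.append(f"visible text says {shown} but the link goes to {host}")
    if real not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            brand = trusted.split(".")[0]
            # Either the registered domain is a homoglyph twin of a trusted one, or a
            # trusted brand name appears inside a host registered by somebody else.
            if normalise(real) == normalise(trusted) or brand in normalise(host):
                reasons.append(f"{host} imitates trusted domain {trusted}")
                break
    return reasons


if __name__ == "__main__":
    for text, href in [
        ("www.examplebank.com/login", "https://www.examplebank.com/login"),
        ("www.examplebank.com/login", "http://examplebank.com.secure-verify.net/login"),
        ("Click here", "https://examp1ebank.com/reset"),
    ]:
        print(f"{text!r} -> {href}: {check_link(text, href) or 'looks consistent'}")
```

The same three checks are what a mail gateway's URL-rewriting filter performs at scale; the point of running them by hand here is to see which part of the address each trick manipulates, since the registered domain is the only part the attacker cannot forge.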
2. Create strong password policies
Phishing attacks can be foiled by enacting a couple of different password policies that mean that, even if a hacker is able to get a person’s password, they still can’t necessarily get into the network.
- Enable two-factor authentication: After the password has been accepted, the login also demands something the attacker does not have, typically a short-lived code generated by an authenticator app on the person's phone or sent to it by text message, which must be entered before the login completes. A phished password alone is then not enough. Be aware that a code typed into a web page can still be relayed by a phishing site that proxies the real login in real time, so where the option exists prefer phishing-resistant methods such as FIDO2/WebAuthn security keys, which are bound to the genuine site's origin and simply do not work on a lookalike.
- Enforce regular password changes: Periodic changes limit how long a stolen password stays useful. Current guidance (NIST SP 800-63B) advises against forced rotation on a fixed schedule, because people respond with predictable variants of the old password; forcing a change as soon as a compromise is suspected, and screening new passwords against lists of known-breached ones, does more to minimise damage.
- Require a different password for each login: If a person has a number of logins within the organisation, ensure that each one uses a different password, so that if an attacker gets access to one account they still cannot access the others. For people who struggle to remember passwords, password management software such as LastPass (which is free) or 1Password can be an invaluable tool.
3. Keep the IT team focused on the task
Monitoring inbound and outbound communications for the signatures of malicious activity (failed sender authentication, lookalike sender domains, unusual outbound connections from a workstation after a link was clicked) is another important task, and should be built into the KPIs of the IT team. Mail gateways and network monitoring tools can automate much of this, and business leaders should require regular reports specifically on security monitoring to keep the team focused on it.
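The kind of inbound-mail check the paragraph above has in mind, as an added example (not code from the original article or from Kiandra): it parses a message's headers and flags the usual credential-phishing signals, namely SPF, DKIM or DMARC results other than pass, a display name that claims the organisation's domain while the address is elsewhere, a Reply-To that diverts replies, and a Return-Path on a different domain from the From address. The organisation's domain list and both sample messages are constructed for the example.

```python
"""Flag inbound messages whose headers carry common credential-phishing signals.
Added example for this article; the domain list and sample messages are constructed."""
import email
import re
from email.utils import parseaddr

OUR_DOMAINS = {"kiandra.com.au"}          # domains staff would trust in a display name

# method=result pairs inside an Authentication-Results header, e.g. "spf=fail".
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

# Constructed sample: spoofed display name, failed authentication, diverted replies.
PHISH_SAMPLE = """\
Return-Path: <bounce@mailer-7.example-sender.net>
Authentication-Results: mx.kiandra.com.au; spf=fail smtp.mailfrom=example-sender.net; dkim=none; dmarc=fail header.from=kiandra-helpdesk.net
From: "Kiandra IT Support" <support@kiandra-helpdesk.net>
Reply-To: <verify@collect-mail.example.org>
To: staff@kiandra.com.au
Subject: Action required: your password expires today

Please verify your account at the link below.
"""

# Constructed sample: the same sender done properly.
LEGIT_SAMPLE = """\
Return-Path: <support@kiandra.com.au>
Authentication-Results: mx.kiandra.com.au; spf=pass smtp.mailfrom=kiandra.com.au; dkim=pass header.d=kiandra.com.au; dmarc=pass header.from=kiandra.com.au
From: "Kiandra IT Support" <support@kiandra.com.au>
To: staff@kiandra.com.au
Subject: Planned maintenance this weekend

No action is required.
"""


def domain_of(addr_header) -> str:
    """Domain part of an address header value, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Collapse all Authentication-Results headers into {'spf': 'pass', ...},
    keeping the first (outermost, i.e. our own gateway's) verdict per method."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(str(header)):
            results.setdefault(method.lower(), result.lower())
    return results


def phishing_signals(raw_message: str) -> list:
    """Return a list of human-readable signals; an empty list means none were found."""
    msg = email.message_from_string(raw_message)
    signals = []
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            signals.append(f"{method}={auth.get(method, 'missing')}")
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    # Display-name spoofing: the name invokes our domain or brand, the address does not.
    for ours in OUR_DOMAINS:
        brand = ours.split(".")[0]
        if (ours in display.lower() or brand in display.lower()) and from_domain != ours:
            signals.append(f"display name claims {ours} but address is @{from_domain}")
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        signals.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Weak signal on its own (bulk senders and forwarders do this legitimately).
    return_domain = domain_of(msg.get("Return-Path"))
    if return_domain and return_domain != from_domain:
        signals.append(f"Return-Path domain {return_domain} differs from From domain {from_domain}")
    return signals


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, phishing_signals(sample) or "no signals")
```

Authentication-Results is only trustworthy when it was written by your own gateway, so a real deployment should strip any copy of that header arriving from outside before its own checks add one; the function above keeps the first occurrence for that reason.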
Enlist an expert security solution
Ideally, basic best practices and a little caution will stop these attacks before they start, but when a compromise does occur, being able to respond quickly, by noticing it, identifying the affected accounts and shutting down their access to the network, is vital.
The best defence against phishing attacks is a precautionary approach, whilst also remaining vigilant and aware of the threat. Our security specialists at Kiandra are experts when it comes to protecting and testing your systems against attacks, and can also hold on-site training to help increase security awareness throughout your business. Talk to our team at Kiandra about how we can level up your IT security today.