Earlier this year, there was a report on a new spear-phishing attack seeking to steal people’s sensitive data. The spear-phishing email message, apparently drafted to look like it came from FedEx, included a link that took the recipient of the email to a Google Docs page and then used a script to download malware to the employee’s computer. What was notable about this spear-phishing attempt was that the email “bait” actually included employee sensitive data, such as his or her Social Security Number. This is yet another new wrinkle in such phishing attempts and should serve as a reminder about being diligent in continually monitoring and improving your cybersecurity program.
Last year alone, cybercriminal activity increased 38%. While cybercriminal activity comes in different forms, 90% of all successful cybersecurity attacks begin with phishing emails. That’s right, 90%! If you are wondering whether this should alarm you as a business owner, IT SHOULD. That’s because the greatest workplace threat to data security is rarely cyber-hackers. As we have shared before, the biggest risks are employees making things easy for hackers or violating policies themselves. Every day, millions of employees read their emails. Consequently, in reading those emails, every day thousands of employees unknowingly open phishing emails, downloading malware viruses to their computer and company databases.
Now I know what you are thinking: “Our employees are smart people who know a phishing email when they see one. They wouldn’t take that bait.” Or, perhaps you have a training program and have warned employees about phishing. However, in one study, 56% of employees who received a phishing email clicked on the link. In a more recent study, 33% of employees opened the phishing email, 25% of employees clicked on the link, and 20% of the employees entered their personal credentials into the link. This research also indicated that employees, regardless of their job title or tenure with the company, are susceptible to phishing emails. Indeed, Taft’s Neil Roach recently reminded us all of a spear-phishing scam that is going on its third year of successfully getting employees to give up W-2 information.
These reports make sense and are bolstered by the FedEx e-mail scam. Criminals have become more sophisticated in their implementation of sending phishing emails, as well as other attacks. They are not simply drafting emails and sending them out to anonymous users. These hackers are researching companies and their employees, and tailoring the emails accordingly. Spear-phishing uses a little information about an individual for the purposes of creating a targeted message with increased likelihood of fooling the recipient and getting that all-important “click.”
So, how do you protect your company against phishing and spear-phishing emails?
- Technological Defenses. These defenses include anti-spam filtering, firewalls, and email software that draws attention to suspicious links before allowing the employee to click them. Research indicates that asking employees if they are sure they want to click on a link causes employees to rethink decisions.
- Education. Although even trained employees can be fooled by some of the sophisticated approaches to phishing and spear phishing, training remains one of the most successful and efficient means to reduce risk to your data. The best offense is a good defense. This means that in order to protect the company from phishing emails, employees must know what phishing emails are and how to spot them.
It is also not enough to have one yearly training session. “An annual training program is good, but hardly sufficient to keep up with the evolving risk” says Scot Ganow, co-chair of Taft’s Data Privacy and Security Group. “Best practice, and indeed some laws, require the administration of a complimentary awareness program that regularly updates employees on both existing company policy and emerging threats.”
- Policies and Procedures. And you can’t train employees unless you have written materials on which to base such training. The employee must also know the protocol he or she must follow if they think they have come across a phishing email. Lastly, the employee must know who to call if they think they have clicked a link they believe is a phishing email.
Implementing these methods will help protect your company against phishing emails and cybercriminal activity. While none of these recommendations are a silver bullet in the constantly evolving world of information security, they all serve to increase awareness and reduce risk, especially in the most common way into your company: employees and emails.