It’s no secret that email inboxes are under siege. According to the 2018 Verizon Data Breach Report, phishing attacks are at the heart of 93 per cent of data breaches. In fact, the FBI’s 2017 Internet Crime Report indicates that business email compromise (BEC) and phishing drive 48 per cent of ALL internet crime-driven loss — more than all other business-related internet crime combined. And with $12B lost globally, it’s proving extremely effective.
While these facts indicate defending against phishing attacks needs to be a priority for all organisations, many businesses often underestimate their risk level. In fact, in a recent survey by EdgeWave, we asked IT pros how confident they were in their existing email gateways to protect them against advanced, targeted email attacks. The result? 80 per cent said they were confident or very confident in gateways blocking these threats.
Unfortunately, that mindset is creating more risk for all businesses. Email gateways are decades-old technology designed to stop high volume spam and phishing campaigns, not targeted attacks like BEC. As long as businesses keep telling themselves their security is “good enough”, they’ll be open to socially engineered attacks.
Is security awareness training the answer?
Phishing preys on a combination of human psychology and technological vulnerabilities. Cybercriminals realise it’s easier to fool a distracted worker in an email environment than to hack a server or bull rush a domain URL. Today’s workforce is used to working at warp speed, and not paying much attention to email addresses or the “from” fields. They are also used to being asked for Personally Identifiable Information (PII) and may not think twice about responding to a personal request. Over 1.5 million “spoof” web sites are now created every month to fool unsuspecting users.
Over the past several years, many organisations have turned to Security Awareness Education to help users become more aware of these cyber threat tactics and become an active part of their defence posture. This training includes lessons on what to look for, and simulated phishing attacks to assess “readiness” of users. However, after training, many firms are now realising that the benefits of this training are fleeting. Despite training, users are still only reporting 17 per cent of phishing attacks (based on Verizon’s Data Breach Report 2018). What’s more, training is expensive and never ending. As new users come on board, training begins again anew.
Security Awareness Training is a good step to creating awareness of the problem, but it is not the silver bullet everyone thought it could be. If you think about it, you are asking everyday users to become expert at recognising cyberattacks. IT pros themselves have stated they don’t trust users to do this. So why give users that responsibility?
So what can you do to stop phishing?
Organisations don’t need large budgets to effectively defend against phishing attacks. However, they need to change their mindset and recognise that it’s no longer if you will be attacked, but when.
A good starting point is 1) understanding the threat landscape, 2) knowing where your sensitive data resides and 3) what could likely cause your business harm. Most successful phishing campaigns tend to be very targeted (Spear Phishing and BEC), going after specific job functions in the organisation that have access to or manage critical data and finances – C-level, HR, IT, Accounting and Finance. This is where cybercriminals pull emotional levers like trust and fear to get employees to take the bait. Focus on securing those areas of the business as an initial priority, yet don’t stop there. Successful anti-phishing programs need to touch all employees.
Start by understanding the nature of phishing emails
- Always be on guard. While obvious issues like grammatical errors and spelling mistakes still exist, modern phishing emails look very legitimate. Treat anything from the internet as suspicious.
- Be cautious of individuals or organisations that ask for personal information or transferring of funds. Don’t click on any links -- verify directly with the company itself to avoid any potential issues.
- Take a close look at the sender’s email address (not the display name – this can be easily spoofed) when checking the legitimacy of an email. Would your CEO truly send you an email from their “personal” account asking you to transfer money?
- Don’t be frightened or intimidated by messages that have an alarmist or urgent tone. Contact the company or individual directly if they are uncertain about the status of their accounts or the request.
Build a cyber aware corporate culture
- Make cybersecurity a priority for all employees, not just the IT team, and provide a written cybersecurity policy that all employees must read and acknowledge
- If your business works with third parties and systems are integrated (e.g. retail POS), make it a policy to ensure their applications are secure – ask them about their security policies before deploying.
- Set formal, explicit security policies to stop BEC or CEO Fraud. For example, all wire transfers or movement of company funds requires verbal and written approval.
Deploy relevant technologies and tools
Deploy a multi-layered email security posture including email gateway, anti-phishing postdelivery detection and incident response technologies. Adding Postdelivery Detection and Incident Response solutions to your existing email gateway not only greatly reduces your risk, they also dramatically reduce dwell time for threats that get into inboxes. The faster these threats can be deleted across the organisation, the less costly the attack. Our company, EdgeWave, currently offers a platform with all these solutions to provide a modern email security platform.
Because phishing criminals continue to innovate, you need to enhance your security approach as well to stay ahead of these attacks. Although there is no silver bullet, a combination of employee education to increase awareness, formal cybersecurity policies, and specific, anti-phishing technologies can drastically reduce the risk of successful phishing attacks.
John Randall, VP of Product Management, EdgeWave
Image Credit: wk1003mike / Shutterstock