Phishing attacks are on the rise and are becoming more sophisticated. In fact, PhishMe’s Enterprise Phishing Resiliency and Defense Report showed an annual increase of 65%.
Phishing attacks are a tactic used by cybercriminals to extract information from a targeted recipient by disguising their identity as a familiar source. The perpetrators behind phishing attacks attempt to illicit urgency so that the target will open an attachment, click a link in the email, or provide sensitive information. Once a user falls victim to a phishing attack, cybercriminals have access to the company network and the data they want.
Next-level phishing attacks are classified as spear phishing, which targets a specific individual rather than a broad group. Cybercriminals are crafting emails that seem completely real to their targets because they appear to be coming from a trusted source and include very specific information that makes the message appear legitimate.
Phishing costs businesses serious money
And, they can be costly. In the same report from PhishMe, a mid-size company could lose up to $1.6 million in a cyber attack like this. The FBI Internet Crime Report noted that they received over 15,000 complaints regarding business email compromises in 2017, with losses of more than $675 million.
So, how can you protect your business from these risks? Here are some important tips to safeguard your business.
Train your employees on phishing scams
The best defense against phishing scams is to have an educated staff. Spend time training them on what to look for in a suspicious email, including:
- Spoofed sender addresses or links (for any links, train employees to hover over them before clicking to see where they really lead)
- Impersonal and/or poorly written content
- Messages implying certain activities like orders or shipments that aren’t familiar
- Verifying any requests for wire transfers or payments
Consider regular training on phishing as part of your cybersecurity strategy for your employees so they remain vigilant and scrutinize all emails they receive. And advise your team on what steps to take (and not take) when they suspect an email is a fake.
Use two-factor authentication
With two-factor authentication, identity is confirmed by a password. An additional step like sending a verification code to a verified smartphone or email address adds another layer of security that can help thwart phishing attacks.
Update your software regularly
Not updating your software when it’s time can expose your email systems and browsers to fraudulent activity. Phishing attempts are intended to exploit vulnerabilities in software. Updates from the vendor can fix those vulnerabilities. Keeping all software up-to-date is an essential tool in the fight against phishing.
Secure your browsers
Most phishing links involve the impersonation of a trusted website. No matter how much you train your employees, there is always the risk that the link will be clicked, which could lead to a data breach. To combat this, you need to secure your browsers. You can do this by using an extension like HTTPS Everywhere, which verifies the correct URL and security features for every website page. This is just one more way to add layers to your cybersecurity practices.
Your email server probably has spam filtering parameters. However, you can make these stronger by configuring the filter alerts for certain keywords, untrusted sending domains, and IP addresses. It’s true that spam filtering won’t catch every phishing attack, but it’s a good idea to make these filters as robust as possible.
Send mock phishing emails to employees
Training your employees and keeping them current on the evolution of phishing is critical. But by sending simulated phishing emails, you can test to see how that training has paid off. You can measure what percentage of your employees clicked in what situations and then share those results. It can also help you test your antivirus software. Prevention is vital to protection and testing is an excellent way to verify, validate and adjust your efforts.