Phishing: It sounds like such an innocuous term. But, every year, phishing attacks are responsible for billions of dollars in costs to businesses worldwide. These attacks are becoming increasingly sophisticated and are being delivered more frequently and in more creative ways.
Phishing uses a fraudulent email, message or advertisement as the weapon in a cyber attack. It seeks to trick users into doing any or all of the following:
- Downloading an attachment that contains malware;
- Clicking on a suspicious link; and/or
- Revealing personal or business account information.
Phishing is a front-line security problem for businesses around the world. According to statistics cited in SC Media Magazine, about 90% of all cyber attacks begin with an email phishing attempt. Let me repeat that: 90%, the overwhelming majority, of these attacks start with email phishing (and some studies put the figure as high as 98%). In these attacks, criminals pose as trustworthy parties to steal usernames, passwords and financial data.
After more than 25 years working in the Los Angeles IT and cybersecurity scene, I’ve had many conversations with clients about how they can increase their organizations’ defenses. These conversations typically head in the direction of penetration testing and risk assessments, which are great processes to implement and will benefit any business.
However, something that people often minimize or don’t even consider is the biggest threat to their company’s security: Their own people.
The Biggest Cybersecurity Threat: Employees
While external threats are a big concern to businesses and organizations of any size, there is an often-overlooked threat that exists within your own organization. One of the most common causes of data breaches is the uninformed employee: the person who is doing something on a work computer that they shouldn’t be doing.
Phishing emails are often very detailed and aim to mimic real organizations and people that you — or others within your organization — may interact with on a daily basis. Here are 15 real-world examples that you can review to see how these imposter messages can be identified.
The good news is that a lot of these incidents are preventable when companies implement effective cyber protection methods like cybersecurity awareness training. In fact, a recent study demonstrates the difference that occurs when companies implement this type of training:
“The study, drawn from a data set of more than six million users across nearly 11,000 organizations, benchmarks real-world phishing results. Results show a radical drop of careless clicking to just 13 percent 90 days after initial training and simulated phishing and a steeper drop to two percent after 12 months of combined phishing and computer based training (CBT).”
Training employees to recognize phishing emails takes time and resources — and it needs to be a continuous effort. By taking the time to educate your employees, you can help to decrease your organization’s risk of falling victim to phishing attacks.
So what are three examples of phishing that we can learn from?
1. Phishing Attacks on the 2018 Winter Olympic Games
Phishing is a form of social engineering, and a targeted variant of it was recently used in attempted attacks on various groups involved with the 2018 Winter Olympics in Pyeongchang, South Korea. The emails, which were shown to have come from Singapore, were spoofed to look like they had been sent from a location in South Korea.
By sending the kinds of emails those groups would be expecting to receive, the attackers were hoping to gain a foothold in larger organizations and access to their valuable data. The From address and display name of an email are trivial to forge; what is much harder to hide is the connecting mail server recorded by the recipient's own mail gateway, together with the SPF, DKIM and DMARC verdicts it records, which is where spoofing of this kind is usually caught. The same kinds of attacks are unleashed on businesses around the world each and every day. This is why it’s so important for business leaders to understand and recognize these threats, and to have a plan of action as well.
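The spoofing indicators mentioned above (a forged From address, a sending server in a different place from the one the sender claims, and failed authentication checks) can be pulled out of a message's headers mechanically. The following is an added example written for this post, not code from the original article or from any vendor: it parses two constructed messages (a spoof and a legitimate one, using `.example` domains and documentation IP ranges) and reports which indicators fire. `TRUSTED_DOMAINS`, the sample headers and the crude two-label `base_domain` helper are assumptions for illustration; a production version would use a public-suffix list and only trust the `Received` and `Authentication-Results` headers written by your own gateway.

```python
"""Flag sender-spoofing indicators in a raw email message.

Added example for this post, not code from the original article. The
messages, domains and IP addresses below are constructed for illustration
(.example domains, documentation IP ranges); TRUSTED_DOMAINS is a
hypothetical allow-list of domains the organisation expects mail from.
"""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list of domains this organisation corresponds with.
TRUSTED_DOMAINS = {"olympics.example", "partner.example"}

# Constructed spoof: the display name and a lookalike From domain imitate a
# trusted sender, but the envelope sender, Reply-To, authentication results
# and the connecting host (recorded by our own gateway) all point elsewhere.
SPOOFED_EMAIL = """\
Return-Path: <bounce@mailer-sg.example>
Received: from mx.mailer-sg.example (mx.mailer-sg.example [203.0.113.7]) by mail.olympics.example with ESMTP id abc123 for <staff@olympics.example>; Thu, 28 Dec 2017 09:12:00 +0900
Authentication-Results: mail.olympics.example; spf=fail smtp.mailfrom=mailer-sg.example; dkim=none
From: "Olympics Security Office" <security@olympcs.example>
Reply-To: office.replies@mailer-sg.example
To: staff@olympics.example
Subject: Agenda for Friday's security briefing
Content-Type: text/plain; charset="utf-8"

Please open the attached agenda before Friday's meeting.
"""

# Constructed legitimate message from the real domain, for comparison.
CLEAN_EMAIL = """\
Return-Path: <security@olympics.example>
Received: from mx.olympics.example (mx.olympics.example [198.51.100.5]) by mail.olympics.example with ESMTP id def456 for <staff@olympics.example>; Thu, 28 Dec 2017 10:03:00 +0900
Authentication-Results: mail.olympics.example; spf=pass smtp.mailfrom=olympics.example; dkim=pass header.d=olympics.example
From: "Olympics Security Office" <security@olympics.example>
To: staff@olympics.example
Subject: Agenda for Friday's security briefing
Content-Type: text/plain; charset="utf-8"

The agenda is on the intranet; there is no attachment.
"""


def domain_of(header_value):
    """Lower-cased domain of an address header ('' if the header is absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def base_domain(host):
    """Crude registrable domain: the last two labels (no public-suffix list here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike(domain, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """Trusted domain that `domain` closely resembles without matching, else None."""
    best, best_ratio = None, 0.0
    for candidate in trusted:
        if domain == candidate:
            return None  # exact match: not a lookalike
        ratio = SequenceMatcher(None, domain, candidate).ratio()
        if ratio >= threshold and ratio > best_ratio:
            best, best_ratio = candidate, ratio
    return best


def spoofing_indicators(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of (code, detail) findings; an empty list means nothing fired."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    findings = []

    # 1. Envelope sender and Reply-To normally share the From domain.
    for header, code in (("Return-Path", "return-path-mismatch"),
                         ("Reply-To", "reply-to-mismatch")):
        other = domain_of(msg.get(header))
        if other and other != from_domain:
            findings.append((code, f"{header} domain {other} != From domain {from_domain}"))

    # 2. SPF/DKIM verdicts as recorded by our own gateway in Authentication-Results.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append((mech, f"{mech} result is {m.group(1)}"))

    # 3. Lookalike From domain (typo-squat of a domain we trust).
    near = lookalike(from_domain, trusted)
    if near:
        findings.append(("lookalike-domain", f"{from_domain} resembles trusted {near}"))

    # 4. Connecting host from the outermost Received header. Only the header
    #    added by our own gateway is trustworthy; earlier ones can be forged.
    received = msg.get_all("Received") or []
    if received:
        m = re.search(r"from\s+(\S+)(?:.*?\[(\d+\.\d+\.\d+\.\d+)\])?", received[0])
        if m and base_domain(m.group(1)) != base_domain(from_domain):
            findings.append(("origin-mismatch",
                             f"connected from {m.group(1)} ({m.group(2)}), From claims {from_domain}"))
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, spoofing_indicators(raw) or "no indicators")
```

None of these checks is conclusive on its own (legitimate bulk mailers routinely produce a Return-Path mismatch, for instance), which is why the function returns every indicator rather than a single verdict; the combination of a failed SPF check, a lookalike domain and a connecting host in a different domain is what marks the first message as a spoof.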
2. Phishing Reels in Medicaid Patients’ Health Care Information
For another example of a recent phishing attack, look no further than Florida. The state’s Agency for Health Care Administration announced that one of its employees had fallen for a malicious email, which may have allowed hackers to access the personal information and medical records of up to 30,000 Medicaid recipients. This shows that it’s not just businesses that fall victim to these types of attacks; government organizations do as well. It’s important to remember that this can happen anytime, anywhere, and to any organization, regardless of size.
3. Facebook and Google Lose $100+ Million in Email Scam
Although the two victim companies weren’t originally identified, it was revealed by Forbes last year that Facebook and Google were taken for more than $100 million over a two-year period of attacks.
According to the official U.S. Justice Department press release, a man from Lithuania used an elaborate scheme to falsify emails and invoices to mimic those from a real Asian-based computer hardware manufacturer that worked with both technology companies. He used the emails to trick the companies’ employees into wiring the funds to a bank account he controlled.
This demonstrates that even the most technologically advanced companies can still fall victim to these kinds of attacks. Note that this scheme, usually called business email compromise or invoice fraud, involved no malware and no stolen passwords, only a convincing request to pay; the control that reliably stops it is a process one: verifying any new or changed payment details with the vendor through a channel other than the email that requested the payment. While no cyber protection method is 100% foolproof, implementing cybersecurity awareness training, together with that kind of payment verification, can at least help to mitigate the risk of your organization falling prey to these attacks in the future.
Each day, compliance officers within businesses and organizations around the world are responding to security threats. To be truly effective, they must assess the effectiveness of their current cybersecurity initiatives and implement necessary protocols that stay up-to-date with changing attack methods and technologies. They are also adopting stricter policies and procedures to better protect their companies’ sensitive data and that of their clients.
What has your company done to try to reduce potential cybersecurity threats such as phishing attacks? Let us know in the comments box below. Or, you can always send me an email to discuss this topic with me directly more in-depth.