Four ways to prevent an enterprise phishing attack
According to a new FBI report, businesses lost more than $676 million as a result of email fraud in 2017 -- up 88 percent from the year before. Clearly, businesses are losing the war against email scammers, as phishing attacks have become increasingly sophisticated and widespread.
Phishing is a method of social engineering (i.e. deception) used to gain access to a social media account, bank account or another protected resource. Hackers typically use an email or text message to trick the user into providing login information. Once the user reveals a username and password, the attacker will hijack the account. The outcome can be as devastating as a fully drained bank account. Frankly, all individuals and businesses should take phishing seriously.
There are several types of phishing attacks:
Standard phishing occurs when messages impersonating a well-known brand are sent with the intention of stealing user credentials. Typically, these attacks are widespread and untargeted: the malicious sender hopes to send enough email to reach at least some of the brand’s audience, and further hopes that a portion of those recipients will hand over access to their accounts.
Spear phishing involves highly targeted emails commonly aimed at specific roles within a business. The goal of a spear phishing attack is to access a specific part of a network or to achieve a particular end, like transferring funds into the attacker’s account. These attacks are more difficult for the average user to identify. Spear phishing emails are often personally addressed to the individual, and may contain real information gleaned from other social engineering tactics.
Business Email Compromise (BEC) attacks are usually targeted to a specific individual, and include instructions from a "senior executive" or other respected authority. The addresses used to send these messages are often very similar to the actual individual being impersonated, and the instructions might sound totally feasible, like the "CEO" asking for funds to be transferred to complete a purchase. For some roles within the company, that could be a legitimate request.
Despite the severe consequences of the types of attacks listed above, the best defense against email scammers looking to steal data is a critical eye and business process improvement.
How do you protect yourself and your company from being a victim of phishing?
- Get educated. Could you instantly identify a phishing attempt if you received such an email? OpenDNS has an online phishing quiz to test your ability to spot the differences between fake websites and real ones. If your organization hasn’t invested in phishing awareness training for employees, we strongly suggest it. Check out Cofense (formerly PhishMe) or Wombat Security (now a part of Proofpoint).
- Improve business processes. When dealing with large monetary transfers, build a secondary verification into the process. For instance, your company could decide that anything over $X (X being your company’s comfort level) should require two forms of verification from the requestor. This could be an email supplemented with a phone call or a signature from the requestor’s manager. Put this process in writing, inform the rest of the company, and stick to it, whether it’s a request from the "CEO" or a lower-level accountant.
- Invest in solid technology. A good anti-spam solution is your first line of defense, and will help catch many of the previously-described fraudulent emails before they reach the inbox. Increasingly, these tools work with email authentication solutions like SPF, DKIM and DMARC. Once you’ve properly authenticated your email, consider taking the next step with Brand Indicators for Message Identification (BIMI). While it’s in beta now, you can get your affairs in order to opt-in when BIMI opens for broad use.
- Craft a response plan. Mistakes happen. Knowing a plan is in place in the event of a successful phishing attempt will organize your team around minimizing the access given to the attacker. This plan should include your senior IT resources, financial teams and communication groups to mobilize any of the necessary resolutions. These could include system hardening, network forensics, financial management and communications (internally and externally). Have you ever considered cyber insurance to cover breach and BEC compromises? It may be worth pondering, especially now, before the issues become more prevalent to your organization.
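To make the "Invest in solid technology" point concrete, here is an added example (not code from the original article or from any vendor it names) showing how a receiving mail system applies a published DMARC policy: it parses the `_dmarc` TXT record, checks whether the SPF-authenticated domain or the DKIM signing domain aligns with the visible From domain, and returns the disposition the domain owner asked for. Everything is constructed: the DNS records live in an inline dict, the SPF and DKIM results are passed in as the MTA would already have computed them, and the organizational-domain rule is simplified to "last two labels" instead of the Public Suffix List. The `weak.example` record shows the common weak setting (`p=none`, monitoring only), beside the `example.com` record with `p=reject`.

```python
"""Minimal DMARC policy evaluator (added example, not part of the original article).

Assumptions (constructed for illustration only):
- DNS lookups are replaced by the CONSTRUCTED_DNS_TXT dict below.
- spf_domain is the domain SPF passed for (envelope MAIL FROM), or None on failure.
- dkim_domain is the d= of a DKIM signature that verified, or None if none did.
- org_domain() uses a simplified "last two labels" rule, not the Public Suffix List.
"""

# Constructed zone data: a hardened record (p=reject, strict DKIM alignment)
# and a weak record (p=none) that only requests reports and blocks nothing.
CONSTRUCTED_DNS_TXT = {
    "_dmarc.example.com": ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=r; "
                           "rua=mailto:dmarc-reports@example.com"),
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
}


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict and fill in DMARC defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC1 record")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])   # subdomain policy inherits p
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two DNS labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def lookup_policy(from_domain: str, dns=CONSTRUCTED_DNS_TXT):
    """Find the record for the From domain, falling back to the org domain's sp= policy."""
    from_domain = from_domain.lower()
    record = dns.get(f"_dmarc.{from_domain}")
    if record is not None:
        return parse_dmarc(record)
    org = org_domain(from_domain)
    record = dns.get(f"_dmarc.{org}")
    if record is None:
        return None
    tags = parse_dmarc(record)
    if org != from_domain:
        tags["p"] = tags["sp"]  # subdomain without its own record uses sp=
    return tags


def evaluate(from_domain: str, spf_domain, dkim_domain) -> str:
    """Return 'pass', 'no-policy', or the requested disposition (none/quarantine/reject)."""
    policy = lookup_policy(from_domain)
    if policy is None:
        return "no-policy"
    spf_ok = aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy["p"]


if __name__ == "__main__":
    # Legitimate mail from a bounce subdomain passes under relaxed SPF alignment.
    print(evaluate("example.com", "bounce.example.com", None))       # pass
    # A forged From: example.com sent from an unrelated domain is rejected.
    print(evaluate("example.com", "examp1e.com", None))              # reject
    # Same forgery against the p=none domain is let through (monitoring only).
    print(evaluate("weak.example", "examp1e.com", None))             # none
    # A domain that publishes nothing gives the receiver no instruction at all.
    print(evaluate("lookalike.test", "lookalike.test", None))        # no-policy
```

Two practical points follow from running it. First, `p=none` is only a reporting stage; the record should move to `quarantine` and then `reject` once the `rua` reports confirm that all legitimate senders align. Second, DMARC only protects the exact domain you publish it for: a BEC message sent from a lookalike domain the attacker registered passes its own authentication checks, which is why the article pairs the technical controls with the process controls (secondary verification for transfers) in the items above.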
With phishing attacks on the rise, individuals inside and outside of a business setting should take steps to prevent phishing attempts before falling prey to them.
Matthew Vernhout is the Director of Privacy at 250ok and is a Certified International Privacy Professional (Canada) with nearly two decades of experience in email marketing. He actively shares his expertise on industry trends, serving as director at large of the Coalition Against Unsolicited Commercial Email (CAUCE), chair of The Email Experience Council's (eec) Advocacy Subcommittee, and senior administrator of the Email Marketing Gurus group. He is a trusted industry thought-leader, speaking frequently at email marketing and technology conferences around the globe, and maintaining his celebrated blog, EmailKarma.net.