Successful businesses get staggering volumes of e-mail. According to the Radicati Group, the average office worker receives approximately 90 messages per day. With most taking on the appearance of official correspondence, it is easy to fall victim to a well-crafted phishing e-mail.
While only 10.8% of phishing attempts are successful, it’s a strictly a numbers game for professional cybercriminals. According to the latest Internet Security Threat Report released by Symantec, the average employee receives 16 phishing e-mails per month. In a firm with 30 employees, that’s over 5,700 opportunities for a hacker to get into your system annually.
When successful, these attacks can cause an enormous amount of economic damage. Internet security firm Cofense estimates that the average mid-size company loses $1.6 million in a single phishing attack. Nationwide, that amounts to over a half billion dollars lost every year, per FBI figures.
How can you defend your business against this onslaught? In today’s blog, we’ll teach you how to recognize phishing e-mails so you can empower your team to avoid them.
What is a phishing e-mail?
If we have any hope of stemming this tide of cybercrime, it is essential to know how to recognise a phishing email. In short, a phishing e-mail is any electronic message designed to resemble one sent from an authority, like a bank or a government agency.
They contain a link that leads the victim to a website that looks like the one used by the impersonated authority. Here, they ask for passwords, credit card numbers, or other personal information needed to give hackers access to capital, trade secrets, and other sensitive info.
Sounds scary, doesn’t it? Fortunately, even well-designed phishing scams contain hints that they are not legitimate. First, e-mails from official sources already know your name – therefore, any correspondence should be addressed to you.
Second, many phishing e-mails contain glaring grammatical errors. Official communications from government and corporations are thoroughly vetted for mistakes before they are sent.
Third, hovering over the link provided in the e-mail should reveal a URL used by the authority in question. If a different web address pops up, it is practically guaranteed to be a phishing message. Even so, sophisticated phishers do know how to mask their actual URL, so don’t assume you’re safe if the URL displayed appears to be from your bank.
If you suspect an e-mail is from a phisher, do NOT click on the link to investigate further. Phishing websites may contain malware that could install keyloggers (to steal passwords) or worse, ransomware – this could freeze company servers until a cash ransom is paid.
Why are cybercriminals targeting businesses so aggressively?
Why do robbers hold up banks? Because that’s where the money is. In the 21st century, data has replaced money – cybercriminals go after businesses because they contain the information needed (addresses, social security numbers, etc) to impersonate others.
When they get their hands on this information, they can apply for loans, ‘buy’ goods and then sell them online, share trade secrets with third parties, and steal balances from banking accounts. With billions of dollars and millions of customer accounts out there for the raiding, any business with a web presence is at risk of being phished.
What can you do to protect your enterprise from phishers?
Education is your best weapon against cyber crooks. According to a survey conducted by Intel, 97% of test subjects couldn’t identify a phishing e-mail from a legitimate one. To combat this ignorance, call a mandatory meeting to teach existing employees about the characteristics of phishing e-mails. Additionally, new hires should have information about these threats included in their orientation training.
However, relying on the decision-making ability of humans is a losing strategy in the long run. Web tools can defend against phishing threats where intuition fails. Browser add-ons for Chrome (Netcraft), Firefox (already built in), and other browsers can deny access to phishing sites before they have a chance to harm your company.
Making the use of password managers company policy is another effective anti-phishing strategy. These programs remember the URL of sites you frequently log into, auto-filling username and password fields. If an employee somehow clicks on a phishing link, the lack of auto-filled fields at the destination site should stand out as an immediate red flag.
Finally, consider making use of two-factor authentication. This requires you to fill a second field with the answer to a question or with a code sent by the site you are logging into. This makes life incredibly difficult for hackers, as this requires them to social engineer the answer to personal questions or the SMS code.
Rule #1 of the internet: trust, but verify
The communal nature of the internet is part of what makes it a great place. However, it still has a ‘Wild West’ feel to it, even decades after its founding. By adopting an attitude of healthy skepticism, you can reduce the probability of your company falling victim to those who prey on the naivete of the average internet user.
