According to a report from Verizon, cybercriminals are ignoring mobile and other new technologies as vehicles for cyberattacks and sticking to the good old-fashioned email phishing campaign.
Email phishing by the numbers
Out of more than 100,000 security incidents that hit thousands of companies in 2015, almost 90% involved attempts to steal cash. In addition, there was little evidence that new technologies such as net-connected gadgets or smartphones were becoming a popular attack route.
About 30% of phishing emails were opened by people in targeted organizations in 2015, up from 23% in 2014. Of the scam emails opened, about 13% went on to launch malware because staff ran the attachments they carried, meaning that in many cases it took criminals only minutes to compromise a targeted company's network.
These phishing attacks also fly under the radar: companies often take too long to realize they have been compromised. Statistics gathered for the Verizon report suggest 84% of the organizations questioned took weeks to spot that criminals had gained access to internal systems.
Why are your employees still falling victim?
You’ve probably heard of, or even received, the Nigerian prince scam email, in which the sender requests assistance in transferring millions of dollars of excess money out of Nigeria and promises to pay the recipient for his or her help. There’s also the dying widow email, in which the widow of a billionaire randomly acquires your email address and decides to give you her entire inheritance out of “the goodness of her heart.”
Most people know not to fall for these over-the-top phishing emails, but many attacks arrive in a much subtler message. For instance, many phishing emails tell the recipient that their account has been suspended, deleted or hacked, and ask them to re-enter their information through the included link.
Unfortunately, many employees are simply not educated about, or aware of, the various types of phishing emails and the widespread damage that opening them can cause.
Fixing the problem
There are two key steps you can take to prevent email phishing attacks on your business. First, harden your technical defenses: deploy an email filtering system that accounts for known tricks, consider two-step authentication, and segment your network so that a compromised account or user cannot reach further into it. Actively monitor your network for signs of suspicious activity or data exfiltration to cut response times.
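As an added illustration of the filtering step, the following Python script checks a message for three signals that the "your account has been suspended" lure described above tends to carry: urgency language in the subject or body, a link whose visible text and real destination point to different domains (or to a bare IP address), and a sender domain that does not match the brand the message claims to come from. This is example code written for this article, not a product or anything the Verizon report describes; the two e-mails it inspects are constructed samples, and the domain comparison is a deliberately simple last-two-labels heuristic.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phishing e-mail): an "account suspended" notice
# whose link text shows a bank's domain while the href points at a raw IP.
SAMPLE_EML = b"""\
From: "Example Bank Support" <alerts@examp1e-bank-secure.test>
To: employee@example.com
Subject: Urgent: your account has been suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been suspended. Please verify your information
within 24 hours to avoid permanent deletion.</p>
<p><a href="http://198.51.100.7/login">https://www.examplebank.com/login</a></p>
</body></html>
"""

# Constructed benign sample: internal notice whose link text and href agree.
BENIGN_EML = b"""\
From: "IT Helpdesk" <helpdesk@example.com>
To: employee@example.com
Subject: Scheduled maintenance on Saturday
Content-Type: text/html; charset="utf-8"

<html><body><p>The VPN will be unavailable 02:00-04:00 UTC on Saturday.
Details: <a href="https://intranet.example.com/maintenance">https://intranet.example.com/maintenance</a></p></body></html>
"""

# Phrases from the lure pattern the article describes (account suspended/deleted/hacked).
URGENCY_TERMS = ("suspended", "deleted", "hacked", "verify your", "within 24 hours")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain extraction: the last two DNS labels."""
    return ".".join(host.lower().split(".")[-2:])


def score_message(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    # Strip tags so phrases split across markup are still matched.
    text = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", content)).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append("urgency/account-threat language: " + ", ".join(hits))

    _, sender = parseaddr(str(msg["From"] or ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""

    collector = _LinkCollector()
    collector.feed(content)
    for href, shown in collector.links:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            findings.append(f"link points at a bare IP address: {href}")
        if re.match(r"https?://", shown):
            shown_host = urlparse(shown).hostname or ""
            if shown_host and registrable(shown_host) != registrable(host):
                findings.append(f"link text shows {shown_host} but href goes to {host}")
            if shown_host and registrable(shown_host) != registrable(sender_domain):
                findings.append(
                    f"message presents itself as {registrable(shown_host)} "
                    f"but was sent from {sender_domain}"
                )
    return findings


def classify(raw):
    """Map findings to a filter verdict: quarantine, route to review, or deliver."""
    findings = score_message(raw)
    if len(findings) >= 2:
        return "quarantine", findings
    if findings:
        return "review", findings
    return "deliver", findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EML), ("benign", BENIGN_EML)):
        verdict, findings = classify(raw)
        print(f"{label}: {verdict}")
        for f in findings:
            print("  -", f)
```

Each of these checks on its own produces false positives (legitimate newsletters use tracking hosts, legitimate IT notices say "verify your"), which is why the verdict only quarantines when several signals agree and routes single hits to human review rather than dropping them.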
Second, and most importantly, provide your employees with regular security awareness training. Even with those technical controls in place, your business will remain vulnerable, because phishing attacks do not target your IT systems; they target your employees. Everyone, key executives included, needs regular security awareness training. Consider running phishing simulations that put would-be victims in the same position they would face in a real attack.
Cyber scammers and attackers constantly change their strategies to keep tricking their victims. Prepare your business and your staff for these phishing emails.