Gone Phishing

What you need to know to protect your company and employees from this form of cybercrime.

Back when our grandparents and parents felt secure enough to leave the front door unlocked, back when kids could play “Kick the Can,” “Hide-and-Seek” or “Sardines” in the neighborhood so long as we were home for dinner when the street lights came on, “Gone Fishing” meant the local store was closed because the owner decided to take a little “R&R” to spend time with the family at their favorite fishing hole.

Today, “Gone Phishing” means cybercrime, identity and monetary theft and corporate espionage.

With the official end of summer and National Hunting and Fishing Day having just passed on Saturday the 23rd, we thought it would be a good time to highlight one of the biggest security risks in today’s business climate: Phishing.

What exactly is “phishing”? According to Wikipedia, “Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.”

Phishing is typically carried out by email. The “bait” is a message that appears to come from a reliable source and is written to entice and/or scare the recipient into entering their personal or corporate information, or into clicking a website link that delivers malware.

There are several types of phishing that include “spear phishing”, “cloning” and “whaling”.

Spear phishing is directed at individuals or companies to gather personal information and represents about 90% of all attacks.

Clone phishing is an attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender.

Whaling is a phishing attack directed specifically at senior executives and other high-profile targets within businesses.  In the case of whaling, the masquerading web page/email will take a more serious executive-level form. The content will be crafted to target an upper manager and the person's role in the company. The content of a whaling attack email is often written as a legal subpoena, customer complaint, or executive issue. Whaling scam emails are designed to masquerade as a critical business email, sent from a legitimate business authority. The content is meant to be tailored for upper management, and usually involves some kind of falsified company-wide concern. Whaling phishers have also forged official-looking FBI subpoena emails, and claimed that the manager needs to click a link and install special software to view the subpoena.

The damages of phishing attacks are enormous. According to the InfoSec Institute, the average cost of a phishing attack is now more than $1 million. For the specialized versions known as spear phishing, the average damage done goes up to $1.6 million. And the increase in attacks is alarming:

  • 250% increase of phishing attacks in 2016.
  • 90% of attacks carry ransomware – check out how we help protect against Ransomware here.
  • 33% of companies have been successfully targeted with CEO fraud emails according to InfoSec.

So, what can we do to protect ourselves? End-user training is key, but so is putting security systems, protocols, policies and procedures in place to protect your company.

Here is a link on how to recognize phishing email messages, links or phone calls.

From an I.T. security perspective, new technology standards are available to fortify your email. Here are a few that we recommend and implement for our customers:

  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)
  • Domain-based Message Authentication, Reporting and Conformance (DMARC)
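All three standards are published as DNS TXT records, and a misconfigured record (an SPF record ending in `+all`, a DMARC policy left at `p=none`, a missing DKIM selector) gives little protection even though the domain “has” SPF, DKIM and DMARC. The script below is an added example, not code from the original post or from Modo Networks: it parses constructed sample records for a hypothetical domain `example.com` and DKIM selector `selector1` (both assumptions) and reports the weak settings an administrator would want to fix. A real deployment would fetch the records with a DNS query instead of reading them from a dictionary.

```python
"""Parse SPF, DKIM and DMARC TXT records and flag weak settings.

Added example. The TXT values below are constructed sample records for
the hypothetical domain example.com; nothing here is queried from DNS.
"""

# Constructed records for a well-configured domain (assumption).
STRONG_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "selector1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100",
}

# Constructed records for a domain that "has" SPF and DMARC but is still
# wide open: +all lets any host send, p=none only monitors, no DKIM key.
WEAK_RECORDS = {
    "example.com": "v=spf1 include:_spf.example.net +all",
    "_dmarc.example.com": "v=DMARC1; p=none",
}


def parse_spf(txt):
    """Return {'mechanisms': [(qualifier, mechanism), ...], 'all': qualifier} or None."""
    if not txt.lower().startswith("v=spf1"):
        return None
    mechanisms, all_qualifier = [], None
    for term in txt.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_tags(txt):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_dkim(txt):
    return parse_tags(txt) if txt.strip().lower().startswith("v=dkim1") else None


def parse_dmarc(txt):
    return parse_tags(txt) if txt.strip().lower().startswith("v=dmarc1") else None


def assess(records, domain, selector="selector1"):
    """Return a list of findings describing weak or missing records for domain."""
    findings = []

    spf = parse_spf(records.get(domain, ""))
    if spf is None:
        findings.append("SPF: no record published")
    elif spf["all"] in (None, "+", "?"):
        findings.append(f"SPF: 'all' qualifier is {spf['all']!r}; end the record with -all or ~all")

    dkim = parse_dkim(records.get(f"{selector}._domainkey.{domain}", ""))
    if dkim is None:
        findings.append(f"DKIM: no record for selector {selector}")
    elif not dkim.get("p"):
        findings.append(f"DKIM: selector {selector} has an empty p= tag (key revoked)")

    dmarc = parse_dmarc(records.get(f"_dmarc.{domain}", ""))
    if dmarc is None:
        findings.append("DMARC: no record published")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC: p=none only monitors; move to p=quarantine or p=reject")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so aggregate reports are never received")
    return findings


if __name__ == "__main__":
    for label, recs in (("strong", STRONG_RECORDS), ("weak", WEAK_RECORDS)):
        print(f"{label}: {assess(recs, 'example.com') or ['no findings']}")
```

Running it prints no findings for the strong set and four for the weak set. The same checks are worth repeating after every DNS change, since a record that passes once can silently regress when a new mail provider's `include:` is added or a DMARC policy is relaxed during a migration.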

In today’s world, we must be vigilant about the emails we open, the links we click on and where our kids go on the internet. No more shouting “Ollie, Ollie Oxen Free” as the streetlights come on and the meatloaf is ready.

To learn more about how Modo Networks is protecting our customers from phishing attacks, schedule a network and security assessment here.
