With burgeoning hybrid work environments, companies and their employees are more susceptible than ever to phishing attacks and social engineering. Cybercriminals are increasingly adept at changing tactics to exploit new vulnerabilities. As phishing attempts get more creative and harder to discern, “new-school” employee training and access controls are a must.
Jumping Phish Ponds
Most of us have heard of phishing or even taken a cybersecurity compliance training that touched upon the threat. We know emails that seem “off” somehow are suspect—an invitation to click on a link from a stranger or a weird request from a usually trustworthy source. Social engineering like this is a cybercriminal’s attempt to manipulate, influence or deceive a target into taking some action that isn’t in their own best interest or in the best interest of the organization.
Phishing scams have changed in nature due to a variety of recent developments. During 2020, COVID-19, shelter-in-place and social distancing orders forced many companies to adapt quickly to changing environments and technology. Under these conditions, it wasn’t always possible to fully monitor network access and privilege escalation. Misconfigured databases and services were the leading cause behind all-time-high numbers of exposed records in enterprise security breaches. As more automation tools are implemented on company networks to streamline new operational models, keeping track of who has access to which points on the network, and what type of access they have, is becoming more complex.
These recent changes are driving bad actors away from “net” phishing and toward spear phishing (targeting specific groups and individuals). The FBI’s Internet Crime Complaint Center (IC3) received a record number of complaints from American citizens in 2020. Phishing—including vishing (voice phishing over the phone), SMiShing (text message phishing), whaling (targeting high-profile employees and C-level executives) and pharming (emails with links that redirect to fake websites)—was the most prevalent threat in the US in 2020, with 241,342 victims. This resulted in non-payment/non-delivery (108,869 victims), extortion (76,741 victims), personal data loss (45,330 victims) and identity theft (43,330 victims).
Phishing Victim Impacts
Link manipulation, fake trial offers, advance-fee loans and job scams continue to be lucrative phishing methods for threat actors. The consequences for victims, however, are high. Here are some numbers shared by PathForward IT, a business continuity and disaster recovery MSP:
- ~85% of security breaches start with phishing
- 86% of organizations had at least one user try to connect to a phishing site
- 53% of successful cyber-attacks infiltrate organizations without being detected
- 91% of all cyber-attack incidents didn’t generate an alert
- 70+ days: Length of time intruders typically go undetected
- 6–12 months: Estimated time to investigate and remediate a security breach
- 3–15 days: Average downtime, interruption to business continuity
- $1M–$3M: Financial impact of a successful attack
- Regulatory, civil, and criminal impacts: Fines, restitution, penalties to contracted partners, and brand reputation damage
Defending Against Phishers
Recognizing and stopping phishing attacks in advance of a data breach or ransomware is your best defense. The following are recommended mitigations that can help prepare and protect your organization:
POLICY AWARENESS: The greatest threat to your organization’s cybersecurity strength is, unfortunately, also its greatest asset. Even when unintentional, employee carelessness, mistakes, unreported data exposures and other risky behaviors can provide easy entry points for bad actors. Raising awareness of the policies that defend against security threats arms your employees with knowledge that protects them in the workplace and in their home offices. Here is a short list of examples your policies should address:
- Verify financial requests with a live phone conversation before responding
- Avoid clicking links in emails from unknown senders, or in suspicious-looking or unverified emails asking for payment or banking information
- Never put financial account information in an email, text or other digital communication unless it’s encrypted
- Never use public WiFi to access your company email, financial institutions or any sensitive data
TRAINING: Training your employees improves their ability to recognize threats and reduces the chance of successful phishing attempts. As cyberattack trends change, ongoing, updated training lessens your organization’s exposure and ensures new attack methods don’t catch your employees unaware. PathForward IT training and documentation programs leverage best-in-class training tools from its preferred vendor, KnowBe4, to help your team correctly use your technology’s full features and capabilities while meeting regulatory training requirements. Security Awareness Training, Anti-Phishing Training and simulated phishing attacks can all help your employees gain real-world experience in how to address threats.
ACCESS CONTROLS: When new employees are hired, network access should be granted on a least-privilege basis. Periodic review of network access for all employees can significantly reduce the risk that vulnerable or weak spots within the network are compromised. Actively scanning and monitoring for unauthorized access or modifications can help detect a possible compromise in time to prevent or minimize the loss of data.
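As an added example of the periodic least-privilege review and change monitoring recommended above (this is not PathForward IT's code or tooling), the script below takes a constructed entitlement export, an assumed approved-role matrix and the previous review's snapshot, and flags group memberships beyond what a job role needs, dormant accounts and memberships that changed since the last review.

```python
"""Periodic least-privilege access review (added example, not PathForward IT code).
Assumed, constructed inputs: an entitlement export (user, job role, groups, last
login), an approved-role matrix (role -> groups it may hold) and the previous
review's snapshot of user -> groups, used to spot changes made outside the process."""
from datetime import date

# Constructed approved-role matrix: the only groups each job role should hold.
APPROVED = {"accountant": {"finance-ro", "vpn"}, "sysadmin": {"domain-admins", "vpn"},
            "intern": {"vpn"}}
# Constructed entitlement export for this review cycle.
SAMPLE_USERS = [
    {"user": "alice", "role": "accountant", "last_login": date(2021, 3, 1),
     "groups": {"finance-ro", "vpn", "domain-admins"}},  # privilege creep
    {"user": "bob", "role": "sysadmin", "last_login": date(2021, 3, 2),
     "groups": {"domain-admins", "vpn"}},
    {"user": "carol", "role": "intern", "last_login": date(2020, 10, 1),
     "groups": {"vpn"}},  # dormant account
]
# Constructed snapshot saved by the previous review (user -> groups).
PREVIOUS = {"alice": {"finance-ro", "vpn"}, "bob": {"domain-admins", "vpn"},
            "carol": {"vpn"}}
TODAY = date(2021, 3, 3)

def snapshot(users):
    """Reduce an export to user -> groups, the form stored for the next review."""
    return {u["user"]: set(u["groups"]) for u in users}

def review_access(users, approved, today, stale_days=90):
    """Flag groups beyond the role's approved set, dormant accounts and unknown roles."""
    findings = []
    for u in users:
        allowed = approved.get(u["role"])
        if allowed is None:
            findings.append((u["user"], "unknown-role", u["role"]))
            continue
        excess = set(u["groups"]) - allowed
        if excess:
            findings.append((u["user"], "excess-privilege", sorted(excess)))
        idle = (today - u["last_login"]).days
        if idle > stale_days:
            findings.append((u["user"], "stale-account", idle))
    return findings

def detect_changes(previous, current):
    """Diff two snapshots; a change with no matching access request needs investigation."""
    changes = []
    for user in sorted(set(previous) | set(current)):
        before, after = previous.get(user, set()), current.get(user, set())
        changes += [(user, "added", g) for g in sorted(after - before)]
        changes += [(user, "removed", g) for g in sorted(before - after)]
    return changes
```

Running review_access(SAMPLE_USERS, APPROVED, TODAY) reports alice's extra domain-admins membership and carol's dormant account, and detect_changes(PREVIOUS, snapshot(SAMPLE_USERS)) shows when that membership appeared, so the two checks together cover both the periodic review and the monitoring for unauthorized modifications.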