Yes, you read that headline correctly. There is a way to stop 91% of all cyberattacks before they penetrate your enterprise. That is a pretty big claim. So how do you do it?
Simple – turn off all email services for your organization. That is because 91% of cyberattacks start with a phishing email. How is it that in the era of the consumerization of IT where everyone is supposed to be digitally savvy, that phishing email is still the primary culprit for cyberattacks? Think about this. According to Verizon’s 2017 Data Breach Investigations Report, one in fourteen users are tricked into following a link to an infected website or opening an attachment and shockingly one quarter of them are duped more than once.
Users open 30% of phishing emails. According to the Anti-Phishing Working Group (APWG), the total number of phishing attacks in 2016 was over 1.2 million, a 65% increase over 2015.
So how are users so easily deceived?
The fact is that spammers are no longer a band of misfit amateurs holed up in a safe house in some warehouse district. 89% of phishing attacks are implemented by organized crime. Thus, the sophistication of phishing attacks has steadily evolved over the past several years. No longer are phishing emails a laughing matter, full of obvious typos and poor language skills. Phishing attacks are formulated by intelligent professionals with skill sets in writing, business communication and human psychology – social engineering.
Some of the most successful phishing attacks in fact specifically target CEOs, CFOs and other senior management positions within companies. We have written before about the prevalence and success of fake invoice scams. One of the more surprising statistics outlined in Cisco’s 2017 Midyear Cybersecurity Report is the fact that Business Email Compromise attacks (BEC) garnered five times the money of ransomware in the 4th quarter of last year. In fact, the average cost of a BEC attack is $1.6 million. Of course, email is the primary delivery method of ransomware as well which cost enterprise organizations over $1 billion last year. The report also mentioned phishing attacks even targeted towards managed services providers who should be astute when it comes to email security.
Simple Things to Do to Identify Phishing Attacks
While an absolute solution would be to simply disable email services within your organization, this is not realistic. But there are simple steps you can take anytime you receive a suspicious email. For example, I received an email the other day to my gmail account that was supposedly sent from my bank informing me that my online account had been locked due to numerous failed logon attempts. I have received spam like this many times in the past from large banks for which I do not have an account. Though I was quite sure this was bogus, I still wanted to verify it as it was my bank this time. Rather than click the embedded link in my email however, I simply opened a private web browser session and accessed my bank account online. Of course, it was not locked.
Here are a few other simple ways to verify the legitimacy of an email:
- Instead of clicking on the return button, click on the forward button. By doing so, you will now be able to see the full email address of the sender within the content of the forwarding email. Make sure that the address contains the official domain name of the company in proper form. An email supposedly from Bankingtrust.com may actually have an email of email@example.com or bank1ngtrust.com in which the letter “I” has been replaced by the number 1.
- Hover your mouse over embedded links in your email. Again, verify that the link involves the official domain name of the company. Also, make sure the URL includes the HTTPS protocol. A bank or financial transaction company such as PayPal will never send you non-encrypted link to access your account with.
- Check the email signature. Any legitimate email request will have a proper email signature. Again, verify company information.
- Ring the bank first before taking any action.
- Never release funds with getting approval from other – establish a robust payment approvals process at your organization.
Then there is the most important step of all if you are a business owner or manager. Integrate an email security gateway into your email infrastructure. Even if your organization hosts your email with a cloud service such as Office 365, you still need an email gateway to supplement the default protection that you assume you are receiving. An email security system should include layers of vigorous spam analysis and antivirus protection as well.
End user training is also vital, as your users are both the weakest link within your organization, as well as your first line of defense. Train them to not only identify obvious phishing emails, but report these attacks as well so that IT personnel can take proper measures. Often times these types of training programs are ignored because of the interruption they may cause to the workday, but these efforts will offer a significant pay off down the road.
Are you an IT professional looking to protect your users form phishing attacks? Talk to a specialist or email us at firstname.lastname@example.org with any questions.