by Scott Jack
Content Contributor, E-N Computers
7+ years experience in healthcare IT and tech support.
Phishing is a type of attack that uses social engineering to trick a person into divulging information that can be used to exploit them or the company they work for. It is a common tactic used in many internet crimes. According to the FBI, there were nearly 800,000 complaints of internet crime with losses totaling $4.2 billion in 2020. Phishing made up 30% of the complaints.
These statistics make it clear that phishing is a real and present danger for businesses. So it is useful to understand the purpose of phishing, how it negatively impacts businesses, steps you can take to defend your company against it, and what you can do if you become a victim of a phishing attack. Let’s start by looking at the purpose of phishing.
QUICK ANSWER:
What is a Phishing Scam?
Phishing is a type of cyber attack that uses email to get a victim to take a desired action, such as divulging passwords or sensitive information, installing malware, or transferring money to the scammer. It can result in a data breach, cyber incident, or financial loss for an individual or a company.
The Purpose of Phishing Scams
Attackers use phishing for many reasons including stealing credentials, spreading malware, receiving fraudulent payments, or gathering sensitive information. Initial contact usually happens over email, but can also happen over SMS, voice, or through malicious code that redirects you to illegitimate websites. How might you be tricked into giving up valuable information?
A basic phishing email is designed for a broad audience; they cast a wide net and hope to catch something good. Often, they look like emails from large companies that many people are likely to have an account with. They may claim that your account has been compromised or that there is a billing problem with your account, then provide you with a link so you can take immediate action. The link is to a fake website that asks you to put in your username and password, payment details, or other sensitive information. In just a few steps, a criminal can get hold of your information.
A more focused alternative that provides criminals with better results is called spear phishing. This approach requires the attacker to do some research first. They determine what data they want, figure out who at an organization will have that information, and then target them. Often, people with finance, HR, or executive functions are selected. Using social media, job postings, and other information available online, they can customize an email so the target is more likely to follow the call to action. Opening the link or attachment they send may install a keylogger that sends everything you type back to them, including your login credentials.
With your credentials, a criminal can gain access to your email account and all the information you have stored there such as communications with vendors, calendars, and contacts. After a period of monitoring, a phisher can craft an email convincing enough to get you to open an attachment or make changes in your records that result in fraudulent payments. With access to your address book, a phisher can disguise themselves as your business and target your clients and business partners.
The links and attachments in phishing emails can spread other types of malware, too. A common attack aimed at businesses is an email with an attachment described as an overdue invoice. People are often inclined to open an attachment like this to see what it is for. However, even a harmless looking PDF can contain malicious code that installs malware on your computer system. This malware could be ransomware that locks your files away, or a trojan virus that give criminals remote access to your network. How do these methods affect businesses?
QUICK REFERENCE
How to Recognize a Phishing Email
Phishing emails often share similar traits — misspellings, questionable links, or formatting issues. In our How to Recognize a Phishing Email Quick Reference Guide, you’ll learn how to spot a scam email before it can be used to steal your information.
Want a copy of the quick reference for later? Enter your email address (totally optional!) and we’ll send you a link so you can download it later or share it with your team.
Phishing Negatively Impacts Businesses
The phishing methods discussed above have real consequences. These include data loss, data theft, direct financial losses, future attacks on others, and reputational harm. Let’s briefly consider each.
Data loss can occur if the phishing payload includes ransomware. The ransomware may even sit dormant for a while. Eventually, though it begins locking files and requires a payment in exchange for the key. The FBI recommends not paying such ransoms, and many cyber insurance policies no longer provide coverage for ransomware without sufficient proof that you have taken steps to protect yourself. If you cannot pay the ransom, you may lose the data permanently. Some organizations permanently lost data even after paying the ransom.
Data theft may occur if a remote access trojan (RAT) is installed. This type of malware gives an attacker complete access to your system. As a result they may be able to access confidential information like social security numbers, credit card and bank account details, or login credentials. They can view, download, modify files. This type of malware can also destroy files and install other malware.
Direct financial losses are often the result of a phishing attack on a business. Phishers are known to impersonate vendors or employees asking for their records to be updated with new banking information. Then the next time you pay an invoice or do payroll, the money goes to a reloadable pre-paid card held by the criminals instead of to the rightful recipient. Because the change was made by an authorized user, a cyber insurance policy is not likely to cover this. Instead, you will have to work with the financial institutions and law enforcement to recover the funds.
Future attacks on others you do business with are another unfortunate consequence of a successful phishing attack. When clients and other businesses receive suspicious emails that are made to look like they are coming from you, it tarnishes your reputation. Similarly data theft and data loss can cause reputational harm that is difficult to recover from. Strong IT security practices help your clients and business partners have confidence in your competency across the board. What can you do to prevent a successful phishing attack?
How to Prevent Phishing Attacks
There are proactive steps you can take to prevent a successful phishing attack. The most effective defense includes a combination of technology and training. Below are some effective tools and techniques to thwart phishing.
Spam filtering and antivirus. Spam filtering and antivirus software can help reduce your exposure to phishing threats. Spam filtering runs on your email server either locally or in the cloud. Using a combination of rules and machine learning, it analyzes emails to determine whether they are legitimate or not. It looks for things like the domain the email was sent from, whether the email server it came from is known for sending illegitimate bulk emails, and language in the emails that is typical of phishers. Antivirus software runs on local machines to prevent malicious programs from running and warn users if they try to access a suspicious page. Regular updates provide your antivirus with lists of known safe and unsafe software and websites. For a detailed example, you can look at the official documentation for Microsoft Defender SmartScreen, the anti-phishing feature included with Windows 10.
Multi-factor authentication. Multi-factor authentication, also called two-factor authentication, adds a layer of security to your account. On accounts with two-factor authentication, you must enter your password and a valid authentication code. The service you are logging into sends the code to a trusted device by SMS, email, or an authentication app. You then enter the code on their website to finish logging in. This can prevent attackers who already have your password from accessing your account.
Employee training and company policies. Although the technologies described above can help prevent phishing, they should not be your only defense against it. Because phishing works by tricking people, it is critical to train employees how to recognize and handle a phishing attempt. This includes training them to:
- carefully examine the email address, links and spelling in an email
- never click on a link or attachment in an unsolicited email
- be wary of forwarded emails with links and attachments
- never share their passwords or verification codes
- immediately report an incident where they fall for a phishing email
Company policies may also provide defense against phishing. For example, your password policy may explicitly state that an employee’s work passwords should not be similar to their personal passwords. You may disallow the use of work email for personal affairs. You might even limit who can email with senders outside your organization. These policies can limit a phisher’s access to company accounts and their opportunities to deceive your employees.
Phishing tests and formal training. A simulated phishing attack can reveal how susceptible your employees are to this type of attack. You provide a vendor with a list of employee email addresses, they send a sample phishing email, and then they report to you how many employees clicked the included link. If this exercise reveals that further training is necessary, the vendor can provide security awareness training for a fee. We recommend the services of KnowBe4 for phishing testing and training.
But what if you are the victim of a phishing attack?
Take These Steps If You Become a Phishing Victim
Despite your best efforts, you may fall victim to a phishing attack. If this happens, there are immediate steps you can take to protect yourself. First, affected users should change their passwords. Second, you should complete a full antivirus scan of affected computers. If any threats are discovered and cannot be resolved by your antivirus, you should disconnect the computer from your network so other computers do not become infected. Third, call E-N Computers so we can assist you in remediating the threat. Our experts can help you by identifying any remaining malware, cleaning or reimaging the computer if necessary, and bolstering your IT security.
Next Steps: Improve Your Phishing Defenses
READ: What Is Multi-Factor Authentication?
READ: How to Configure Spam Filtering in Office 365
DOWNLOAD: How to Recognize a Phishing Email
As discussed above, multi-factor authentication and spam filtering are powerful tools you can use to help protect against phishing. The linked articles provide more information about these technologies and how to make good use of them.
We’ve also prepared a downloadable cheat sheet with tips to help you and your employees identify phishing emails.
If phishing emails or other cybersecurity concerns are impacting your business, take our free IT Maturity Assessment. You’ll get personalized information on how you can improve your IT processes, including your cybersecurity defenses. Click here to begin the assessment now.
Take the IT Maturity Assessment
Is your business ready to weather changes, including employee turnover? Find out by taking our IT maturity assessment.
You’ll get personalized action items that you can use to make improvements right away. Plus, you’ll have the opportunity to book a FREE IT strategy session to get even more insights into your IT needs.
