This article looks at what email phishing is, how it affects businesses, and how businesses can protect themselves from becoming victims of cybercrime.
We will describe how phishing works and provide some specific examples of phishing that affect businesses, including classic email scams, CEO fraud, business email compromise (BEC), and “spear” or targeted phishing.
We won’t raise problems without offering solutions: the article concludes with practical tips on how you can prevent email phishing in your company and equip your staff to spot scams and avoid phishing attacks.
Email Phishing is a Business Nightmare
Belinda, the company’s CFO, couldn’t believe how far they were off budget for the month. She had her accounting specialist pore over all the expenses to try to find the discrepancy. It turned out that the company had spent five times more on supplies than anticipated. Belinda followed up with accounts payable to find out who had authorized such large supply expenditures. The problem was that no one had requested those supplies, and there were no internal purchase orders to back them up, except for one lone supply invoice emailed from a company they had never used before. That invoice had come through the payables department as a request for payment, and the reply had included a charge account number. Subsequent charges continued to pile up, amounting to almost $20,000!
This company was the victim of phishing. According to Wombat Security Technologies, 76% of companies experienced phishing attacks in 2017, and a study by Symantec reports that 8,000 businesses are targeted each month by BECs. Email phishing is definitely something you and your employees should be aware of in our current technology era.
Here is How Email Phishing Works
You’re probably familiar with the personal emails that began to surface when email started to get popular: “Dear sir or madam, pleaze, I need your help…” often with misspellings and poor grammar.
Unfortunately, many fell prey, and still do, to these poorly executed attempts to have people wire sums of money or provide personal information for identity theft purposes. But these classic email scams have grown much more sophisticated, something which you and your employees need to be aware of and guard against.
Belinda’s company received an emailed request to pay an invoice that looked totally legitimate. The phisher knew what kind of supplies the company ordered and the usual quantity for a normal order, so when the first invoice came, payables didn’t question it; they also happily provided normal billing information, which gave the scammer everything needed to put through multiple charges and walk away with almost $20,000.
The most successful phishing techniques come in the form of requests for information from what appear to be legitimate businesses, and even trusted sources like your bank, your preferred shipping company, or another business partner. These classic email scams are engineered to include the logos, images, and wording of a trusted company, often perfectly duplicating the experience you would have interacting with the real source. Users are asked for, and too often provide, sensitive information like login IDs, passwords, account information, and other proprietary data.
If you receive an email from your company’s CEO, their assistant, or the CFO asking you for confidential information, wouldn’t your instinct be to provide that information immediately? Criminals do extensive research on their target companies: they duplicate email signatures, gather the details needed to impersonate high-level executives, and sometimes even hack into real email accounts and use them to send further emails asking for account numbers, banking details, and other sensitive information. This type of scam is called CEO fraud, a form of business email compromise (BEC); the FBI reported that businesses lost 3.1 BILLION dollars to it in 2015.
Targeted phishing, or “spear” phishing, is so sophisticated that cybercriminals will trawl an individual’s social media, the company’s website, or other sources to find information that creates a personal connection with the individual, usually a person within the organization who has privileged access or information. Emails will include personal greetings and refer to very personal topics like a spouse’s or children’s names, or detailed departmental information. Often these messages carry a demand for urgency, prompting anxiety and causing the individual to react quickly and without sufficient thought.
How to Minimize Your Risk of Email Phishing
There are many ways you can protect your company and minimize the potential for becoming a victim of phishing. Here are some:
1) Training: Knowledge can indeed be power. Invest in a simple training program that teaches your employees how to spot email phishing and how to report it appropriately. A variety of virtual training programs exist; some are offered free as part of a vendor’s support package. A couple of tips right off the bat:
a. Banks and credit companies will not request personal information via email, nor ask you to call a number in the email to disclose it. If in doubt, call the number printed on your card or statement instead.
b. Check that you are being taken to a ‘secure’ website, indicated by ‘https’ and a lock symbol in the address bar, but remember what that lock means: only that the connection is encrypted, not that the site is legitimate. Phishing sites use HTTPS too, so check the domain name itself, and type the address you know rather than clicking the link in the email.
c. Check the exact email address of the sender, not just the display name. A display name can be set to anything (“Belinda Ross” can sit in front of a free webmail address), a look-alike domain can differ from yours by a single character, and a Reply-To header can quietly redirect your answer to the criminal. Compare the address and the company it claims to represent.
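As an added example (not part of the original article), here is a small Python script that automates tip (c) and the executive-impersonation check described under CEO fraud above. It parses the From and Reply-To headers of a raw message and flags a display name that matches an executive but an address outside the company domain, a look-alike of the company domain, or a Reply-To that points somewhere else. The company domain example-corp.com, the executive names, and the sample messages are all hypothetical, constructed for this example.

```python
"""Added example: flag sender-header patterns typical of BEC and look-alike phishing.

Assumptions (hypothetical, chosen for this example): the company owns
example-corp.com, and EXECUTIVES lists the people criminals would impersonate.
The SAMPLE_* messages are constructed, not real mail.
"""
import difflib
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"          # assumed company domain
EXECUTIVES = {"belinda ross", "sam chen"}   # assumed impersonation targets


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_like(domain, trusted):
    """True for near-misses of the trusted domain: our name buried inside another
    domain (example-corp.com.evil.net, example-corp-billing.com) or a domain that
    differs by a character or two (examp1e-corp.com). Our own subdomains pass."""
    if domain == trusted or domain.endswith("." + trusted):
        return False
    trusted_label = trusted.split(".")[0]
    if trusted_label in domain:
        return True
    return difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.85


def check_sender(raw_message):
    """Return a list of human-readable findings for the message's sender headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []
    dom = domain_of(addr)

    internal = dom == COMPANY_DOMAIN or dom.endswith("." + COMPANY_DOMAIN)
    if not internal:
        # Display-name spoofing: an executive's name on an outside address.
        if any(exec_name in name.lower() for exec_name in EXECUTIVES):
            findings.append(
                f"display name '{name}' matches an executive but address is external: {addr}")
        if looks_like(dom, COMPANY_DOMAIN):
            findings.append(f"look-alike domain: {dom}")

    # Reply-To hijack: the visible sender is fine, but replies go elsewhere.
    if reply_addr and domain_of(reply_addr) != dom:
        findings.append(f"Reply-To domain differs from From: {reply_addr}")
    return findings


# Constructed sample messages (headers only matter here).
SAMPLE_LEGIT = (
    "From: Belinda Ross <belinda.ross@example-corp.com>\n"
    "To: payables@example-corp.com\n"
    "Subject: Q3 budget review\n\n"
    "Please send me the supplies ledger for Q3.\n")

SAMPLE_SPOOFED_EXEC = (
    "From: Belinda Ross <belinda.ross.ceo@gmail.com>\n"
    "To: payables@example-corp.com\n"
    "Subject: Urgent wire transfer\n\n"
    "I am in a meeting, please pay the attached invoice today.\n")

SAMPLE_LOOKALIKE = (
    "From: Accounts Payable <ap@examp1e-corp.com>\n"
    "To: payables@example-corp.com\n"
    "Subject: Invoice 4471\n\n"
    "Please confirm your billing account number.\n")

SAMPLE_REPLY_TO = (
    "From: Belinda Ross <belinda.ross@example-corp.com>\n"
    "Reply-To: belinda.ross@mail-outlook.net\n"
    "To: payables@example-corp.com\n"
    "Subject: Supplier change\n\n"
    "Reply with the new vendor's account details.\n")

if __name__ == "__main__":
    for label, sample in [("legit", SAMPLE_LEGIT), ("spoofed exec", SAMPLE_SPOOFED_EXEC),
                          ("look-alike", SAMPLE_LOOKALIKE), ("reply-to", SAMPLE_REPLY_TO)]:
        print(f"{label}: {check_sender(sample) or ['no findings']}")
```

These checks are signals, not verdicts: a mailing list legitimately sets a different Reply-To, and a criminal who has taken over a real internal mailbox will pass all three. They are useful as a training aid and as a first filter; the stronger control is a mail gateway that verifies the sending domain before the message reaches an inbox.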
2) Policies and procedures: It’s not enough to just train your staff, you must have a follow up plan. Address such issues as: how staff should report phishing attempts and security breaches; what they should do if they are targeted; where they can go for more information; what your company will do if it is compromised; and how it will communicate this to the public.
3) Communicate: Share knowledge regularly with staff. Consider adding a section in an employee newsletter. Share company specific examples of attempts to compromise sensitive information. Make this an ongoing communications priority.
4) Caution employees to be less click-happy. Think about where the email is coming from and what kind of information it is asking for. Should the sender already have this information, and do they genuinely need it? Think twice before you respond or react.
5) Firewalls: Invest in good desktop firewalls as well as a network firewall (hardware that sits between your internal network and the internet connection). The combination gives layered protection.
6) Antivirus Software: While this won’t prevent an employee from handing information to a cybercriminal, it is good practice against the other side of phishing: blocking malicious attachments and files, keeping out intruders who could enter your systems and access personal information, and dealing with what is certain to be a never-ending stream of new methods for compromising businesses.
Keep your company and its assets safe from the malfeasance of email phishing. Share with us below your stories of a time you were enticed by a cybercriminal or ways that your company protects itself from becoming a victim.