Phishing emails can sometimes seem rather easy to ignore, which leads employers to believe that only the most gullible could fall prey to an attack. But while some phishing scams may be full of glaring grammar errors and strange subject lines, many scammers have stepped up their game.
Picture an email with a subject line that reads “Quarterly reports” sent from the name of a co-worker. Now imagine the employee is at the end of a grueling workday on just a few hours of sleep. It wouldn’t be that difficult for an employee to click on those reports only to discover that they’ve subjected the entire company to malware.
It’s time to get behind the minds of phishers and focus on education before it’s too late.
The Prevalence of Phishing
In just the last two years, phishing has become the main tactic criminals use to breach a user’s defenses. Phishing requires very few technical skills and depends largely on social engineering to entice people to open a malicious file. Most of these criminals aren’t interested in selling a company’s trade secrets. Instead, they’ll either encrypt files and demand a ransom from their victim or sell personal and financial data on the dark web.
If your company has an updated database of customer credit card numbers, this information would fetch a handsome price on the black market. Phishing has become so popular that 89 percent of attacks are perpetrated by a crime syndicate rather than a lone hacker.
Playing the Game
There are a number of different tactics a criminal may try before they actually succeed in their quests, which is why employers need to be willing to play their game. It’s to a hacker’s benefit to vary their methods and continue spamming people to see what works and what doesn’t.
A mass spamming technique will send out the same ‘important’ message to everyone, regardless of their circumstances. They may begin the email with ‘Dear Sir/Madam’ before informing the reader there was a fraudulent charge on their credit card with a prompt to click on an attachment to provide additional information.
Spear phishing refers to a much more calculated kind of attack, one that includes your name and specific, relevant information. These are the emails that are most likely to be acted upon.
Don’t Be Fooled
When criminals go out of their way to learn about the company and the recipient of the email, they can put a lot of insider information into a single email. They can track an employee’s information on social media and combine that personal information with the business information they find about the company. Once employees realize the most legitimate-seeming email in the world may still be a scam, they’ll be much more likely to have their guard up.
One of the biggest indicators of a phishing email is that the sender is in a huge hurry to get some type of response. Any time someone is asked to verify information immediately, it’s a red flag that the person on the other end is up to something.
Tips for Better Training
Training should ideally focus on everyone in the company because even members of the IT team may need a short refresher course! Remind people that generic salutations or odd language are almost certainly the mark of a spammer. Employees should know not to click on links that request sensitive data, but they should also know not to click on websites from untrusted sources of any kind.
Some scammers will use websites that look like major websites but with one letter off, such as amzon.com. Finally, employees should be wary of survey requests or grand prize giveaways because they’re typically just a means of gleaning personal data that can be used against them (or the company) later on.
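The indicators described above (a sender domain one letter off from a trusted one, a generic “Dear Sir/Madam” salutation, and pressure to respond immediately) can be checked mechanically before an email ever reaches a tired employee. The following is an added example, not code from the article; the trusted domain list, the urgency phrases and the two sample emails are all constructed for illustration, and a real mail gateway would tune the edit-distance threshold to domain length and use a much larger phrase list.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed list of domains the organisation treats as trusted (assumption).
TRUSTED_DOMAINS = ["amazon.com", "example-corp.com", "microsoft.com"]

# Constructed phrases that signal the "respond right now" pressure phishers rely on.
URGENCY_PHRASES = ["immediately", "urgent", "within 24 hours", "verify your account", "act now"]

# Generic salutations that a sender who actually knows the recipient would not use.
GENERIC_SALUTATION = re.compile(r"\bdear\s+(sir/madam|sir|madam|customer|user)\b", re.I)


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) via the usual dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain this one resembles, or None.

    An exact match is legitimate; a domain within max_distance edits of a trusted
    domain (e.g. amzon.com vs amazon.com) is a lookalike worth flagging.
    """
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if levenshtein(domain, t) <= max_distance:
            return t
    return None


def analyse_email(raw):
    """Run the three checks over a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    lowered = body.lower()
    urgency = [p for p in URGENCY_PHRASES if p in lowered]
    return {
        "sender": address,
        "lookalike_of": lookalike_domain(domain),
        "urgency": urgency,
        "generic_salutation": GENERIC_SALUTATION.search(body) is not None,
    }


def is_suspicious(findings):
    """Any single lookalike domain, or urgency plus a generic greeting, is enough to hold the mail."""
    return findings["lookalike_of"] is not None or (
        bool(findings["urgency"]) and findings["generic_salutation"]
    )


# Constructed sample: the "fraudulent charge" lure from the article, sent from a lookalike domain.
SAMPLE_PHISH = (
    'From: "Amazon Billing" <security@amzon.com>\n'
    "To: employee@example-corp.com\n"
    "Subject: Fraudulent charge on your card\n"
    "\n"
    "Dear Sir/Madam,\n"
    "We detected a fraudulent charge. Please verify your account immediately "
    "by opening the attachment.\n"
)

# Constructed sample: a legitimate internal request with none of the indicators.
SAMPLE_LEGIT = (
    'From: "Jane Doe" <jane@example-corp.com>\n'
    "To: employee@example-corp.com\n"
    "Subject: Quarterly reports\n"
    "\n"
    "Hi Sam, could you send me the quarterly reports when you get a chance?\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        f = analyse_email(sample)
        print(f["sender"], "suspicious" if is_suspicious(f) else "ok", f)
```

The edit-distance check is deliberately separate from the wording checks: a lookalike sender domain is a strong signal on its own, whereas urgency phrases or a generic greeting also appear in plenty of legitimate mail, so the example only escalates on those two when they occur together.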
Striking a Better Balance
Employers need to be careful about how they approach this topic. No employee wants to be paranoid when they’re just trying to get their job done. Do they really want to question every email that comes in? What happens if they don’t respond to an urgent email that was legitimately sent by their boss because they assumed it was spam? Trainers have to account for real-world situations while instilling the importance of caution and skepticism in employees. Ideally, employees will feel empowered after training to easily spot phishing rather than scared they’re going to take the company down in one keystroke.
Phishing has become a major threat for businesses of all sizes, and it will only keep growing if employers don’t recognize the signs. Unfortunately, there is no magic solution for any of this. Better tech security to stop phishing attacks in their tracks is a good start, but it can’t necessarily prevent everything. Better education can go a long way to protecting everyone from criminals.