Phishing is one of the biggest cybersecurity threats in today’s workplace, yet it’s one going largely ignored by employers. Phishing refers to the use of email and websites that aim to steal money or private information. In August, the FBI spoke out about phishing in the workplace and the threat it poses. The FBI reports a significant spike in the number of victims as well as the amount of money being stolen as a result of this increasingly common scam. In the workplace, phishing often takes the form of scam artists and hackers using company email accounts to launch unauthorized wire transfers.
The FBI’s statistics show thieves stole almost $750 million between October 2013 and August 2015 as a result of phishing-related scams.
Between October 2013 and the start of December 2014, nearly 1,200 companies lost almost $180 million as a consequence of business email compromise (BEC) scams. This represents a 270% increase in victims and losses. If foreign victims of such scams are included, the total rises to more than $1.2 billion in losses.
An FBI alert was published, saying “The scam has been reported in all 50 states and in 79 countries. Fraudulent transfers have been reported going to 72 countries; however, the majority of the transfers are going to Asian banks located within China and Hong Kong.”
What Does a Business Phishing Attack Look Like?
The scam most likely emerges when fraudsters access CEO or executive email accounts, or when they’re able to create emails from similar domain names, which may be just a letter or character off from the actual domain name. What’s unique about this approach to scamming businesses through phishing is that the thieves take time to understand the organizations they’re targeting, making these scenarios seem much more realistic than past versions of phishing.
This kind of insider research is made possible by scraping employee email addresses; the thieves are then able to look through various emails to gain a broad picture of what it might look like for this particular organization to do a wire transfer. There’s actually a term for this type of personalized attack: it’s called “spear phishing,” since it is so specific and targeted.
In addition to these sophisticated attacks, phishing might also occur through emails calling for immediate action, the inclusion of suspicious attachments, or emails with fake URLs. These phishing attacks are more broadly recognized, so while they do impact organizations, they aren’t as successful these days as many of the more sophisticated attacks like those mentioned above.
Employees’ Role in Phishing Attacks
Despite its prevalence, phishing is still not widely understood in the workplace. Employees are readily giving attackers all the information they need, and while companies may depend on security technology to protect them, it’s not doing enough, as evidenced by the tremendous growth in these attacks.
Protecting your business starts with your employees, yet they’re often offered little to no information about the subject of phishing.
Consider this from McAfee: the company’s “Phishing Quiz” is a tool used by McAfee to study the ability of business personnel to detect phishing. They use real email samples, and the quiz included 16,000 respondents in 2014. 80% of those respondents missed at least one phishing email. Interestingly, employees within HR and accounting roles, the most sensitive for this kind of attack, performed the worst.
Only 6% of respondents were able to accurately identify 10 of 10 emails, and just by missing one email these employees would have given the thieves a tremendous opportunity.
So what is the answer? While IT protection is one piece of the puzzle, it’s not the only layer of protection. The best way to protect your company against phishing and spear phishing is through employee training and education.
Training To Safeguard Against Phishing
The first thing to realize, along with how common phishing is, is that the best course of action isn’t to retroactively punish employees if their actions lead to this type of attack.
It’s your responsibility to ensure everyone, at all levels, is properly educated and trained on the risks and red flags associated with phishing.
Rather than attempting to punish employees who do become part of a phishing scam, refocus your efforts toward providing them with more training.
Also, invest in intense phishing training for employees to prevent future attacks from occurring.
When creating this training, consider the following tips:
- The information above highlights the importance of having everyone within an organization take part in IT security and phishing training. Don’t just limit it to the employees you think might need it, because anyone can be a victim, particularly as these attacks get increasingly sophisticated. Train everyone from the top level executives to each and every person who’s part of the accounting team. Not recognizing phishing doesn’t mean you aren’t smart or capable—it’s a very challenging thing to catch, which is why there should be no exceptions when it comes to who will be trained.
- Use a learning management system to include a variety of assessments. Assessments are a crucial component in this kind of training because you want to continually test the knowledge of your employees and see where potential deficiencies exist.
- Consider implementing false attacks and then using e-Learning as a way for employees to be debriefed and build on what they learned during these mock attacks. Sometimes the best way for employees to really understand what phishing looks like is through something that replicates an actual attack. You can then use e-Learning as a way for employees to study the elements comprising the attack, learn more about the red flags they should have spotted and the reporting procedures they should follow if they see something suspicious.
- One of the significant benefits of using e-Learning to train employees on phishing threats is that you can easily update the content on an as-needed basis without overhauling all training materials. This is important as phishing threats are always evolving, and you need to have an efficient way to update training to reflect this evolution.
Let us know what you think. Are you training your employees to protect your company against phishing and spear phishing?